[PATCH] fs: jffs2: remove slab cache substitute with malloc

Sascha Hauer sha at pengutronix.de
Mon Nov 22 01:26:55 PST 2021 

On Mon, Nov 22, 2021 at 09:49:35AM +0100, Ahmad Fatoum wrote:
> On 19.11.21 11:10, Holger Assmann wrote:
> > From: Sascha Hauer <s.hauer at pengutronix.de>
> > 
> > Function jffs2_create_slab_caches() was called by the probing stage
> > every time a new jffs2 volume was mounted. This has lead to the memory
> > allocation pointers for slab caches to become overwritten. As a result
> > the system crashes at least when trying to unmount more than one volume.
> 
> Freeing data still in use is a bug.
> 
> > In Barebox, the respective (pseudo) slab caches are designed to work as a
> > substitute when code gets ported from Linux. They are no real caches, but
> > function as an interface for malloc and can therefore directly be replaced
> > by it.
> 
> Replacing one API with another is clean up and not really related to the
> issue here.

The bug in the jffs2 code is that it allocates global data structures in
probe():

	...
        jffs2_compressors_init();
	...
	jffs2_create_slab_caches();
	...

jffs2_create_slab_caches() has several calls to kmem_cache_create()
which does nothing more than allocating the context data structure for
the kmem_cache. Probing a second jffs2 will overwrite the pointers
returned by kmem_cache_create() leading to a double free when it the
two jffs2 fs are unmounted and jffs2_destroy_slab_caches() is called.
Replacing the kmem_caches with pure malloc indeed fixes this as it makes
allocating of kmem_cache context structure unnecessary.

jffs2_compressors_init() has the same problem. We still need this
function though, so the solution here is to introduce a reference
counting so that it is done exactly once in the first probe().

We can introduce the reference counting for both
jffs2_compressors_init() and jffs2_create_slab_caches() in patch 1/2
and replace kmem_cache with malloc in 2/2. Then 2/2 would indeed only be
a cleanup.

Sascha

-- 
Pengutronix e.K.                           |                             |
Steuerwalder Str. 21                       | http://www.pengutronix.de/  |
31137 Hildesheim, Germany                  | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |

More information about the barebox mailing list