[PATCH v2 1/2] fs: jffs2: introduce reference counting at probe

Holger Assmann h.assmann at pengutronix.de
Mon Nov 29 04:45:44 PST 2021


The Barebox jffs2 driver initialises global slab caches and compressors
within the probing stage [1]. In Barebox, jffs2_create_slab_caches() makes
several calls to kmem_cache_create(), which does nothing more than
allocate the context data structure for the kmem_cache.

Probing a second jffs2 however will overwrite the original pointers
returned by kmem_cache_create(), leading to a double free when more than
one jffs2 file system gets unmounted and jffs2_destroy_slab_caches() is
called. The same issue exists regarding jffs2_compressors_init().

We can fix this bug by introducing reference counting for both the slab
caches and the compressors so that the global data structures are kept
as long as at least one file system is present.

[1] jffs2_compressors_init(), jffs2_create_slab_caches() in probe()

Signed-off-by: Sascha Hauer <s.hauer at pengutronix.de>
Signed-off-by: Holger Assmann <h.assmann at pengutronix.de>
---
 fs/jffs2/fs.c | 34 ++++++++++++++++++++++------------
 1 file changed, 22 insertions(+), 12 deletions(-)

diff --git a/fs/jffs2/fs.c b/fs/jffs2/fs.c
index c1d04c397d..7538252336 100644
--- a/fs/jffs2/fs.c
+++ b/fs/jffs2/fs.c
@@ -386,6 +386,8 @@ void jffs2_flash_cleanup(struct jffs2_sb_info *c) {
 	}
 }
 
+static int jffs2_probe_cnt;
+
 static int jffs2_probe(struct device_d *dev)
 {
 	struct fs_device_d *fsdev;
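Review bot: `jffs2_probe_cnt` is declared without a comment, and its name does not show that it is the reference count protecting the global slab caches and compressors. A one-line comment above the declaration would record the invariant, for example `/* number of successfully probed jffs2 instances sharing the global slab caches and compressors */`. The counter is a plain `int` with no locking, which is presumably fine if probe and remove never run concurrently, but that assumption is worth stating in the same comment.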
@@ -408,17 +410,19 @@ static int jffs2_probe(struct device_d *dev)
 
 	sb->s_fs_info = ctx;
 
-        ret = jffs2_compressors_init();
-        if (ret) {
-		pr_err("error: Failed to initialise compressors\n");
-		goto err_out;
-        }
+	if (!jffs2_probe_cnt) {
+		ret = jffs2_compressors_init();
+		if (ret) {
+			pr_err("error: Failed to initialise compressors\n");
+			goto err_out;
+		}
 
-        ret = jffs2_create_slab_caches();
-        if (ret) {
-		pr_err("error: Failed to initialise slab caches\n");
-		goto err_compressors;
-        }
+		ret = jffs2_create_slab_caches();
+		if (ret) {
+			pr_err("error: Failed to initialise slab caches\n");
+			goto err_compressors;
+		}
+	}
 
         if (jffs2_fill_super(fsdev, 0)) {
 		dev_err(dev, "no valid jffs2 found\n");
@@ -426,6 +430,8 @@ static int jffs2_probe(struct device_d *dev)
 		goto err_slab;
 	}
 
+	jffs2_probe_cnt++;
+
 	return 0;
 
 err_slab:
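Review bot: The `goto err_slab` taken when jffs2_fill_super() fails is not gated on `jffs2_probe_cnt`, unlike the init block above it and the teardown in jffs2_remove(). The code under the `err_slab` and `err_compressors` labels lies outside the hunk, but if it still calls jffs2_destroy_slab_caches() and jffs2_compressors_exit() unconditionally, a failed probe of a second jffs2 frees the globals that an already mounted instance is still using. The later remove of that instance would then free them again, which is the double free this patch sets out to fix. Skipping the shared teardown while other instances exist would close that path, e.g. `if (jffs2_probe_cnt) goto err_out;` as the first statement after `err_slab:`.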
@@ -445,8 +451,12 @@ static void jffs2_remove(struct device_d *dev)
 	fsdev = dev_to_fs_device(dev);
 	sb = &fsdev->sb;
 
-	jffs2_destroy_slab_caches();
-	jffs2_compressors_exit();
+	jffs2_probe_cnt--;
+
+	if (!jffs2_probe_cnt) {
+		jffs2_destroy_slab_caches();
+		jffs2_compressors_exit();
+	}
 
 	jffs2_put_super(sb);
 }
-- 
2.30.2



