[PATCH 0/2] mtd/ftl: fix the double free of buffers

Kevin Hao haokexin at gmail.com
Wed Jul 2 19:11:03 PDT 2014


On Wed, Jul 02, 2014 at 05:37:40PM -0700, Brian Norris wrote:
> Considering the nature of the panic, this sounds like a -stable fix. Can
> you elaborate on how you confirmed this is the bug? You didn't paste
> sufficient logging/details to show which code paths you are exercising
> in ftl.c. One hand, it sounds like scan_header() might have returned
> non-zero (which skips build_maps()), and on the other hand, you say the
> double-free occurs because both build_maps() and ftl_freepart() are
> freeing the same buffers.

Sorry for the confusion. It is build_maps() that returns non-zero, not
scan_header(). In build_maps() it allocates the buffers needed by the mtd
partition, but if something goes wrong, such as a kmalloc failure, an mtd
read error or an invalid partition header parameter, it frees all allocated
buffers and then returns non-zero. In my case, it seems that the partition header
parameter 'NumTransferUnits' is invalid.

And ftl_freepart() is a function which frees all the partition buffers
allocated by build_maps(). Given that build_maps() is a self-cleaning function,
there is no need to invoke ftl_freepart() even if build_maps() returns with an
error.

> 
> I'd just like to fill in my understanding a little better, if I'm going
> to send this as a -stable fix. Plus, we might want to add some details
> to the patch 2 commit message, instead of just in this cover letter.

OK, I will respin patch 2 to add more detail to the commit log.

Thanks,
Kevin
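The failure mode described in this reply, modelled as an added C example (this is not code from drivers/mtd/ftl.c or from the patch series): build_maps() allocates the partition buffers, hits an invalid header parameter, frees what it allocated and returns non-zero; the caller then tears the partition down with a freepart() that frees the same pointers again. struct partition, build_maps(), freepart() and the slot-based allocator are simplified stand-ins, and the invalid NumTransferUnits value is constructed. The allocator counts a free of a non-live slot instead of crashing, so the double free is observable as a number. Two ways of avoiding it are shown side by side: NULLing the pointers in the self-cleaning error path so the teardown becomes idempotent, or skipping the teardown after build_maps() fails. Which of these the actual series chose is not stated here.

```c
#include <stdio.h>
#include <string.h>

/*
 * Hypothetical stand-in for the FTL partition (assumption: the real
 * partition_t has many more fields; only the buffers that matter for the
 * double free are modelled).
 */
struct partition {
    int NumTransferUnits;
    void *EUNInfo;
    void *XferInfo;
    void *VirtualBlockMap;
};

/*
 * Slot allocator used as a model of kmalloc()/kfree(): freeing a slot that
 * is not live is counted as a double free rather than handed to libc, so
 * the demo stays defined behaviour.
 */
#define NSLOTS 8
#define SLOT_SIZE 256
static unsigned char arena[NSLOTS][SLOT_SIZE];
static int live[NSLOTS];
static int double_frees;

static void *model_alloc(size_t n)
{
    int i;
    if (n > SLOT_SIZE)
        return NULL;
    for (i = 0; i < NSLOTS; i++) {
        if (!live[i]) {
            live[i] = 1;
            return arena[i];
        }
    }
    return NULL;
}

static void model_free(void *p)
{
    int i;
    if (!p)
        return;
    for (i = 0; i < NSLOTS; i++) {
        if (p == arena[i]) {
            if (live[i])
                live[i] = 0;
            else
                double_frees++;   /* same buffer released twice */
            return;
        }
    }
}

/* Models ftl_freepart(): unconditionally releases every partition buffer. */
static void freepart(struct partition *part)
{
    model_free(part->EUNInfo);
    model_free(part->XferInfo);
    model_free(part->VirtualBlockMap);
    part->EUNInfo = part->XferInfo = part->VirtualBlockMap = NULL;
}

/*
 * Models the self-cleaning build_maps(): allocate, validate the header
 * parameter, and on failure free everything it allocated and return non-zero.
 * With clear_on_free == 0 the struct keeps dangling pointers (the bug);
 * with clear_on_free != 0 they are NULLed so a later freepart() is a no-op.
 */
static int build_maps(struct partition *part, int clear_on_free)
{
    part->EUNInfo = model_alloc(64);
    part->XferInfo = model_alloc(64);
    part->VirtualBlockMap = model_alloc(256);
    if (!part->EUNInfo || !part->XferInfo || !part->VirtualBlockMap)
        goto fail;
    if (part->NumTransferUnits <= 0)   /* constructed invalid header parameter */
        goto fail;
    return 0;
fail:
    model_free(part->EUNInfo);
    model_free(part->XferInfo);
    model_free(part->VirtualBlockMap);
    if (clear_on_free)
        part->EUNInfo = part->XferInfo = part->VirtualBlockMap = NULL;
    return -1;
}

/*
 * Models the caller's error path: build_maps() fails and the caller decides
 * whether to run freepart().  Returns how many buffers were freed twice.
 */
static int run_teardown(int clear_on_free, int skip_freepart_on_error)
{
    struct partition part;
    memset(&part, 0, sizeof(part));
    memset(live, 0, sizeof(live));
    double_frees = 0;
    part.NumTransferUnits = 0;   /* constructed: invalid, forces the error path */
    if (build_maps(&part, clear_on_free) != 0 && skip_freepart_on_error)
        return double_frees;     /* build_maps() already cleaned up after itself */
    freepart(&part);
    return double_frees;
}

int buggy_double_frees(void)    { return run_teardown(0, 0); }
int fixed_by_nulling(void)      { return run_teardown(1, 0); }
int fixed_by_not_calling(void)  { return run_teardown(0, 1); }

int main(void)
{
    printf("dangling pointers + freepart(): %d double frees\n", buggy_double_frees());
    printf("NULL after free in build_maps(): %d double frees\n", fixed_by_nulling());
    printf("skip freepart() on error:        %d double frees\n", fixed_by_not_calling());
    return 0;
}
```

Build with `cc -Wall -o ftl_double_free ftl_double_free.c && ./ftl_double_free`. With the dangling pointers the three buffers are each released twice; either fix brings the count to zero. In the real driver the "skip teardown" variant still has to release whatever the caller itself allocated, so NULLing the pointers after the self-clean is the more robust habit whenever a free routine may run more than once.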