From 616128f7f0450f747fa4a8b6382d1ebd4a672fe0 Mon Sep 17 00:00:00 2001 From: =?utf8?q?Pali=20Roh=C3=A1r?= Date: Mon, 30 May 2022 11:09:11 +0200 Subject: [PATCH] ubifs: Fix reference count leak in ubifsumount MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit Original ubifs code was designed that after ubifs_umount() call it is required to also call ubi_close_volume() which closes underlying UBI volume. But U-Boot ubifs modification have not implemented it properly which caused that ubifsumount command contains resource leak. It can be observed by calling simple sequence of commands: => ubi part mtd2 ubi0: attaching mtd2 ... => ubifsmount ubi0 => ubifsumount Unmounting UBIFS volume rootfs! => ubi detach ubi0 error: ubi_detach_mtd_dev: ubi0 reference count 1, destroy anyway ubi0: detaching mtd2 ubi0: mtd2 is detached Fix this issue by calling ubi_close_volume() and mutex_unlock() in directly in ubifs_umount() function before freeing U-Boot's global ubifs_sb. And remove duplicate calls of these two functions in remaining places. Note that when ubifs_umount() is not called then during error handling is still needed to call ubi_close_volume() and mutex_unlock. With this change ubifsumount command does not throw that error anymore: => ubi part rootfs ubi0: attaching mtd2 ... => ubifsmount ubi0 => ubifsumount Unmounting UBIFS volume rootfs! => ubi detach ubi0: detaching mtd2 ubi0: mtd2 is detached Signed-off-by: Pali Rohár --- fs/ubifs/super.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/fs/ubifs/super.c b/fs/ubifs/super.c index e3a4c0bca2..034c41a703 100644 --- a/fs/ubifs/super.c +++ b/fs/ubifs/super.c @@ -1757,6 +1757,8 @@ void ubifs_umount(struct ubifs_info *c) kfree(c->bottom_up_buf); ubifs_debugging_exit(c); #ifdef __UBOOT__ + ubi_close_volume(c->ubi); + mutex_unlock(&c->umount_mutex); /* Finally free U-Boot's global copy of superblock */ if (ubifs_sb != NULL) { free(ubifs_sb->s_fs_info); @@ -2058,9 +2060,9 @@ static void ubifs_put_super(struct super_block *sb) ubifs_umount(c); #ifndef __UBOOT__ bdi_destroy(&c->bdi); -#endif ubi_close_volume(c->ubi); mutex_unlock(&c->umount_mutex); +#endif } #endif @@ -2327,6 +2329,9 @@ static int ubifs_fill_super(struct super_block *sb, void *data, int silent) out_umount: ubifs_umount(c); +#ifdef __UBOOT__ + goto out; +#endif out_unlock: mutex_unlock(&c->umount_mutex); #ifndef __UBOOT__ -- 2.39.5