authorMiquel Raynal <miquel.raynal@bootlin.com>2023-07-31 11:09:03 +0200
committerMiquel Raynal <miquel.raynal@bootlin.com>2023-08-04 09:01:56 +0200
commit264725e35fbc3b67e053a405e022393a6017e6da (patch)
treef9cb1a4bc3dd79f9cb3d55cb871043e60cc9e4be /drivers/mtd/mtdcore.c
parentmtd: fix use-after-free in mtd release (diff)
mtd: Clean refcounting with MTD_PARTITIONED_MASTER
The logic is way too convoluted, let's clean the kref_get/put section to clarify what this block does when using CONFIG_MTD_PARTITIONED_MASTER: - Iterate through all the parent mtd devices - Grab a reference over them all but the master - Only grab the master with CONFIG_MTD_PARTITIONED_MASTER Same logic must apply in the put path, otherwise it would be broken. Cc: Tomas Winkler <tomas.winkler@intel.com> Cc: Alexander Usyskin <alexander.usyskin@intel.com> Cc: Zhang Xiaoxu <zhangxiaoxu5@huawei.com> Fixes: 19bfa9ebebb5 ("mtd: use refcount to prevent corruption") Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com> Tested-by: Alexander Usyskin <alexander.usyskin@intel.com> Link: https://lore.kernel.org/linux-mtd/20230731090903.770277-1-miquel.raynal@bootlin.com
Diffstat (limited to 'drivers/mtd/mtdcore.c')
-rw-r--r--drivers/mtd/mtdcore.c17
1 files changed, 10 insertions, 7 deletions
diff --git a/drivers/mtd/mtdcore.c b/drivers/mtd/mtdcore.c
index 46f15f676491..9bd661be3ae9 100644
--- a/drivers/mtd/mtdcore.c
+++ b/drivers/mtd/mtdcore.c
@@ -1247,14 +1247,15 @@ int __get_mtd_device(struct mtd_info *mtd)
return -ENODEV;
}
- kref_get(&mtd->refcnt);
-
- while (mtd->parent) {
- if (IS_ENABLED(CONFIG_MTD_PARTITIONED_MASTER) || mtd->parent != master)
- kref_get(&mtd->parent->refcnt);
+ while (mtd) {
+ if (mtd != master)
+ kref_get(&mtd->refcnt);
mtd = mtd->parent;
}
+ if (IS_ENABLED(CONFIG_MTD_PARTITIONED_MASTER))
+ kref_get(&master->refcnt);
+
return 0;
}
EXPORT_SYMBOL_GPL(__get_mtd_device);
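Review bot: When the caller passes the master itself and CONFIG_MTD_PARTITIONED_MASTER is off, the new `while (mtd)` loop and the `IS_ENABLED()` block together take no kref at all, whereas the removed `kref_get(&mtd->refcnt)` took one unconditionally. That looks deliberate, since the old put loop (`while (mtd != master)`) never dropped such a reference, but nothing in the code says so, and a count that silently stays flat is easy for a later change to "fix" back into an imbalance. I would add a comment above the loop such as `/* Partitions always get a reference; the master only with MTD_PARTITIONED_MASTER, mirrored in __put_mtd_device() */`. The start of __get_mtd_device is outside the hunk, so whatever else pins the master's lifetime there cannot be checked from these lines.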
@@ -1338,10 +1339,12 @@ void __put_mtd_device(struct mtd_info *mtd)
{
struct mtd_info *master = mtd_get_master(mtd);
- while (mtd != master) {
+ while (mtd) {
+ /* kref_put() can relese mtd, so keep a reference mtd->parent */
struct mtd_info *parent = mtd->parent;
- kref_put(&mtd->refcnt, mtd_device_release);
+ if (mtd != master)
+ kref_put(&mtd->refcnt, mtd_device_release);
mtd = parent;
}
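Review bot: The get/put balance cannot be confirmed from this hunk: the loop now skips the master, but a matching `IS_ENABLED(CONFIG_MTD_PARTITIONED_MASTER)` guarded `kref_put(&master->refcnt, mtd_device_release)` is not among the visible lines, and the body of __put_mtd_device continues past the hunk. If that put were missing, or ran before a later use of `master`, the result would be a leaked reference or a use-after-free, so it is worth checking against the get path in the previous hunk. Separately, the new comment has a typo and says "keep a reference" where only a pointer is saved; `/* kref_put() can release mtd, so read mtd->parent first */` is more accurate.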