author | Miquel Raynal <miquel.raynal@bootlin.com> | 2023-07-31 11:09:03 +0200 |
---|---|---|
committer | Miquel Raynal <miquel.raynal@bootlin.com> | 2023-08-04 09:01:56 +0200 |
commit | 264725e35fbc3b67e053a405e022393a6017e6da (patch) | |
tree | f9cb1a4bc3dd79f9cb3d55cb871043e60cc9e4be /drivers/mtd/mtdcore.c | |
parent | mtd: fix use-after-free in mtd release (diff) | |
mtd: Clean refcounting with MTD_PARTITIONED_MASTER
The logic is way too convoluted, let's clean the kref_get/put section to
clarify what this block does when using CONFIG_MTD_PARTITIONED_MASTER:
- Iterate through all the parent mtd devices
- Grab a reference over them all but the master
- Only grab the master with CONFIG_MTD_PARTITIONED_MASTER
Same logic must apply in the put path, otherwise it would be broken.
Cc: Tomas Winkler <tomas.winkler@intel.com>
Cc: Alexander Usyskin <alexander.usyskin@intel.com>
Cc: Zhang Xiaoxu <zhangxiaoxu5@huawei.com>
Fixes: 19bfa9ebebb5 ("mtd: use refcount to prevent corruption")
Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
Tested-by: Alexander Usyskin <alexander.usyskin@intel.com>
Link: https://lore.kernel.org/linux-mtd/20230731090903.770277-1-miquel.raynal@bootlin.com
Diffstat (limited to 'drivers/mtd/mtdcore.c')
-rw-r--r-- | drivers/mtd/mtdcore.c | 17 |
1 files changed, 10 insertions, 7 deletions
diff --git a/drivers/mtd/mtdcore.c b/drivers/mtd/mtdcore.c index 46f15f676491..9bd661be3ae9 100644 --- a/drivers/mtd/mtdcore.c +++ b/drivers/mtd/mtdcore.c @@ -1247,14 +1247,15 @@ int __get_mtd_device(struct mtd_info *mtd) return -ENODEV; } - kref_get(&mtd->refcnt); - - while (mtd->parent) { - if (IS_ENABLED(CONFIG_MTD_PARTITIONED_MASTER) || mtd->parent != master) - kref_get(&mtd->parent->refcnt); + while (mtd) { + if (mtd != master) + kref_get(&mtd->refcnt); mtd = mtd->parent; } + if (IS_ENABLED(CONFIG_MTD_PARTITIONED_MASTER)) + kref_get(&master->refcnt); + return 0; } EXPORT_SYMBOL_GPL(__get_mtd_device); @@ -1338,10 +1339,12 @@ void __put_mtd_device(struct mtd_info *mtd) { struct mtd_info *master = mtd_get_master(mtd); - while (mtd != master) { + while (mtd) { + /* kref_put() can relese mtd, so keep a reference mtd->parent */ struct mtd_info *parent = mtd->parent; - kref_put(&mtd->refcnt, mtd_device_release); + if (mtd != master) + kref_put(&mtd->refcnt, mtd_device_release); mtd = parent; } |
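Review bot: In the __get_mtd_device() hunk, the rewritten loop changes behaviour when the caller passes the master itself and CONFIG_MTD_PARTITIONED_MASTER is disabled. The removed code took `kref_get(&mtd->refcnt);` unconditionally on the device passed in before walking the parents, while the new loop skips every node equal to master (`if (mtd != master)`) and the trailing `kref_get(&master->refcnt);` only runs with the option enabled, so in that configuration no reference is taken and the function still returns 0. The commit message describes this as a cleanup; if dropping that reference is intended, say so in the message or in a comment above the loop, and confirm the put path drops nothing for the same input so the counts stay balanced.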
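Review bot: In the __put_mtd_device() hunk, the added comment has a typo and a dropped word ("relese", "keep a reference mtd->parent"), and "keep a reference" is misleading in refcounting code because no kref is taken there, only the pointer is saved before `kref_put(&mtd->refcnt, mtd_device_release);` may free mtd. Something like "kref_put() can release mtd, so save mtd->parent first" would be clearer. Separately, the put that mirrors the new `kref_get(&master->refcnt);` under CONFIG_MTD_PARTITIONED_MASTER is not in the visible context of this hunk, so the symmetry the commit message requires ("Same logic must apply in the put path") cannot be checked from the diff alone; it would help to mention in the message where the master reference is dropped.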