If attempting to detach a UBI device while it is still busy, detaching
is refused. However, the reference counter is still being decreased
despite the error. Rework detach function to only decrease the refcnt
once all conditions for detachment are met.
Fixes: cdfa788acd13 ("UBI: prepare attach and detach functions")
Signed-off-by: Daniel Golle <[email protected]>
---
drivers/mtd/ubi/build.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/drivers/mtd/ubi/build.c b/drivers/mtd/ubi/build.c
index 7d4ff1193db6f..f47987ee9a31b 100644
--- a/drivers/mtd/ubi/build.c
+++ b/drivers/mtd/ubi/build.c
@@ -1099,16 +1099,16 @@ int ubi_detach_mtd_dev(int ubi_num, int anyway)
spin_lock(&ubi_devices_lock);
put_device(&ubi->dev);
- ubi->ref_count -= 1;
- if (ubi->ref_count) {
+ if (ubi->ref_count > 1) {
if (!anyway) {
spin_unlock(&ubi_devices_lock);
return -EBUSY;
}
/* This may only happen if there is a bug */
ubi_err(ubi, "%s reference count %d, destroy anyway",
- ubi->ubi_name, ubi->ref_count);
+ ubi->ubi_name, ubi->ref_count - 1);
}
+ ubi->ref_count -= 1;
ubi_devices[ubi_num] = NULL;
spin_unlock(&ubi_devices_lock);
--
2.43.0
----- Ursprüngliche Mail -----
> Von: "Daniel Golle" <[email protected]>
> An: "richard" <[email protected]>, "Miquel Raynal" <[email protected]>, "Vignesh Raghavendra" <[email protected]>,
> "Artem Bityutskiy" <[email protected]>, "linux-mtd" <[email protected]>, "linux-kernel"
> <[email protected]>
> CC: "John Crispin" <[email protected]>
> Gesendet: Montag, 27. November 2023 18:09:14
> Betreff: [PATCH] ubi: don't decrease ubi->ref_count on detach error
> If attempting to detach a UBI device while it is still busy, detaching
> is refused. However, the reference counter is still being decreased
> despite the error. Rework detach function to only decrease the refcnt
> once all conditions for detachment are met.
>
> Fixes: cdfa788acd13 ("UBI: prepare attach and detach functions")
> Signed-off-by: Daniel Golle <[email protected]>
Good catch! Did you find this by review or while testing?
> ---
> drivers/mtd/ubi/build.c | 6 +++---
> 1 file changed, 3 insertions(+), 3 deletions(-)
>
> diff --git a/drivers/mtd/ubi/build.c b/drivers/mtd/ubi/build.c
> index 7d4ff1193db6f..f47987ee9a31b 100644
> --- a/drivers/mtd/ubi/build.c
> +++ b/drivers/mtd/ubi/build.c
> @@ -1099,16 +1099,16 @@ int ubi_detach_mtd_dev(int ubi_num, int anyway)
>
> spin_lock(&ubi_devices_lock);
> put_device(&ubi->dev);
> - ubi->ref_count -= 1;
> - if (ubi->ref_count) {
> + if (ubi->ref_count > 1) {
Is there a specific reason why you have modified the check to test only
for ref_count being positive?
If rec_counts turns negative, due to a bug, we could still stop it here.
> if (!anyway) {
> spin_unlock(&ubi_devices_lock);
> return -EBUSY;
> }
> /* This may only happen if there is a bug */
> ubi_err(ubi, "%s reference count %d, destroy anyway",
> - ubi->ubi_name, ubi->ref_count);
> + ubi->ubi_name, ubi->ref_count - 1);
> }
> + ubi->ref_count -= 1;
Please add there an ubi_asert() which tests whether ref_count is really zero.
...just to be more bullet proof.
Thanks,
//richard
Hi Richard,
On Mon, Nov 27, 2023 at 09:25:58PM +0100, Richard Weinberger wrote:
> > If attempting to detach a UBI device while it is still busy, detaching
> > is refused. However, the reference counter is still being decreased
> > despite the error. Rework detach function to only decrease the refcnt
> > once all conditions for detachment are met.
> >
> > Fixes: cdfa788acd13 ("UBI: prepare attach and detach functions")
> > Signed-off-by: Daniel Golle <[email protected]>
>
> Good catch! Did you find this by review or while testing?
I was working on simplifying the NVMEM-on-UBI code which includes
attaching UBI via MTD notifiers. You and others had rightously
criticized the sketchy situation of the 'remove' handler which has now
lead me to rework that part of my patches, which made me end up looking
at the ref_count logic and error path at some point it popped into my
eyes that this can't be right.
>
> > ---
> > drivers/mtd/ubi/build.c | 6 +++---
> > 1 file changed, 3 insertions(+), 3 deletions(-)
> >
> > diff --git a/drivers/mtd/ubi/build.c b/drivers/mtd/ubi/build.c
> > index 7d4ff1193db6f..f47987ee9a31b 100644
> > --- a/drivers/mtd/ubi/build.c
> > +++ b/drivers/mtd/ubi/build.c
> > @@ -1099,16 +1099,16 @@ int ubi_detach_mtd_dev(int ubi_num, int anyway)
> >
> > spin_lock(&ubi_devices_lock);
> > put_device(&ubi->dev);
> > - ubi->ref_count -= 1;
> > - if (ubi->ref_count) {
> > + if (ubi->ref_count > 1) {
>
> Is there a specific reason why you have modified the check to test only
> for ref_count being positive?
My idea was to really change only what I meant to change and make
that change the least intrusive possible.
> If rec_counts turns negative, due to a bug, we could still stop it here.
... here and in every other pleace where we touch it?
Adding new sanity checks to the code probably doesn't hurt but goes
beyond the scope of fixing this very bug, so I'll only do it there for
now.
>
> > if (!anyway) {
> > spin_unlock(&ubi_devices_lock);
> > return -EBUSY;
> > }
> > /* This may only happen if there is a bug */
> > ubi_err(ubi, "%s reference count %d, destroy anyway",
> > - ubi->ubi_name, ubi->ref_count);
> > + ubi->ubi_name, ubi->ref_count - 1);
> > }
> > + ubi->ref_count -= 1;
>
> Please add there an ubi_asert() which tests whether ref_count is really zero.
> ...just to be more bullet proof.
That makes sense, now that it became clear that ref_count wasn't
trustable for more than a decade, let's better make sure it is now.
If attempting to detach a UBI device while it is still busy, detaching
is refused. However, the reference counter is still being decreased
despite the error. Rework detach function to only decrease the reference
counter once all conditions for detachment are met.
Fixes: cdfa788acd13 ("UBI: prepare attach and detach functions")
Signed-off-by: Daniel Golle <[email protected]>
---
v2: also catch negative ref_count and add ubi_assert as suggested
drivers/mtd/ubi/build.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/drivers/mtd/ubi/build.c b/drivers/mtd/ubi/build.c
index 7d4ff1193db6f..2316f6014c7f5 100644
--- a/drivers/mtd/ubi/build.c
+++ b/drivers/mtd/ubi/build.c
@@ -1099,16 +1099,17 @@ int ubi_detach_mtd_dev(int ubi_num, int anyway)
spin_lock(&ubi_devices_lock);
put_device(&ubi->dev);
- ubi->ref_count -= 1;
- if (ubi->ref_count) {
+ if (ubi->ref_count != 1) {
if (!anyway) {
spin_unlock(&ubi_devices_lock);
return -EBUSY;
}
/* This may only happen if there is a bug */
ubi_err(ubi, "%s reference count %d, destroy anyway",
- ubi->ubi_name, ubi->ref_count);
+ ubi->ubi_name, ubi->ref_count - 1);
}
+ ubi->ref_count -= 1;
+ ubi_assert(ubi->ref_count == 0);
ubi_devices[ubi_num] = NULL;
spin_unlock(&ubi_devices_lock);
--
2.43.0
?? 2023/11/28 8:45, Daniel Golle д??:
> If attempting to detach a UBI device while it is still busy, detaching
> is refused. However, the reference counter is still being decreased
> despite the error. Rework detach function to only decrease the reference
> counter once all conditions for detachment are met.
>
> Fixes: cdfa788acd13 ("UBI: prepare attach and detach functions")
> Signed-off-by: Daniel Golle <[email protected]>
> ---
> v2: also catch negative ref_count and add ubi_assert as suggested
>
> drivers/mtd/ubi/build.c | 7 ++++---
> 1 file changed, 4 insertions(+), 3 deletions(-)
Reviewed-by: Zhihao Cheng <[email protected]>
>
> diff --git a/drivers/mtd/ubi/build.c b/drivers/mtd/ubi/build.c
> index 7d4ff1193db6f..2316f6014c7f5 100644
> --- a/drivers/mtd/ubi/build.c
> +++ b/drivers/mtd/ubi/build.c
> @@ -1099,16 +1099,17 @@ int ubi_detach_mtd_dev(int ubi_num, int anyway)
>
> spin_lock(&ubi_devices_lock);
> put_device(&ubi->dev);
> - ubi->ref_count -= 1;
> - if (ubi->ref_count) {
> + if (ubi->ref_count != 1) {
> if (!anyway) {
> spin_unlock(&ubi_devices_lock);
> return -EBUSY;
> }
> /* This may only happen if there is a bug */
> ubi_err(ubi, "%s reference count %d, destroy anyway",
> - ubi->ubi_name, ubi->ref_count);
> + ubi->ubi_name, ubi->ref_count - 1);
> }
> + ubi->ref_count -= 1;
> + ubi_assert(ubi->ref_count == 0);
> ubi_devices[ubi_num] = NULL;
> spin_unlock(&ubi_devices_lock);
>