Received: by 2002:a25:8b91:0:0:0:0:0 with SMTP id j17csp1308260ybl;
        Tue, 3 Dec 2019 05:14:43 -0800 (PST)
X-Google-Smtp-Source: APXvYqzjrsWtiRBEpzpskeBcM7WouTgSHtFAqphMI3UyRctA+7+KSsy0xEs9un9szuPpNLZIRWS8
X-Received: by 2002:a54:4407:: with SMTP id k7mr3600327oiw.56.1575378883381;
        Tue, 03 Dec 2019 05:14:43 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1575378883; cv=none;
        d=google.com; s=arc-20160816;
        b=uGhn7aFAvi6gSkZy9f5CkNoDFZ8qhaZMAW6/o9dHfLKE2KXXStsoEdWfb3QTz+Gry6
         +VIV43J/1gjW/ZDtQe55kRuff9mgmHL19Bsg9JxmmjXDL8hvchFGsW0OnZLBxC2otiGu
         MuQYPGPc/sIGq6/whlN41KcbBOfGIcTLpfVrgT7jnUBfj7R5Bh8cii6QU4D+0q5dZFpH
         7kRDCh5b5wlQ44rzuMkqVany/mnI9HCnq69k3An2X8GED/n7Io5Iua0ai9xo7wsvBBFO
         qEANA6dQj+uO71fY/cLvYdm4Vx6+VZ199raeVc82NjA8i4+N4fwQo7/T2kbojWi2M32+
         K8XA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding
         :content-language:in-reply-to:mime-version:user-agent:date
         :message-id:from:references:cc:to:subject;
        bh=yEzhnuOInFN5jhrZbY+k7exN9YwQd2zvTg/XpFkoO7Y=;
        b=tmtt0F73jbGf93ULdrnQjPNvvhKCsSeHyOXZ6a9r8nmILWQHHEBqduuQKHyuaxIu4D
         TvVYwQwkTwcwW+6RfeHUZpa+DkjvONCwgVgcBG9yf8Us3eutzHLcxY4I0+fdUAs9xpp5
         CDLNpeJMgFnOFAK6iKFzMhR0TCELsBcMhAyx2BpFf+zL6mzU8OHCIIPXYRYlV2H4am7v
         SM7qX+zj2xCYiuMNPc2Z/yckhlQy0qrEL/BTLh9ku2ndVxMNOlr+2hqTNbeWHFdBlONW
         /4+q/gPKeLqZEd2us6/QQgQsaelVUBGYQZETzn1TqFvte3D8b7poYlDHczM5+AOpfGn5
         CvwA==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id t7si1173762otl.133.2019.12.03.05.14.30;
        Tue, 03 Dec 2019 05:14:43 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1726443AbfLCNNH (ORCPT <rfc822;tluu11sec@gmail.com> + 99 others);
        Tue, 3 Dec 2019 08:13:07 -0500
Received: from szxga07-in.huawei.com ([45.249.212.35]:38946 "EHLO huawei.com"
        rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP
        id S1725954AbfLCNNG (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 3 Dec 2019 08:13:06 -0500
Received: from DGGEMS414-HUB.china.huawei.com (unknown [172.30.72.59])
        by Forcepoint Email with ESMTP id 0A6C04729755A59EEE63;
        Tue,  3 Dec 2019 21:13:03 +0800 (CST)
Received: from [127.0.0.1] (10.133.219.224) by DGGEMS414-HUB.china.huawei.com
 (10.3.19.214) with Microsoft SMTP Server id 14.3.439.0; Tue, 3 Dec 2019
 21:13:01 +0800
Subject: Re: [PATCH] UBI: fix use after free in ubi_remove_volume()
To:     Wen Yang <wenyang@linux.alibaba.com>,
        Richard Weinberger <richard@nod.at>,
        Miquel Raynal <miquel.raynal@bootlin.com>,
        Vignesh Raghavendra <vigneshr@ti.com>
CC:     <linux-kernel@vger.kernel.org>, <linux-mtd@lists.infradead.org>,
        <xlpang@linux.alibaba.com>
References: <20191130093317.31352-1-wenyang@linux.alibaba.com>
From:   Hou Tao <houtao1@huawei.com>
Message-ID: <65b49705-e28c-e077-c0de-c5167e34d1c5@huawei.com>
Date:   Tue, 3 Dec 2019 21:13:01 +0800
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101
 Thunderbird/52.8.0
MIME-Version: 1.0
In-Reply-To: <20191130093317.31352-1-wenyang@linux.alibaba.com>
Content-Type: text/plain; charset="utf-8"
Content-Language: en-US
Content-Transfer-Encoding: 7bit
X-Originating-IP: [10.133.219.224]
X-CFilter-Loop: Reflected
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Reviewed-by: Hou Tao <houtao1@huawei.com>

On 2019/11/30 17:33, Wen Yang wrote:
> We can't use "vol" after it has been freed.
> 
> Fixes: 493cfaeaa0c9 ("mtd: utilize new cdev_device_add helper function")
> Signed-off-by: Wen Yang <wenyang@linux.alibaba.com>
> Cc: Richard Weinberger <richard@nod.at>
> Cc: Miquel Raynal <miquel.raynal@bootlin.com>
> Cc: Vignesh Raghavendra <vigneshr@ti.com>
> Cc: linux-mtd@lists.infradead.org
> Cc: linux-kernel@vger.kernel.org
> ---
>  drivers/mtd/ubi/vmt.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/drivers/mtd/ubi/vmt.c b/drivers/mtd/ubi/vmt.c
> index 139ee13..8ff1478 100644
> --- a/drivers/mtd/ubi/vmt.c
> +++ b/drivers/mtd/ubi/vmt.c
> @@ -375,7 +375,6 @@ int ubi_remove_volume(struct ubi_volume_desc *desc, int no_vtbl)
>  	}
>  
>  	cdev_device_del(&vol->cdev, &vol->dev);
> -	put_device(&vol->dev);
>  
>  	spin_lock(&ubi->volumes_lock);
>  	ubi->rsvd_pebs -= reserved_pebs;
> @@ -388,6 +387,8 @@ int ubi_remove_volume(struct ubi_volume_desc *desc, int no_vtbl)
>  	if (!no_vtbl)
>  		self_check_volumes(ubi);
>  
> +	put_device(&vol->dev);
> +
>  	return 0;
>  
>  out_err:
>