| Message ID | 9857609999c5b7196417474938a7a09892cd1612.1701104870.git.daniel@makrotopia.org |
|---|---|
| State | Superseded |
| Headers | show |
| Series | ubi: don't decrease ubi->ref_count on detach error | expand |
----- Ursprüngliche Mail ----- > Von: "Daniel Golle" <daniel@makrotopia.org> > An: "richard" <richard@nod.at>, "Miquel Raynal" <miquel.raynal@bootlin.com>, "Vignesh Raghavendra" <vigneshr@ti.com>, > "Artem Bityutskiy" <Artem.Bityutskiy@nokia.com>, "linux-mtd" <linux-mtd@lists.infradead.org>, "linux-kernel" > <linux-kernel@vger.kernel.org> > CC: "John Crispin" <john@phrozen.org> > Gesendet: Montag, 27. November 2023 18:09:14 > Betreff: [PATCH] ubi: don't decrease ubi->ref_count on detach error > If attempting to detach a UBI device while it is still busy, detaching > is refused. However, the reference counter is still being decreased > despite the error. Rework detach function to only decrease the refcnt > once all conditions for detachment are met. > > Fixes: cdfa788acd13 ("UBI: prepare attach and detach functions") > Signed-off-by: Daniel Golle <daniel@makrotopia.org> Good catch! Did you find this by review or while testing? > --- > drivers/mtd/ubi/build.c | 6 +++--- > 1 file changed, 3 insertions(+), 3 deletions(-) > > diff --git a/drivers/mtd/ubi/build.c b/drivers/mtd/ubi/build.c > index 7d4ff1193db6f..f47987ee9a31b 100644 > --- a/drivers/mtd/ubi/build.c > +++ b/drivers/mtd/ubi/build.c > @@ -1099,16 +1099,16 @@ int ubi_detach_mtd_dev(int ubi_num, int anyway) > > spin_lock(&ubi_devices_lock); > put_device(&ubi->dev); > - ubi->ref_count -= 1; > - if (ubi->ref_count) { > + if (ubi->ref_count > 1) { Is there a specific reason why you have modified the check to test only for ref_count being positive? If rec_counts turns negative, due to a bug, we could still stop it here. > if (!anyway) { > spin_unlock(&ubi_devices_lock); > return -EBUSY; > } > /* This may only happen if there is a bug */ > ubi_err(ubi, "%s reference count %d, destroy anyway", > - ubi->ubi_name, ubi->ref_count); > + ubi->ubi_name, ubi->ref_count - 1); > } > + ubi->ref_count -= 1; Please add there an ubi_asert() which tests whether ref_count is really zero. ...just to be more bullet proof. Thanks, //richard
Hi Richard, On Mon, Nov 27, 2023 at 09:25:58PM +0100, Richard Weinberger wrote: > > If attempting to detach a UBI device while it is still busy, detaching > > is refused. However, the reference counter is still being decreased > > despite the error. Rework detach function to only decrease the refcnt > > once all conditions for detachment are met. > > > > Fixes: cdfa788acd13 ("UBI: prepare attach and detach functions") > > Signed-off-by: Daniel Golle <daniel@makrotopia.org> > > Good catch! Did you find this by review or while testing? I was working on simplifying the NVMEM-on-UBI code which includes attaching UBI via MTD notifiers. You and others had rightously criticized the sketchy situation of the 'remove' handler which has now lead me to rework that part of my patches, which made me end up looking at the ref_count logic and error path at some point it popped into my eyes that this can't be right. > > > --- > > drivers/mtd/ubi/build.c | 6 +++--- > > 1 file changed, 3 insertions(+), 3 deletions(-) > > > > diff --git a/drivers/mtd/ubi/build.c b/drivers/mtd/ubi/build.c > > index 7d4ff1193db6f..f47987ee9a31b 100644 > > --- a/drivers/mtd/ubi/build.c > > +++ b/drivers/mtd/ubi/build.c > > @@ -1099,16 +1099,16 @@ int ubi_detach_mtd_dev(int ubi_num, int anyway) > > > > spin_lock(&ubi_devices_lock); > > put_device(&ubi->dev); > > - ubi->ref_count -= 1; > > - if (ubi->ref_count) { > > + if (ubi->ref_count > 1) { > > Is there a specific reason why you have modified the check to test only > for ref_count being positive? My idea was to really change only what I meant to change and make that change the least intrusive possible. > If rec_counts turns negative, due to a bug, we could still stop it here. ... here and in every other pleace where we touch it? Adding new sanity checks to the code probably doesn't hurt but goes beyond the scope of fixing this very bug, so I'll only do it there for now. > > > if (!anyway) { > > spin_unlock(&ubi_devices_lock); > > return -EBUSY; > > } > > /* This may only happen if there is a bug */ > > ubi_err(ubi, "%s reference count %d, destroy anyway", > > - ubi->ubi_name, ubi->ref_count); > > + ubi->ubi_name, ubi->ref_count - 1); > > } > > + ubi->ref_count -= 1; > > Please add there an ubi_asert() which tests whether ref_count is really zero. > ...just to be more bullet proof. That makes sense, now that it became clear that ref_count wasn't trustable for more than a decade, let's better make sure it is now.
diff --git a/drivers/mtd/ubi/build.c b/drivers/mtd/ubi/build.c index 7d4ff1193db6f..f47987ee9a31b 100644 --- a/drivers/mtd/ubi/build.c +++ b/drivers/mtd/ubi/build.c @@ -1099,16 +1099,16 @@ int ubi_detach_mtd_dev(int ubi_num, int anyway) spin_lock(&ubi_devices_lock); put_device(&ubi->dev); - ubi->ref_count -= 1; - if (ubi->ref_count) { + if (ubi->ref_count > 1) { if (!anyway) { spin_unlock(&ubi_devices_lock); return -EBUSY; } /* This may only happen if there is a bug */ ubi_err(ubi, "%s reference count %d, destroy anyway", - ubi->ubi_name, ubi->ref_count); + ubi->ubi_name, ubi->ref_count - 1); } + ubi->ref_count -= 1; ubi_devices[ubi_num] = NULL; spin_unlock(&ubi_devices_lock);
If attempting to detach a UBI device while it is still busy, detaching is refused. However, the reference counter is still being decreased despite the error. Rework detach function to only decrease the refcnt once all conditions for detachment are met. Fixes: cdfa788acd13 ("UBI: prepare attach and detach functions") Signed-off-by: Daniel Golle <daniel@makrotopia.org> --- drivers/mtd/ubi/build.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-)