From b185d453fd910d3f0197d0dfade939e562a3a9a6 Mon Sep 17 00:00:00 2001
From: Holger Assmann
Date: Mon, 29 Nov 2021 13:45:44 +0100
Subject: fs: jffs2: introduce reference counting at probe

The Barebox jffs2 driver initialises global slab caches and compressors within the probing stage [1]. In Barebox, jffs2_create_slab_caches() has several calls to kmem_cache_create() which does nothing more than allocating the context data structure for the kmem_cache. Probing a second jffs2 however will overwrite the original pointers returned by kmem_cache_create(), leading to a double free when more than one jffs2 file system gets unmounted and jffs2_destroy_slab_caches() is called. The same issue exists regarding jffs2_compressors_init(). We can fix this bug by introducing reference counting for both the slab caches and the compressors so that the global data structures are kept as long as at least one file system is present.

[1] jffs2_compressors_init(), jffs2_create_slab_caches() in probe()

Signed-off-by: Sascha Hauer
Signed-off-by: Holger Assmann
Link: https://lore.barebox.org/20211129124545.14171-2-h.assmann@pengutronix.de
Signed-off-by: Sascha Hauer
---
 fs/jffs2/fs.c | 34 ++++++++++++++++++++++------------
 1 file changed, 22 insertions(+), 12 deletions(-)

diff --git a/fs/jffs2/fs.c b/fs/jffs2/fs.c
index f094291aa4..ace592d973 100644
--- a/fs/jffs2/fs.c
+++ b/fs/jffs2/fs.c
@@ -397,6 +397,8 @@ void jffs2_flash_cleanup(struct jffs2_sb_info *c) {
 }
 }
 
+static int jffs2_probe_cnt;
+
 static int jffs2_probe(struct device_d *dev)
 {
 struct fs_device_d *fsdev;
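Review bot: `jffs2_probe_cnt` is declared without a comment, although it is the only thing that ties the lifetime of the global slab caches and compressors to the number of probed file systems. I would add `/* number of successfully probed jffs2 instances sharing the global slab caches and compressors */` above the declaration, so the next reader knows it must be consulted on every path that creates or destroys those globals. The body of jffs2_probe continues outside this hunk.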
@@ -419,17 +421,19 @@ static int jffs2_probe(struct device_d *dev)
 
 sb->s_fs_info = ctx;
 
- ret = jffs2_compressors_init();
- if (ret) {
- pr_err("error: Failed to initialise compressors\n");
- goto err_out;
- }
+ if (!jffs2_probe_cnt) {
+ ret = jffs2_compressors_init();
+ if (ret) {
+ pr_err("error: Failed to initialise compressors\n");
+ goto err_out;
+ }
 
- ret = jffs2_create_slab_caches();
- if (ret) {
- pr_err("error: Failed to initialise slab caches\n");
- goto err_compressors;
- }
+ ret = jffs2_create_slab_caches();
+ if (ret) {
+ pr_err("error: Failed to initialise slab caches\n");
+ goto err_compressors;
+ }
+ }
 
 if (jffs2_fill_super(fsdev, 0)) {
 dev_err(dev, "no valid jffs2 found\n");
@@ -437,6 +441,8 @@ static int jffs2_probe(struct device_d *dev)
 goto err_slab;
 }
 
+ jffs2_probe_cnt++;
+
 return 0;
 
 err_slab:
@@ -456,8 +462,12 @@ static void jffs2_remove(struct device_d *dev)
 fsdev = dev_to_fs_device(dev);
 sb = &fsdev->sb;
 
- jffs2_destroy_slab_caches();
- jffs2_compressors_exit();
+ jffs2_probe_cnt--;
+
+ if (!jffs2_probe_cnt) {
+ jffs2_destroy_slab_caches();
+ jffs2_compressors_exit();
+ }
 
 jffs2_put_super(sb);
 }
-- 
cgit v1.2.3
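Review bot: The `if (!jffs2_probe_cnt)` guard covers only initialisation, so a failing `jffs2_fill_super()` on a second probe still takes `goto err_slab` (visible in the next hunk) while the first file system is mounted. The bodies of `err_slab:` and `err_compressors:` are outside the diff, but if they still call `jffs2_destroy_slab_caches()` and `jffs2_compressors_exit()` unconditionally, that failed probe frees globals that are still in use. The later remove of the first file system would then free them again, which is the double free this commit sets out to remove. The error path should be guarded in the same way, for example `if (!jffs2_probe_cnt) jffs2_destroy_slab_caches();` under `err_slab:` and `if (!jffs2_probe_cnt) jffs2_compressors_exit();` under `err_compressors:`.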
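Review bot: In jffs2_remove the last-user teardown still runs before `jffs2_put_super(sb)`. The body of jffs2_put_super is not visible here, but if it releases objects that were allocated from the slab caches, they are handed back after `jffs2_destroy_slab_caches()` has already run. Moving the `jffs2_probe_cnt--;` and `if (!jffs2_probe_cnt) { … }` block below `jffs2_put_super(sb);` would keep the shared caches and compressors alive until this instance is fully torn down. The decrement is also unchecked, so an unbalanced remove would drive the counter negative and the globals would never be released.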