Re: [PATCH] ubi: don't decrease ubi->ref_count on detach error

From: Daniel Golle <daniel@makrotopia.org>
To: Richard Weinberger <richard@nod.at>
Cc: Miquel Raynal <miquel.raynal@bootlin.com>,
	Vignesh Raghavendra <vigneshr@ti.com>,
	Artem Bityutskiy <Artem.Bityutskiy@nokia.com>,
	linux-mtd <linux-mtd@lists.infradead.org>,
	linux-kernel <linux-kernel@vger.kernel.org>,
	John Crispin <john@phrozen.org>
Subject: Re: [PATCH] ubi: don't decrease ubi->ref_count on detach error
Date: Mon, 27 Nov 2023 22:06:50 +0000	[thread overview]
Message-ID: <ZWUS-mjWIcIFXvY5@makrotopia.org> (raw)
In-Reply-To: <771902199.32600.1701116758852.JavaMail.zimbra@nod.at>

Hi Richard,

On Mon, Nov 27, 2023 at 09:25:58PM +0100, Richard Weinberger wrote:
> > If attempting to detach a UBI device while it is still busy, detaching
> > is refused. However, the reference counter is still being decreased
> > despite the error. Rework detach function to only decrease the refcnt
> > once all conditions for detachment are met.
> > 
> > Fixes: cdfa788acd13 ("UBI: prepare attach and detach functions")
> > Signed-off-by: Daniel Golle <daniel@makrotopia.org>
> 
> Good catch! Did you find this by review or while testing?

I was working on simplifying the NVMEM-on-UBI code which includes
attaching UBI via MTD notifiers. You and others had rightously
criticized the sketchy situation of the 'remove' handler which has now
lead me to rework that part of my patches, which made me end up looking
at the ref_count logic and error path at some point it popped into my
eyes that this can't be right.

> 
> > ---
> > drivers/mtd/ubi/build.c | 6 +++---
> > 1 file changed, 3 insertions(+), 3 deletions(-)
> > 
> > diff --git a/drivers/mtd/ubi/build.c b/drivers/mtd/ubi/build.c
> > index 7d4ff1193db6f..f47987ee9a31b 100644
> > --- a/drivers/mtd/ubi/build.c
> > +++ b/drivers/mtd/ubi/build.c
> > @@ -1099,16 +1099,16 @@ int ubi_detach_mtd_dev(int ubi_num, int anyway)
> > 
> > 	spin_lock(&ubi_devices_lock);
> > 	put_device(&ubi->dev);
> > -	ubi->ref_count -= 1;
> > -	if (ubi->ref_count) {
> > +	if (ubi->ref_count > 1) {
> 
> Is there a specific reason why you have modified the check to test only
> for ref_count being positive?

My idea was to really change only what I meant to change and make
that change the least intrusive possible.

> If rec_counts turns negative, due to a bug, we could still stop it here.

... here and in every other pleace where we touch it?
Adding new sanity checks to the code probably doesn't hurt but goes
beyond the scope of fixing this very bug, so I'll only do it there for
now.

> 
> > 		if (!anyway) {
> > 			spin_unlock(&ubi_devices_lock);
> > 			return -EBUSY;
> > 		}
> > 		/* This may only happen if there is a bug */
> > 		ubi_err(ubi, "%s reference count %d, destroy anyway",
> > -			ubi->ubi_name, ubi->ref_count);
> > +			ubi->ubi_name, ubi->ref_count - 1);
> > 	}
> > +	ubi->ref_count -= 1;
> 
> Please add there an ubi_asert() which tests whether ref_count is really zero.
> ...just to be more bullet proof.

That makes sense, now that it became clear that ref_count wasn't
trustable for more than a decade, let's better make sure it is now.

______________________________________________________
Linux MTD discussion mailing list
http://lists.infradead.org/mailman/listinfo/linux-mtd/