<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux.git/drivers/mtd/ubi/fastmap.c, branch v5.9</title>
<subtitle>Linux kernel source tree</subtitle>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/'/>
<entry>
<title>ubi: Select fastmap anchor PEBs considering wear level rules</title>
<updated>2020-06-02T20:53:05+00:00</updated>
<author>
<name>Arne Edholm</name>
<email>arne.edholm@axis.com</email>
</author>
<published>2020-01-13T14:56:22+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=4b68bf9a69d22dd512d61d5f0ba01b065b01ede6'/>
<id>4b68bf9a69d22dd512d61d5f0ba01b065b01ede6</id>
<content type='text'>
There is a risk that the fastmap anchor PEB is alternating between
just two PEBs, the current anchor and the previous anchor that was just
deleted. As the fastmap pools gets the first take on free PEBs, the
pools may leave no free PEBs to be selected as the new anchor,
resulting in the two PEBs alternating behaviour. If the anchor PEBs gets
a high erase count the PEBs will not be used by the pools but remain in
ubi-&gt;free, even more increasing the likelihood they will be used as
anchors.

Getting stuck using only a couple of PEBs continuously will result in an
uneven wear, eventually leading to failure.

To fix this:

- Choose the fastmap anchor when the most free PEBs are available. This is
  during rebuilding of the fastmap pools, after the unused pool PEBs are
  added to ubi-&gt;free but before the pools are populated again from the
  free PEBs. Also reserve an additional second best PEB as a candidate
  for the next time the fast map anchor is updated. If a better PEB is
  found the next time the fast map anchor is updated, the candidate is
  made available for building the pools.

- Enable anchor move within the anchor area again as it is useful for
  distributing wear.

- The anchor candidate for the next fastmap update is the most suited free
  PEB. Check this PEB's erase count during wear leveling. If the wear
  leveling limit is exceeded, the PEB is considered unsuitable for now. As
  all other non used anchor area PEBs should be even worse, free up the
  used anchor area PEB with the lowest erase count.

Signed-off-by: Arne Edholm &lt;arne.edholm@axis.com&gt;
Signed-off-by: Richard Weinberger &lt;richard@nod.at&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
There is a risk that the fastmap anchor PEB is alternating between
just two PEBs, the current anchor and the previous anchor that was just
deleted. As the fastmap pools gets the first take on free PEBs, the
pools may leave no free PEBs to be selected as the new anchor,
resulting in the two PEBs alternating behaviour. If the anchor PEBs gets
a high erase count the PEBs will not be used by the pools but remain in
ubi-&gt;free, even more increasing the likelihood they will be used as
anchors.

Getting stuck using only a couple of PEBs continuously will result in an
uneven wear, eventually leading to failure.

To fix this:

- Choose the fastmap anchor when the most free PEBs are available. This is
  during rebuilding of the fastmap pools, after the unused pool PEBs are
  added to ubi-&gt;free but before the pools are populated again from the
  free PEBs. Also reserve an additional second best PEB as a candidate
  for the next time the fast map anchor is updated. If a better PEB is
  found the next time the fast map anchor is updated, the candidate is
  made available for building the pools.

- Enable anchor move within the anchor area again as it is useful for
  distributing wear.

- The anchor candidate for the next fastmap update is the most suited free
  PEB. Check this PEB's erase count during wear leveling. If the wear
  leveling limit is exceeded, the PEB is considered unsuitable for now. As
  all other non used anchor area PEBs should be even worse, free up the
  used anchor area PEB with the lowest erase count.

Signed-off-by: Arne Edholm &lt;arne.edholm@axis.com&gt;
Signed-off-by: Richard Weinberger &lt;richard@nod.at&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>ubi: Fix an error pointer dereference in error handling code</title>
<updated>2020-01-19T22:23:28+00:00</updated>
<author>
<name>Dan Carpenter</name>
<email>dan.carpenter@oracle.com</email>
</author>
<published>2020-01-13T13:23:46+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=5d3805af279c93ef49a64701f35254676d709622'/>
<id>5d3805af279c93ef49a64701f35254676d709622</id>
<content type='text'>
If "seen_pebs = init_seen(ubi);" fails then "seen_pebs" is an error pointer
and we try to kfree() it which results in an Oops.

This patch re-arranges the error handling so now it only frees things
which have been allocated successfully.

Fixes: daef3dd1f0ae ("UBI: Fastmap: Add self check to detect absent PEBs")
Signed-off-by: Dan Carpenter &lt;dan.carpenter@oracle.com&gt;
Signed-off-by: Richard Weinberger &lt;richard@nod.at&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
If "seen_pebs = init_seen(ubi);" fails then "seen_pebs" is an error pointer
and we try to kfree() it which results in an Oops.

This patch re-arranges the error handling so now it only frees things
which have been allocated successfully.

Fixes: daef3dd1f0ae ("UBI: Fastmap: Add self check to detect absent PEBs")
Signed-off-by: Dan Carpenter &lt;dan.carpenter@oracle.com&gt;
Signed-off-by: Richard Weinberger &lt;richard@nod.at&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>ubi: fastmap: Fix inverted logic in seen selfcheck</title>
<updated>2020-01-16T22:34:50+00:00</updated>
<author>
<name>Sascha Hauer</name>
<email>s.hauer@pengutronix.de</email>
</author>
<published>2019-10-23T09:58:12+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=ef5aafb6e4e9942a28cd300bdcda21ce6cbaf045'/>
<id>ef5aafb6e4e9942a28cd300bdcda21ce6cbaf045</id>
<content type='text'>
set_seen() sets the bit corresponding to the PEB number in the bitmap,
so when self_check_seen() wants to find PEBs that haven't been seen we
have to print the PEBs that have their bit cleared, not the ones which
have it set.

Fixes: 5d71afb00840 ("ubi: Use bitmaps in Fastmap self-check code")
Signed-off-by: Sascha Hauer &lt;s.hauer@pengutronix.de&gt;
Signed-off-by: Richard Weinberger &lt;richard@nod.at&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
set_seen() sets the bit corresponding to the PEB number in the bitmap,
so when self_check_seen() wants to find PEBs that haven't been seen we
have to print the PEBs that have their bit cleared, not the ones which
have it set.

Fixes: 5d71afb00840 ("ubi: Use bitmaps in Fastmap self-check code")
Signed-off-by: Sascha Hauer &lt;s.hauer@pengutronix.de&gt;
Signed-off-by: Richard Weinberger &lt;richard@nod.at&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>ubi: Fix producing anchor PEBs</title>
<updated>2019-11-17T21:45:57+00:00</updated>
<author>
<name>Sascha Hauer</name>
<email>s.hauer@pengutronix.de</email>
</author>
<published>2019-11-05T08:12:51+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=f9c34bb529975fe9f85b870a80c53a83a3c5a182'/>
<id>f9c34bb529975fe9f85b870a80c53a83a3c5a182</id>
<content type='text'>
When a new fastmap is about to be written UBI must make sure it has a
free block for a fastmap anchor available. For this ubi_update_fastmap()
calls ubi_ensure_anchor_pebs(). This stopped working with 2e8f08deabbc
("ubi: Fix races around ubi_refill_pools()"), with this commit the wear
leveling code is blocked and can no longer produce free PEBs. UBI then
more often than not falls back to write the new fastmap anchor to the
same block it was already on which means the same erase block gets
erased during each fastmap write and wears out quite fast.

As the locking prevents us from producing the anchor PEB when we
actually need it, this patch changes the strategy for creating the
anchor PEB. We no longer create it on demand right before we want to
write a fastmap, but instead we create an anchor PEB right after we have
written a fastmap. This gives us enough time to produce a new anchor PEB
before it is needed. To make sure we have an anchor PEB for the very
first fastmap write we call ubi_ensure_anchor_pebs() during
initialisation as well.

Fixes: 2e8f08deabbc ("ubi: Fix races around ubi_refill_pools()")
Signed-off-by: Sascha Hauer &lt;s.hauer@pengutronix.de&gt;
Signed-off-by: Richard Weinberger &lt;richard@nod.at&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
When a new fastmap is about to be written UBI must make sure it has a
free block for a fastmap anchor available. For this ubi_update_fastmap()
calls ubi_ensure_anchor_pebs(). This stopped working with 2e8f08deabbc
("ubi: Fix races around ubi_refill_pools()"), with this commit the wear
leveling code is blocked and can no longer produce free PEBs. UBI then
more often than not falls back to write the new fastmap anchor to the
same block it was already on which means the same erase block gets
erased during each fastmap write and wears out quite fast.

As the locking prevents us from producing the anchor PEB when we
actually need it, this patch changes the strategy for creating the
anchor PEB. We no longer create it on demand right before we want to
write a fastmap, but instead we create an anchor PEB right after we have
written a fastmap. This gives us enough time to produce a new anchor PEB
before it is needed. To make sure we have an anchor PEB for the very
first fastmap write we call ubi_ensure_anchor_pebs() during
initialisation as well.

Fixes: 2e8f08deabbc ("ubi: Fix races around ubi_refill_pools()")
Signed-off-by: Sascha Hauer &lt;s.hauer@pengutronix.de&gt;
Signed-off-by: Richard Weinberger &lt;richard@nod.at&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 286</title>
<updated>2019-06-05T15:36:37+00:00</updated>
<author>
<name>Thomas Gleixner</name>
<email>tglx@linutronix.de</email>
</author>
<published>2019-05-29T14:18:00+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=50acfb2b76e19f73270fef9a32726c7e18d08ec3'/>
<id>50acfb2b76e19f73270fef9a32726c7e18d08ec3</id>
<content type='text'>
Based on 1 normalized pattern(s):

  this program is free software you can redistribute it and or modify
  it under the terms of the gnu general public license as published by
  the free software foundation version 2 this program is distributed
  in the hope that it will be useful but without any warranty without
  even the implied warranty of merchantability or fitness for a
  particular purpose see the gnu general public license for more
  details

extracted by the scancode license scanner the SPDX license identifier

  GPL-2.0-only

has been chosen to replace the boilerplate/reference in 97 file(s).

Signed-off-by: Thomas Gleixner &lt;tglx@linutronix.de&gt;
Reviewed-by: Allison Randal &lt;allison@lohutok.net&gt;
Reviewed-by: Alexios Zavras &lt;alexios.zavras@intel.com&gt;
Cc: linux-spdx@vger.kernel.org
Link: https://lkml.kernel.org/r/20190529141901.025053186@linutronix.de
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Based on 1 normalized pattern(s):

  this program is free software you can redistribute it and or modify
  it under the terms of the gnu general public license as published by
  the free software foundation version 2 this program is distributed
  in the hope that it will be useful but without any warranty without
  even the implied warranty of merchantability or fitness for a
  particular purpose see the gnu general public license for more
  details

extracted by the scancode license scanner the SPDX license identifier

  GPL-2.0-only

has been chosen to replace the boilerplate/reference in 97 file(s).

Signed-off-by: Thomas Gleixner &lt;tglx@linutronix.de&gt;
Reviewed-by: Allison Randal &lt;allison@lohutok.net&gt;
Reviewed-by: Alexios Zavras &lt;alexios.zavras@intel.com&gt;
Cc: linux-spdx@vger.kernel.org
Link: https://lkml.kernel.org/r/20190529141901.025053186@linutronix.de
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>ubi: fastmap: Check each mapping only once</title>
<updated>2018-06-07T13:53:16+00:00</updated>
<author>
<name>Richard Weinberger</name>
<email>richard@nod.at</email>
</author>
<published>2018-05-28T20:04:33+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=34653fd8c46e771585fce5975e4243f8fd401914'/>
<id>34653fd8c46e771585fce5975e4243f8fd401914</id>
<content type='text'>
Maintain a bitmap to keep track of which LEB-&gt;PEB mapping
was checked already.
That way we have to read back VID headers only once.

Signed-off-by: Richard Weinberger &lt;richard@nod.at&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Maintain a bitmap to keep track of which LEB-&gt;PEB mapping
was checked already.
That way we have to read back VID headers only once.

Signed-off-by: Richard Weinberger &lt;richard@nod.at&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>ubi: fastmap: Clean up the initialization of pointer p</title>
<updated>2018-01-17T20:48:02+00:00</updated>
<author>
<name>Colin Ian King</name>
<email>colin.king@canonical.com</email>
</author>
<published>2017-10-29T13:14:26+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=f50629df49f59b044c89f99a4bcd02cafdb38258'/>
<id>f50629df49f59b044c89f99a4bcd02cafdb38258</id>
<content type='text'>
The pointer p is being initialized with one value and a few lines
later being set to a newer replacement value. Clean up the code by
using the latter assignment to p as the initial value. Cleans up
clang warning:

drivers/mtd/ubi/fastmap.c:217:19: warning: Value stored to 'p'
during its initialization is never read

Signed-off-by: Colin Ian King &lt;colin.king@canonical.com&gt;
Reviewed-by: Boris Brezillon &lt;boris.brezillon@free-electrons.com&gt;
Signed-off-by: Richard Weinberger &lt;richard@nod.at&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
The pointer p is being initialized with one value and a few lines
later being set to a newer replacement value. Clean up the code by
using the latter assignment to p as the initial value. Cleans up
clang warning:

drivers/mtd/ubi/fastmap.c:217:19: warning: Value stored to 'p'
during its initialization is never read

Signed-off-by: Colin Ian King &lt;colin.king@canonical.com&gt;
Reviewed-by: Boris Brezillon &lt;boris.brezillon@free-electrons.com&gt;
Signed-off-by: Richard Weinberger &lt;richard@nod.at&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>ubi: fastmap: Use kmem_cache_free to deallocate memory</title>
<updated>2018-01-17T20:48:02+00:00</updated>
<author>
<name>Pan Bian</name>
<email>bianpan2016@163.com</email>
</author>
<published>2017-10-29T12:40:02+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=af7bcee27652bbf2502207500ad200763707a160'/>
<id>af7bcee27652bbf2502207500ad200763707a160</id>
<content type='text'>
Memory allocated by kmem_cache_alloc() should not be deallocated with
kfree(). Use kmem_cache_free() instead.

Signed-off-by: Pan Bian &lt;bianpan2016@163.com&gt;
Reviewed-by: Boris Brezillon &lt;boris.brezillon@free-electrons.com&gt;
Signed-off-by: Richard Weinberger &lt;richard@nod.at&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Memory allocated by kmem_cache_alloc() should not be deallocated with
kfree(). Use kmem_cache_free() instead.

Signed-off-by: Pan Bian &lt;bianpan2016@163.com&gt;
Reviewed-by: Boris Brezillon &lt;boris.brezillon@free-electrons.com&gt;
Signed-off-by: Richard Weinberger &lt;richard@nod.at&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>ubi: fastmap: fix spelling mistake: "invalidiate" -&gt; "invalidate"</title>
<updated>2017-09-13T20:05:30+00:00</updated>
<author>
<name>Colin Ian King</name>
<email>colin.king@canonical.com</email>
</author>
<published>2017-07-03T09:37:01+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=d2e43d192b53cb4a9e940d809d93cd8ea21616fb'/>
<id>d2e43d192b53cb4a9e940d809d93cd8ea21616fb</id>
<content type='text'>
Trivial fix to spelling mistake in ubi_err error message

Signed-off-by: Colin Ian King &lt;colin.king@canonical.com&gt;
Reviewed-by: Boris Brezillon &lt;boris.brezillon@free-electrons.com&gt;
Signed-off-by: Richard Weinberger &lt;richard@nod.at&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Trivial fix to spelling mistake in ubi_err error message

Signed-off-by: Colin Ian King &lt;colin.king@canonical.com&gt;
Reviewed-by: Boris Brezillon &lt;boris.brezillon@free-electrons.com&gt;
Signed-off-by: Richard Weinberger &lt;richard@nod.at&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>ubi: fastmap: Fix slab corruption</title>
<updated>2017-05-08T18:48:33+00:00</updated>
<author>
<name>Rabin Vincent</name>
<email>rabinv@axis.com</email>
</author>
<published>2017-04-03T11:44:11+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=8a1435880f452430b41374d27ac4a33e7bd381ea'/>
<id>8a1435880f452430b41374d27ac4a33e7bd381ea</id>
<content type='text'>
Booting with UBI fastmap and SLUB debugging enabled results in the
following splats.  The problem is that ubi_scan_fastmap() moves the
fastmap blocks from the scan_ai (allocated in scan_fast()) to the ai
allocated in ubi_attach().  This results in two problems:

 - When the scan_ai is freed, aebs which were allocated from its slab
   cache are still in use.

 - When the other ai is being destroyed in destroy_ai(), the
   arguments to kmem_cache_free() call are incorrect since aebs on its
   -&gt;fastmap list were allocated with a slab cache from a differnt ai.

Fix this by making a copy of the aebs in ubi_scan_fastmap() instead of
moving them.

 =============================================================================
 BUG ubi_aeb_slab_cache (Not tainted): Objects remaining in ubi_aeb_slab_cache on __kmem_cache_shutdown()
 -----------------------------------------------------------------------------

 INFO: Slab 0xbfd2da3c objects=17 used=1 fp=0xb33d7748 flags=0x40000080
 CPU: 1 PID: 118 Comm: ubiattach Tainted: G    B           4.9.15 #3
 [&lt;80111910&gt;] (unwind_backtrace) from [&lt;8010d498&gt;] (show_stack+0x18/0x1c)
 [&lt;8010d498&gt;] (show_stack) from [&lt;804a3274&gt;] (dump_stack+0xb4/0xe0)
 [&lt;804a3274&gt;] (dump_stack) from [&lt;8026c47c&gt;] (slab_err+0x78/0x88)
 [&lt;8026c47c&gt;] (slab_err) from [&lt;802735bc&gt;] (__kmem_cache_shutdown+0x180/0x3e0)
 [&lt;802735bc&gt;] (__kmem_cache_shutdown) from [&lt;8024e13c&gt;] (shutdown_cache+0x1c/0x60)
 [&lt;8024e13c&gt;] (shutdown_cache) from [&lt;8024ed64&gt;] (kmem_cache_destroy+0x19c/0x20c)
 [&lt;8024ed64&gt;] (kmem_cache_destroy) from [&lt;8057cc14&gt;] (destroy_ai+0x1dc/0x1e8)
 [&lt;8057cc14&gt;] (destroy_ai) from [&lt;8057f04c&gt;] (ubi_attach+0x3f4/0x450)
 [&lt;8057f04c&gt;] (ubi_attach) from [&lt;8056fe70&gt;] (ubi_attach_mtd_dev+0x60c/0xff8)
 [&lt;8056fe70&gt;] (ubi_attach_mtd_dev) from [&lt;80571d78&gt;] (ctrl_cdev_ioctl+0x110/0x2b8)
 [&lt;80571d78&gt;] (ctrl_cdev_ioctl) from [&lt;8029c77c&gt;] (do_vfs_ioctl+0xac/0xa00)
 [&lt;8029c77c&gt;] (do_vfs_ioctl) from [&lt;8029d10c&gt;] (SyS_ioctl+0x3c/0x64)
 [&lt;8029d10c&gt;] (SyS_ioctl) from [&lt;80108860&gt;] (ret_fast_syscall+0x0/0x1c)
 INFO: Object 0xb33d7e88 @offset=3720
 INFO: Allocated in scan_peb+0x608/0x81c age=72 cpu=1 pid=118
 	kmem_cache_alloc+0x3b0/0x43c
 	scan_peb+0x608/0x81c
 	ubi_attach+0x124/0x450
 	ubi_attach_mtd_dev+0x60c/0xff8
 	ctrl_cdev_ioctl+0x110/0x2b8
 	do_vfs_ioctl+0xac/0xa00
 	SyS_ioctl+0x3c/0x64
 	ret_fast_syscall+0x0/0x1c
 kmem_cache_destroy ubi_aeb_slab_cache: Slab cache still has objects
 CPU: 1 PID: 118 Comm: ubiattach Tainted: G    B           4.9.15 #3
 [&lt;80111910&gt;] (unwind_backtrace) from [&lt;8010d498&gt;] (show_stack+0x18/0x1c)
 [&lt;8010d498&gt;] (show_stack) from [&lt;804a3274&gt;] (dump_stack+0xb4/0xe0)
 [&lt;804a3274&gt;] (dump_stack) from [&lt;8024ed80&gt;] (kmem_cache_destroy+0x1b8/0x20c)
 [&lt;8024ed80&gt;] (kmem_cache_destroy) from [&lt;8057cc14&gt;] (destroy_ai+0x1dc/0x1e8)
 [&lt;8057cc14&gt;] (destroy_ai) from [&lt;8057f04c&gt;] (ubi_attach+0x3f4/0x450)
 [&lt;8057f04c&gt;] (ubi_attach) from [&lt;8056fe70&gt;] (ubi_attach_mtd_dev+0x60c/0xff8)
 [&lt;8056fe70&gt;] (ubi_attach_mtd_dev) from [&lt;80571d78&gt;] (ctrl_cdev_ioctl+0x110/0x2b8)
 [&lt;80571d78&gt;] (ctrl_cdev_ioctl) from [&lt;8029c77c&gt;] (do_vfs_ioctl+0xac/0xa00)
 [&lt;8029c77c&gt;] (do_vfs_ioctl) from [&lt;8029d10c&gt;] (SyS_ioctl+0x3c/0x64)
 [&lt;8029d10c&gt;] (SyS_ioctl) from [&lt;80108860&gt;] (ret_fast_syscall+0x0/0x1c)
 cache_from_obj: Wrong slab cache. ubi_aeb_slab_cache but object is from ubi_aeb_slab_cache
 ------------[ cut here ]------------
 WARNING: CPU: 1 PID: 118 at mm/slab.h:354 kmem_cache_free+0x39c/0x450
 Modules linked in:
 CPU: 1 PID: 118 Comm: ubiattach Tainted: G    B           4.9.15 #3
 [&lt;80111910&gt;] (unwind_backtrace) from [&lt;8010d498&gt;] (show_stack+0x18/0x1c)
 [&lt;8010d498&gt;] (show_stack) from [&lt;804a3274&gt;] (dump_stack+0xb4/0xe0)
 [&lt;804a3274&gt;] (dump_stack) from [&lt;80120e40&gt;] (__warn+0xf4/0x10c)
 [&lt;80120e40&gt;] (__warn) from [&lt;80120f20&gt;] (warn_slowpath_null+0x28/0x30)
 [&lt;80120f20&gt;] (warn_slowpath_null) from [&lt;80271fe0&gt;] (kmem_cache_free+0x39c/0x450)
 [&lt;80271fe0&gt;] (kmem_cache_free) from [&lt;8057cb88&gt;] (destroy_ai+0x150/0x1e8)
 [&lt;8057cb88&gt;] (destroy_ai) from [&lt;8057ef1c&gt;] (ubi_attach+0x2c4/0x450)
 [&lt;8057ef1c&gt;] (ubi_attach) from [&lt;8056fe70&gt;] (ubi_attach_mtd_dev+0x60c/0xff8)
 [&lt;8056fe70&gt;] (ubi_attach_mtd_dev) from [&lt;80571d78&gt;] (ctrl_cdev_ioctl+0x110/0x2b8)
 [&lt;80571d78&gt;] (ctrl_cdev_ioctl) from [&lt;8029c77c&gt;] (do_vfs_ioctl+0xac/0xa00)
 [&lt;8029c77c&gt;] (do_vfs_ioctl) from [&lt;8029d10c&gt;] (SyS_ioctl+0x3c/0x64)
 [&lt;8029d10c&gt;] (SyS_ioctl) from [&lt;80108860&gt;] (ret_fast_syscall+0x0/0x1c)
 ---[ end trace 2bd8396277fd0a0b ]---
 =============================================================================
 BUG ubi_aeb_slab_cache (Tainted: G    B   W      ): page slab pointer corrupt.
 -----------------------------------------------------------------------------

 INFO: Allocated in scan_peb+0x608/0x81c age=104 cpu=1 pid=118
 	kmem_cache_alloc+0x3b0/0x43c
 	scan_peb+0x608/0x81c
 	ubi_attach+0x124/0x450
 	ubi_attach_mtd_dev+0x60c/0xff8
 	ctrl_cdev_ioctl+0x110/0x2b8
 	do_vfs_ioctl+0xac/0xa00
 	SyS_ioctl+0x3c/0x64
 	ret_fast_syscall+0x0/0x1c
 INFO: Slab 0xbfd2da3c objects=17 used=1 fp=0xb33d7748 flags=0x40000081
 INFO: Object 0xb33d7e88 @offset=3720 fp=0xb33d7da0

 Redzone b33d7e80: cc cc cc cc cc cc cc cc                          ........
 Object b33d7e88: 02 00 00 00 01 00 00 00 00 f0 ff 7f ff ff ff ff  ................
 Object b33d7e98: 00 00 00 00 00 00 00 00 bd 16 00 00 00 00 00 00  ................
 Object b33d7ea8: 00 01 00 00 00 02 00 00 00 00 00 00 00 00 00 00  ................
 Redzone b33d7eb8: cc cc cc cc                                      ....
 Padding b33d7f60: 5a 5a 5a 5a 5a 5a 5a 5a                          ZZZZZZZZ
 CPU: 1 PID: 118 Comm: ubiattach Tainted: G    B   W       4.9.15 #3
 [&lt;80111910&gt;] (unwind_backtrace) from [&lt;8010d498&gt;] (show_stack+0x18/0x1c)
 [&lt;8010d498&gt;] (show_stack) from [&lt;804a3274&gt;] (dump_stack+0xb4/0xe0)
 [&lt;804a3274&gt;] (dump_stack) from [&lt;80271770&gt;] (free_debug_processing+0x320/0x3c4)
 [&lt;80271770&gt;] (free_debug_processing) from [&lt;80271ad0&gt;] (__slab_free+0x2bc/0x430)
 [&lt;80271ad0&gt;] (__slab_free) from [&lt;80272024&gt;] (kmem_cache_free+0x3e0/0x450)
 [&lt;80272024&gt;] (kmem_cache_free) from [&lt;8057cb88&gt;] (destroy_ai+0x150/0x1e8)
 [&lt;8057cb88&gt;] (destroy_ai) from [&lt;8057ef1c&gt;] (ubi_attach+0x2c4/0x450)
 [&lt;8057ef1c&gt;] (ubi_attach) from [&lt;8056fe70&gt;] (ubi_attach_mtd_dev+0x60c/0xff8)
 [&lt;8056fe70&gt;] (ubi_attach_mtd_dev) from [&lt;80571d78&gt;] (ctrl_cdev_ioctl+0x110/0x2b8)
 [&lt;80571d78&gt;] (ctrl_cdev_ioctl) from [&lt;8029c77c&gt;] (do_vfs_ioctl+0xac/0xa00)
 [&lt;8029c77c&gt;] (do_vfs_ioctl) from [&lt;8029d10c&gt;] (SyS_ioctl+0x3c/0x64)
 [&lt;8029d10c&gt;] (SyS_ioctl) from [&lt;80108860&gt;] (ret_fast_syscall+0x0/0x1c)
 FIX ubi_aeb_slab_cache: Object at 0xb33d7e88 not freed

Signed-off-by: Rabin Vincent &lt;rabinv@axis.com&gt;
Signed-off-by: Richard Weinberger &lt;richard@nod.at&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Booting with UBI fastmap and SLUB debugging enabled results in the
following splats.  The problem is that ubi_scan_fastmap() moves the
fastmap blocks from the scan_ai (allocated in scan_fast()) to the ai
allocated in ubi_attach().  This results in two problems:

 - When the scan_ai is freed, aebs which were allocated from its slab
   cache are still in use.

 - When the other ai is being destroyed in destroy_ai(), the
   arguments to kmem_cache_free() call are incorrect since aebs on its
   -&gt;fastmap list were allocated with a slab cache from a differnt ai.

Fix this by making a copy of the aebs in ubi_scan_fastmap() instead of
moving them.

 =============================================================================
 BUG ubi_aeb_slab_cache (Not tainted): Objects remaining in ubi_aeb_slab_cache on __kmem_cache_shutdown()
 -----------------------------------------------------------------------------

 INFO: Slab 0xbfd2da3c objects=17 used=1 fp=0xb33d7748 flags=0x40000080
 CPU: 1 PID: 118 Comm: ubiattach Tainted: G    B           4.9.15 #3
 [&lt;80111910&gt;] (unwind_backtrace) from [&lt;8010d498&gt;] (show_stack+0x18/0x1c)
 [&lt;8010d498&gt;] (show_stack) from [&lt;804a3274&gt;] (dump_stack+0xb4/0xe0)
 [&lt;804a3274&gt;] (dump_stack) from [&lt;8026c47c&gt;] (slab_err+0x78/0x88)
 [&lt;8026c47c&gt;] (slab_err) from [&lt;802735bc&gt;] (__kmem_cache_shutdown+0x180/0x3e0)
 [&lt;802735bc&gt;] (__kmem_cache_shutdown) from [&lt;8024e13c&gt;] (shutdown_cache+0x1c/0x60)
 [&lt;8024e13c&gt;] (shutdown_cache) from [&lt;8024ed64&gt;] (kmem_cache_destroy+0x19c/0x20c)
 [&lt;8024ed64&gt;] (kmem_cache_destroy) from [&lt;8057cc14&gt;] (destroy_ai+0x1dc/0x1e8)
 [&lt;8057cc14&gt;] (destroy_ai) from [&lt;8057f04c&gt;] (ubi_attach+0x3f4/0x450)
 [&lt;8057f04c&gt;] (ubi_attach) from [&lt;8056fe70&gt;] (ubi_attach_mtd_dev+0x60c/0xff8)
 [&lt;8056fe70&gt;] (ubi_attach_mtd_dev) from [&lt;80571d78&gt;] (ctrl_cdev_ioctl+0x110/0x2b8)
 [&lt;80571d78&gt;] (ctrl_cdev_ioctl) from [&lt;8029c77c&gt;] (do_vfs_ioctl+0xac/0xa00)
 [&lt;8029c77c&gt;] (do_vfs_ioctl) from [&lt;8029d10c&gt;] (SyS_ioctl+0x3c/0x64)
 [&lt;8029d10c&gt;] (SyS_ioctl) from [&lt;80108860&gt;] (ret_fast_syscall+0x0/0x1c)
 INFO: Object 0xb33d7e88 @offset=3720
 INFO: Allocated in scan_peb+0x608/0x81c age=72 cpu=1 pid=118
 	kmem_cache_alloc+0x3b0/0x43c
 	scan_peb+0x608/0x81c
 	ubi_attach+0x124/0x450
 	ubi_attach_mtd_dev+0x60c/0xff8
 	ctrl_cdev_ioctl+0x110/0x2b8
 	do_vfs_ioctl+0xac/0xa00
 	SyS_ioctl+0x3c/0x64
 	ret_fast_syscall+0x0/0x1c
 kmem_cache_destroy ubi_aeb_slab_cache: Slab cache still has objects
 CPU: 1 PID: 118 Comm: ubiattach Tainted: G    B           4.9.15 #3
 [&lt;80111910&gt;] (unwind_backtrace) from [&lt;8010d498&gt;] (show_stack+0x18/0x1c)
 [&lt;8010d498&gt;] (show_stack) from [&lt;804a3274&gt;] (dump_stack+0xb4/0xe0)
 [&lt;804a3274&gt;] (dump_stack) from [&lt;8024ed80&gt;] (kmem_cache_destroy+0x1b8/0x20c)
 [&lt;8024ed80&gt;] (kmem_cache_destroy) from [&lt;8057cc14&gt;] (destroy_ai+0x1dc/0x1e8)
 [&lt;8057cc14&gt;] (destroy_ai) from [&lt;8057f04c&gt;] (ubi_attach+0x3f4/0x450)
 [&lt;8057f04c&gt;] (ubi_attach) from [&lt;8056fe70&gt;] (ubi_attach_mtd_dev+0x60c/0xff8)
 [&lt;8056fe70&gt;] (ubi_attach_mtd_dev) from [&lt;80571d78&gt;] (ctrl_cdev_ioctl+0x110/0x2b8)
 [&lt;80571d78&gt;] (ctrl_cdev_ioctl) from [&lt;8029c77c&gt;] (do_vfs_ioctl+0xac/0xa00)
 [&lt;8029c77c&gt;] (do_vfs_ioctl) from [&lt;8029d10c&gt;] (SyS_ioctl+0x3c/0x64)
 [&lt;8029d10c&gt;] (SyS_ioctl) from [&lt;80108860&gt;] (ret_fast_syscall+0x0/0x1c)
 cache_from_obj: Wrong slab cache. ubi_aeb_slab_cache but object is from ubi_aeb_slab_cache
 ------------[ cut here ]------------
 WARNING: CPU: 1 PID: 118 at mm/slab.h:354 kmem_cache_free+0x39c/0x450
 Modules linked in:
 CPU: 1 PID: 118 Comm: ubiattach Tainted: G    B           4.9.15 #3
 [&lt;80111910&gt;] (unwind_backtrace) from [&lt;8010d498&gt;] (show_stack+0x18/0x1c)
 [&lt;8010d498&gt;] (show_stack) from [&lt;804a3274&gt;] (dump_stack+0xb4/0xe0)
 [&lt;804a3274&gt;] (dump_stack) from [&lt;80120e40&gt;] (__warn+0xf4/0x10c)
 [&lt;80120e40&gt;] (__warn) from [&lt;80120f20&gt;] (warn_slowpath_null+0x28/0x30)
 [&lt;80120f20&gt;] (warn_slowpath_null) from [&lt;80271fe0&gt;] (kmem_cache_free+0x39c/0x450)
 [&lt;80271fe0&gt;] (kmem_cache_free) from [&lt;8057cb88&gt;] (destroy_ai+0x150/0x1e8)
 [&lt;8057cb88&gt;] (destroy_ai) from [&lt;8057ef1c&gt;] (ubi_attach+0x2c4/0x450)
 [&lt;8057ef1c&gt;] (ubi_attach) from [&lt;8056fe70&gt;] (ubi_attach_mtd_dev+0x60c/0xff8)
 [&lt;8056fe70&gt;] (ubi_attach_mtd_dev) from [&lt;80571d78&gt;] (ctrl_cdev_ioctl+0x110/0x2b8)
 [&lt;80571d78&gt;] (ctrl_cdev_ioctl) from [&lt;8029c77c&gt;] (do_vfs_ioctl+0xac/0xa00)
 [&lt;8029c77c&gt;] (do_vfs_ioctl) from [&lt;8029d10c&gt;] (SyS_ioctl+0x3c/0x64)
 [&lt;8029d10c&gt;] (SyS_ioctl) from [&lt;80108860&gt;] (ret_fast_syscall+0x0/0x1c)
 ---[ end trace 2bd8396277fd0a0b ]---
 =============================================================================
 BUG ubi_aeb_slab_cache (Tainted: G    B   W      ): page slab pointer corrupt.
 -----------------------------------------------------------------------------

 INFO: Allocated in scan_peb+0x608/0x81c age=104 cpu=1 pid=118
 	kmem_cache_alloc+0x3b0/0x43c
 	scan_peb+0x608/0x81c
 	ubi_attach+0x124/0x450
 	ubi_attach_mtd_dev+0x60c/0xff8
 	ctrl_cdev_ioctl+0x110/0x2b8
 	do_vfs_ioctl+0xac/0xa00
 	SyS_ioctl+0x3c/0x64
 	ret_fast_syscall+0x0/0x1c
 INFO: Slab 0xbfd2da3c objects=17 used=1 fp=0xb33d7748 flags=0x40000081
 INFO: Object 0xb33d7e88 @offset=3720 fp=0xb33d7da0

 Redzone b33d7e80: cc cc cc cc cc cc cc cc                          ........
 Object b33d7e88: 02 00 00 00 01 00 00 00 00 f0 ff 7f ff ff ff ff  ................
 Object b33d7e98: 00 00 00 00 00 00 00 00 bd 16 00 00 00 00 00 00  ................
 Object b33d7ea8: 00 01 00 00 00 02 00 00 00 00 00 00 00 00 00 00  ................
 Redzone b33d7eb8: cc cc cc cc                                      ....
 Padding b33d7f60: 5a 5a 5a 5a 5a 5a 5a 5a                          ZZZZZZZZ
 CPU: 1 PID: 118 Comm: ubiattach Tainted: G    B   W       4.9.15 #3
 [&lt;80111910&gt;] (unwind_backtrace) from [&lt;8010d498&gt;] (show_stack+0x18/0x1c)
 [&lt;8010d498&gt;] (show_stack) from [&lt;804a3274&gt;] (dump_stack+0xb4/0xe0)
 [&lt;804a3274&gt;] (dump_stack) from [&lt;80271770&gt;] (free_debug_processing+0x320/0x3c4)
 [&lt;80271770&gt;] (free_debug_processing) from [&lt;80271ad0&gt;] (__slab_free+0x2bc/0x430)
 [&lt;80271ad0&gt;] (__slab_free) from [&lt;80272024&gt;] (kmem_cache_free+0x3e0/0x450)
 [&lt;80272024&gt;] (kmem_cache_free) from [&lt;8057cb88&gt;] (destroy_ai+0x150/0x1e8)
 [&lt;8057cb88&gt;] (destroy_ai) from [&lt;8057ef1c&gt;] (ubi_attach+0x2c4/0x450)
 [&lt;8057ef1c&gt;] (ubi_attach) from [&lt;8056fe70&gt;] (ubi_attach_mtd_dev+0x60c/0xff8)
 [&lt;8056fe70&gt;] (ubi_attach_mtd_dev) from [&lt;80571d78&gt;] (ctrl_cdev_ioctl+0x110/0x2b8)
 [&lt;80571d78&gt;] (ctrl_cdev_ioctl) from [&lt;8029c77c&gt;] (do_vfs_ioctl+0xac/0xa00)
 [&lt;8029c77c&gt;] (do_vfs_ioctl) from [&lt;8029d10c&gt;] (SyS_ioctl+0x3c/0x64)
 [&lt;8029d10c&gt;] (SyS_ioctl) from [&lt;80108860&gt;] (ret_fast_syscall+0x0/0x1c)
 FIX ubi_aeb_slab_cache: Object at 0xb33d7e88 not freed

Signed-off-by: Rabin Vincent &lt;rabinv@axis.com&gt;
Signed-off-by: Richard Weinberger &lt;richard@nod.at&gt;
</pre>
</div>
</content>
</entry>
</feed>
