Double free error with ubi_volume_desc/ubi_close_volume

Nieuwenhuizen Felix (ETAS-DAP/XPC-Fe8) Felix.Nieuwenhuizen at etas.com
Thu Feb 15 09:04:36 CET 2024


Hi all,

I seem to be running into a double free error with ubi_volume_desc/ubi_close_volume during a ubifsmount/ubifsload/ubifsumount sequence.

This is the sequence that I'm seeing:

ubifsmount
- do_ubifs_mount
  - cmd_ubifs_mount
    - uboot_ubifs_mount
      - ubifs_mount
        - open_ubi
          - ubi_open_volume -> returns ubi_volume_desc #1
          - open_ubi returns ubi_volume_desc #1
        - ubi_volume_desc #1 stored in the local ubi variable
        - ubifs_fill_super
          - ubi_open_volume returns ubi_volume_desc #2
          - ubi_volume_desc #2 stored in sb->s_fs_info->ubi
        - ubi_close_volume(ubi) i.e. ubi_close_volume(ubi_volume_desc #1)
          - kfree(ubi_volume_desc #1)
        - sb stored in global ubifs_sb (including ubi_volume_desc #2)

ubifsload
- do_ubifs_load
  - ubifs_load
    - ubifs_read
      - ubi_open_volume -> returns ubi_volume_desc #3
      - ubi_volume_desc #3 stored in ubifs_sb->s_fs_info->ubi (this overwrites ubi_volume_desc #2!)
      - ubi_close_volume(ubifs_sb->s_fs_info->ubi) i.e. ubi_close_volume(ubi_volume_desc #3)
        - kfree(ubi_volume_desc #3)

ubifsumount
- do_ubifs_umount
  - cmd_ubifs_umount
    - uboot_ubifs_umount
      - ubifs_umount(ubifs_sb->s_fs_info)
        - ubi_close_volume(ubifs_sb->s_fs_info->ubi) i.e. ubi_close_volume(ubi_volume_desc #3)
          - kfree(ubi_volume_desc #3)
          - this is a double free error, ubi_volume_desc #2 should be closed instead (but the reference has been lost)!

The issue seems to be that ubifs_read overwrites the ubi_volume_desc that's stored in the superblock, and thus ubi_volume_desc #2 is never freed, while ubi_volume_desc #3 is freed twice.

I'm not sure what the correct behaviour should be:
- should the volume be closed at the end of ubifs_mount, or stay open until ubifs_umount?
- should ubifs_read not open the volume if it is already open?

Thanks in advance!

Regards,
Felix
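The sequence above, modelled as an added example (not U-Boot code and not a patch from this thread): a small C program that mirrors the open/close calls Felix lists. The ubi_*/ubifs_* names follow the functions named in the mail, but their bodies, the `closed` flag, the counters and the alternative `ubifs_read_reuse_open_volume()` are assumptions made so the second close and the leaked descriptor #2 can be observed instead of corrupting the heap.

```c
#include <stdio.h>
#include <stdlib.h>

/* Model of the descriptor handling described in the mail (assumed shapes,
 * not U-Boot's real structures). */
struct ubi_volume_desc {
    int id;
    int closed;      /* set on first close so a second close is detectable */
};

struct ubifs_info {  /* stands in for sb->s_fs_info */
    struct ubi_volume_desc *ubi;
};

/* bookkeeping for the model */
static struct ubi_volume_desc *all_descs[16];
static int n_descs;           /* descriptors opened so far */
static int live_descs;        /* opened and not yet closed */
static int double_closes;     /* closes that hit an already closed descriptor */

static void model_reset(void)
{
    for (int i = 0; i < n_descs; i++)
        free(all_descs[i]);
    n_descs = live_descs = double_closes = 0;
}

static struct ubi_volume_desc *ubi_open_volume(void)
{
    struct ubi_volume_desc *d = calloc(1, sizeof *d);
    if (!d) abort();
    d->id = n_descs + 1;           /* #1, #2, #3 as in the mail */
    all_descs[n_descs++] = d;
    live_descs++;
    return d;
}

/* The real ubi_close_volume() ends in kfree(); the model keeps the memory
 * until model_reset() so the flag can still be read after a second close. */
static void ubi_close_volume(struct ubi_volume_desc *d)
{
    if (d->closed) {
        double_closes++;           /* the double free from the mail */
        return;
    }
    d->closed = 1;
    live_descs--;
}

/* ubifs_mount as described: open_ubi() yields #1, ubifs_fill_super() opens
 * #2 and stores it in s_fs_info, then #1 is closed. */
static struct ubifs_info *ubifs_mount(void)
{
    struct ubi_volume_desc *ubi = ubi_open_volume();        /* #1 */
    struct ubifs_info *c = calloc(1, sizeof *c);
    if (!c) abort();
    c->ubi = ubi_open_volume();                             /* #2 (fill_super) */
    ubi_close_volume(ubi);                                  /* #1 closed here */
    return c;
}

/* ubifs_read as reported: opens #3 over the top of #2 and closes it,
 * leaving s_fs_info->ubi pointing at a closed descriptor. Returns the id
 * of the descriptor it used. */
static int ubifs_read_as_reported(struct ubifs_info *c)
{
    c->ubi = ubi_open_volume();                             /* #3 overwrites #2 */
    int used = c->ubi->id;
    ubi_close_volume(c->ubi);                               /* #3 closed, pointer dangles */
    return used;
}

/* One possible behaviour (an assumption, not a fix from the thread): read
 * through the descriptor the superblock already owns and leave it open. */
static int ubifs_read_reuse_open_volume(struct ubifs_info *c)
{
    return c->ubi->id;                                      /* still #2 */
}

static void ubifs_umount(struct ubifs_info *c)
{
    ubi_close_volume(c->ubi);
    free(c);
}

struct outcome {
    int double_closes;   /* closes of an already closed descriptor */
    int leaked;          /* descriptors still open after umount */
    int read_id;         /* descriptor ubifs_read actually used */
};

/* Run ubifsmount -> ubifsload -> ubifsumount with the given read routine. */
struct outcome run_sequence(int (*read_fn)(struct ubifs_info *))
{
    model_reset();
    struct ubifs_info *c = ubifs_mount();
    int read_id = read_fn(c);
    ubifs_umount(c);
    struct outcome o = { double_closes, live_descs, read_id };
    return o;
}

int main(void)
{
    struct outcome bad = run_sequence(ubifs_read_as_reported);
    struct outcome good = run_sequence(ubifs_read_reuse_open_volume);
    printf("as reported: double closes=%d leaked=%d read via #%d\n",
           bad.double_closes, bad.leaked, bad.read_id);
    printf("reusing #2:  double closes=%d leaked=%d read via #%d\n",
           good.double_closes, good.leaked, good.read_id);
    return 0;
}
```

With the read routine as reported, the run ends with one double close (#3) and one descriptor still open (#2); with the read routine that reuses the descriptor owned by the superblock, umount closes #2 exactly once and nothing is leaked. The model only settles the ownership question for this one sequence; whether the volume should instead be closed at the end of ubifs_mount, as the mail also asks, is a separate design choice.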


More information about the U-Boot mailing list