RTEMS | Flashdev JFFS2 double free of mount_data and instance (#5381)
Aaron Nyholm (@eagleirony)
gitlab at rtems.org
Tue Oct 28 03:17:55 UTC 2025
Aaron Nyholm created an issue: https://gitlab.rtems.org/rtems/rtos/rtems/-/issues/5381
## Summary
In 7da577f in `jffs2_flashdev.c`, both `mount_data` and `instance` are freed if the mount fails. This is an unnecessary free which leads to a double free, as in `jffs2/src/fs-rtems.c` the destroy handler is called when the mount fails: `fs-rtems.c:1493 -> rtems_jffs2_free_fs_info -> rtems_jffs2_flash_control_destroy`.
```
<5>JFFS2: jffs2_scan_eraseblock(): Magic bitmask 0x1985 not found at 0x008e0024: 0x9fa6 instead
<5>JFFS2: Further such events for this erase block will not be printed
<5>JFFS2: Cowardly refusing to erase blocks on filesystem with no valid JFFS2 nodes
<5>JFFS2: empty_blocks 17, bad_blocks 0, c->nr_blocks 159
<5>JFFS2: nr_erasing_blocks 159, used 0x0, dirty 0x8cd520, wasted 0x0, free 0x122ae0, erasing 0x0, bad 0x0, obsolete 0x460, unchecked 0x0
*** FATAL ***
fatal source: 12 (RTEMS_FATAL_SOURCE_INVALID_HEAP_FREE)
CPU: 0
fatal code: 80382272 (0x04ca8940)
RTEMS version: 7.0.0.de8da59ba1d756822acf44d838707e2b368b8b2c
RTEMS tools: 15.2.0 20250808 (RTEMS 7, RSB 63785b8c2717fe5f174ed0fa9c2abdde2a0ec2be, Newlib 038afec1)
executing thread ID: 0x0a010002
executing thread name: UI1
```
## Steps to reproduce
Mount a fully corrupted JFFS2 partition on a flashdev using `jffs2_flashdev_mount`.
This issue is present in `main` and `6`.
/milestone %7.1
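The ownership hand-off the report describes, shown as an added, self-contained C illustration that is not RTEMS code: a hypothetical `fs_mount` stands in for the filesystem core and runs a `destroy_handler` on failure (the role of `rtems_jffs2_free_fs_info -> rtems_jffs2_flash_control_destroy`), `flashdev_mount_buggy` frees `mount_data` and the instance a second time after that handler has already released them, and `flashdev_mount_fixed` treats the call into the core as the point where ownership is given up. A small tracking allocator counts repeated frees instead of corrupting the heap, so the double free shows up as a number rather than a fatal error. All names, structs and the `corrupted` flag are assumptions for the example.

```c
#include <stdio.h>
#include <stdlib.h>

#define MAX_TRACKED 16

/* Tracking allocator (example only): records how often each block it handed
 * out was freed, so a repeated free is counted instead of corrupting the heap
 * (which RTEMS reports as RTEMS_FATAL_SOURCE_INVALID_HEAP_FREE). */
static void *g_blocks[MAX_TRACKED];
static int g_free_count[MAX_TRACKED];
static int g_nblocks;

static void *tracked_alloc(size_t n) {
    void *p = calloc(1, n);
    if (p != NULL && g_nblocks < MAX_TRACKED) {
        g_blocks[g_nblocks] = p;
        g_free_count[g_nblocks++] = 0;
    }
    return p;
}

static void tracked_free(void *p) {
    for (int i = 0; i < g_nblocks; i++) {
        if (g_blocks[i] == p) {
            if (g_free_count[i]++ == 0) free(p); /* only the first free releases */
            return;
        }
    }
}

/* Number of tracked blocks freed exactly `times` times (0 = leaked, 2 = double free). */
static int blocks_freed_times(int times) {
    int n = 0;
    for (int i = 0; i < g_nblocks; i++)
        if (g_free_count[i] == times) n++;
    return n;
}

/* Hypothetical stand-ins for the flash instance and the mount data. */
struct flash_instance { int fd; };
struct mount_data {
    struct flash_instance *inst;
    void (*destroy)(struct mount_data *);
};

/* Destroy handler the fs core runs when a mount fails (the role played by
 * rtems_jffs2_free_fs_info -> rtems_jffs2_flash_control_destroy). */
static void destroy_handler(struct mount_data *md) {
    tracked_free(md->inst);
    tracked_free(md);
}

/* Stand-in for the fs core mount. Ownership of md passes to the core here:
 * on failure it runs the destroy handler itself before returning. */
static int fs_mount(struct mount_data *md, int corrupted) {
    if (corrupted) { md->destroy(md); return -1; }
    return 0;
}

static struct mount_data *prepare(void) {
    struct flash_instance *inst = tracked_alloc(sizeof *inst);
    if (inst == NULL) return NULL;
    struct mount_data *md = tracked_alloc(sizeof *md);
    if (md == NULL) { tracked_free(inst); return NULL; } /* still ours here */
    md->inst = inst;
    md->destroy = destroy_handler;
    return md;
}

/* Buggy shape: frees both blocks again after the core's destroy handler
 * has already released them. */
static int flashdev_mount_buggy(int corrupted, struct mount_data **out) {
    struct mount_data *md = prepare();
    if (md == NULL) return -1;
    struct flash_instance *inst = md->inst;
    int rv = fs_mount(md, corrupted);
    if (rv != 0) {
        tracked_free(md);   /* second free of md */
        tracked_free(inst); /* second free of inst */
        return rv;
    }
    *out = md;
    return 0;
}

/* Fixed shape: after fs_mount() the caller owns nothing on failure. */
static int flashdev_mount_fixed(int corrupted, struct mount_data **out) {
    struct mount_data *md = prepare();
    if (md == NULL) return -1;
    int rv = fs_mount(md, corrupted);
    if (rv != 0) return rv; /* destroy handler already freed md and inst */
    *out = md;
    return 0;
}

/* Run one scenario (fixed or buggy caller, clean or corrupted image) and
 * report how many blocks were freed `times` times. */
static int scenario(int use_fixed, int corrupted, int times) {
    struct mount_data *md = NULL;
    g_nblocks = 0;
    int rv = use_fixed ? flashdev_mount_fixed(corrupted, &md)
                       : flashdev_mount_buggy(corrupted, &md);
    if (rv == 0) md->destroy(md); /* unmount releases via the same handler */
    return blocks_freed_times(times);
}

int main(void) {
    printf("buggy caller, corrupted image: %d blocks freed twice\n", scenario(0, 1, 2));
    printf("fixed caller, corrupted image: %d blocks freed twice, %d leaked\n",
           scenario(1, 1, 2), scenario(1, 1, 0));
    return 0;
}
```

The point the example makes is the ownership boundary: the only allocation the caller may still free after `fs_mount()` returns is one that never reached the core (the `md == NULL` path in `prepare`). Everything handed to the core is released by the core's own destroy handler, on failure as well as on unmount.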