mirror of
https://github.com/followmsi/android_kernel_google_msm.git
synced 2024-11-06 23:17:41 +00:00
UBIFS: fix double free of ubifs_orphan objects
commit 8afd500cb5 upstream.
The last orphan in the dnext list has its dnext set to NULL. Because
of that, ubifs_delete_orphan assumes that it is not on the dnext list
and frees it immediately instead ignoring it as a second delete. The
orphan is later freed again by erase_deleted.
This change adds an explicit flag to ubifs_orphan indicating whether
it is pending delete.
Signed-off-by: Adam Thomas <adamthomas1111@gmail.com>
Signed-off-by: Artem Bityutskiy <artem.bityutskiy@linux.intel.com>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Cc: Rui Xiang <rui.xiang@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
This commit is contained in:
Adam Thomas
Greg Kroah-Hartman
parent
ebdc12a0b5
commit
8a4188e2d8
2 changed files with 6 additions and 1 deletions
|
|
@ -130,13 +130,14 @@ void ubifs_delete_orphan(struct ubifs_info *c, ino_t inum)
|
|||
else if (inum > o->inum)
|
||||
p = p->rb_right;
|
||||
else {
|
||||
if (o->dnext) {
|
||||
if (o->del) {
|
||||
spin_unlock(&c->orphan_lock);
|
||||
dbg_gen("deleted twice ino %lu",
|
||||
(unsigned long)inum);
|
||||
return;
|
||||
}
|
||||
if (o->cnext) {
|
||||
o->del = 1;
|
||||
o->dnext = c->orph_dnext;
|
||||
c->orph_dnext = o;
|
||||
spin_unlock(&c->orphan_lock);
|
||||
|
|
@ -447,6 +448,7 @@ static void erase_deleted(struct ubifs_info *c)
|
|||
orphan = dnext;
|
||||
dnext = orphan->dnext;
|
||||
ubifs_assert(!orphan->new);
|
||||
ubifs_assert(orphan->del);
|
||||
rb_erase(&orphan->rb, &c->orph_tree);
|
||||
list_del(&orphan->list);
|
||||
c->tot_orphans -= 1;
|
||||
|
|
@ -536,6 +538,7 @@ static int insert_dead_orphan(struct ubifs_info *c, ino_t inum)
|
|||
rb_link_node(&orphan->rb, parent, p);
|
||||
rb_insert_color(&orphan->rb, &c->orph_tree);
|
||||
list_add_tail(&orphan->list, &c->orph_list);
|
||||
orphan->del = 1;
|
||||
orphan->dnext = c->orph_dnext;
|
||||
c->orph_dnext = orphan;
|
||||
dbg_mnt("ino %lu, new %d, tot %d", (unsigned long)inum,
|
||||
|
|
|
|||
|
|
@ -905,6 +905,7 @@ struct ubifs_budget_req {
|
|||
* @dnext: next orphan to delete
|
||||
* @inum: inode number
|
||||
* @new: %1 => added since the last commit, otherwise %0
|
||||
* @del: %1 => delete pending, otherwise %0
|
||||
*/
|
||||
struct ubifs_orphan {
|
||||
struct rb_node rb;
|
||||
|
|
@ -914,6 +915,7 @@ struct ubifs_orphan {
|
|||
struct ubifs_orphan *dnext;
|
||||
ino_t inum;
|
||||
int new;
|
||||
unsigned del:1;
|
||||
};
|
||||
|
||||
/**
|
||||
|
|
|
|||
Loading…
Reference in a new issue