Piteball/android_kernel_google_msm
1
0
Fork 0
mirror of https://github.com/followmsi/android_kernel_google_msm.git synced 2024-11-06 23:17:41 +00:00
Code Issues Projects Releases Wiki Activity

UBIFS: fix double free of ubifs_orphan objects

Browse source 
commit 8afd500cb5 upstream.

The last orphan in the dnext list has its dnext set to NULL. Because
of that, ubifs_delete_orphan assumes that it is not on the dnext list
and frees it immediately instead ignoring it as a second delete. The
orphan is later freed again by erase_deleted.

This change adds an explicit flag to ubifs_orphan indicating whether
it is pending delete.

Signed-off-by: Adam Thomas <adamthomas1111@gmail.com>
Signed-off-by: Artem Bityutskiy <artem.bityutskiy@linux.intel.com>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Cc: Rui Xiang <rui.xiang@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
This commit is contained in:
Adam Thomas 2013-02-02 22:35:08 +00:00 committed by Greg Kroah-Hartman
parent ebdc12a0b5
commit 8a4188e2d8
2 changed files with 6 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

5
fs/ubifs/orphan.c
View file

@ -130,13 +130,14 @@ void ubifs_delete_orphan(struct ubifs_info *c, ino_t inum)
else if (inum > o->inum) else if (inum > o->inum)
p = p->rb_right; p = p->rb_right;
else { else {
if (o->dnext) { if (o->del) {
spin_unlock(&c->orphan_lock); spin_unlock(&c->orphan_lock);
dbg_gen("deleted twice ino %lu", dbg_gen("deleted twice ino %lu",
(unsigned long)inum); (unsigned long)inum);
return; return;
} }
if (o->cnext) { if (o->cnext) {
o->del = 1;
o->dnext = c->orph_dnext; o->dnext = c->orph_dnext;
c->orph_dnext = o; c->orph_dnext = o;
spin_unlock(&c->orphan_lock); spin_unlock(&c->orphan_lock);
@ -447,6 +448,7 @@ static void erase_deleted(struct ubifs_info *c)
orphan = dnext; orphan = dnext;
dnext = orphan->dnext; dnext = orphan->dnext;
ubifs_assert(!orphan->new); ubifs_assert(!orphan->new);
ubifs_assert(orphan->del);
rb_erase(&orphan->rb, &c->orph_tree); rb_erase(&orphan->rb, &c->orph_tree);
list_del(&orphan->list); list_del(&orphan->list);
c->tot_orphans -= 1; c->tot_orphans -= 1;
@ -536,6 +538,7 @@ static int insert_dead_orphan(struct ubifs_info *c, ino_t inum)
rb_link_node(&orphan->rb, parent, p); rb_link_node(&orphan->rb, parent, p);
rb_insert_color(&orphan->rb, &c->orph_tree); rb_insert_color(&orphan->rb, &c->orph_tree);
list_add_tail(&orphan->list, &c->orph_list); list_add_tail(&orphan->list, &c->orph_list);
orphan->del = 1;
orphan->dnext = c->orph_dnext; orphan->dnext = c->orph_dnext;
c->orph_dnext = orphan; c->orph_dnext = orphan;
dbg_mnt("ino %lu, new %d, tot %d", (unsigned long)inum, dbg_mnt("ino %lu, new %d, tot %d", (unsigned long)inum,

2
fs/ubifs/ubifs.h
View file

@ -905,6 +905,7 @@ struct ubifs_budget_req {
* @dnext: next orphan to delete * @dnext: next orphan to delete
* @inum: inode number * @inum: inode number
* @new: %1 => added since the last commit, otherwise %0 * @new: %1 => added since the last commit, otherwise %0
* @del: %1 => delete pending, otherwise %0
*/ */
struct ubifs_orphan { struct ubifs_orphan {
struct rb_node rb; struct rb_node rb;
@ -914,6 +915,7 @@ struct ubifs_orphan {
struct ubifs_orphan *dnext; struct ubifs_orphan *dnext;
ino_t inum; ino_t inum;
int new; int new;
unsigned del:1;
}; };
/** /**