UBIFS: fix double free of ubifs_orphan objects commit 8afd500cb52a5d00bab4525dd5a560d199f979b9 upstream. The last orphan in the dnext list has its dnext set to NULL. Because of that, ubifs_delete_orphan assumes that it is not on the dnext list and frees it immediately instead ignoring it as a second delete. The orphan is later freed again by erase_deleted. This change adds an explicit flag to ubifs_orphan indicating whether it is pending delete. Signed-off-by: Adam Thomas <adamthomas1111@gmail.com> Signed-off-by: Artem Bityutskiy <artem.bityutskiy@linux.intel.com> [bwh: Backported to 3.2: adjust context] Signed-off-by: Ben Hutchings <ben@decadent.org.uk> Cc: Rui Xiang <rui.xiang@huawei.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit: 8a4188e2d84ab2ec720f29ede1799a6882969857 [log] [tgz]
author: Adam Thomas <adamthomas1111@gmail.com> Sat Feb 02 22:35:08 2013 +0000
committer: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Tue Mar 11 16:10:05 2014 -0700
tree: 5eeabcf01e6872d2eca29c0de4aa7d4ac3e6ba44
parent: ebdc12a0b5ed501c23b52b1ab5d28aea681badcd [diff] [blame]
diff --git a/fs/ubifs/ubifs.h b/fs/ubifs/ubifs.h
index 4971cb2..3f96261 100644
--- a/fs/ubifs/ubifs.h
+++ b/fs/ubifs/ubifs.h

@@ -905,6 +905,7 @@
  * @dnext: next orphan to delete
  * @inum: inode number
  * @new: %1 => added since the last commit, otherwise %0
+ * @del: %1 => delete pending, otherwise %0
  */
 struct ubifs_orphan {
 	struct rb_node rb;
@@ -914,6 +915,7 @@
 	struct ubifs_orphan *dnext;
 	ino_t inum;
 	int new;
+	unsigned del:1;
 };
 
 /**
commit	8a4188e2d84ab2ec720f29ede1799a6882969857	[log] [tgz]
author	Adam Thomas <adamthomas1111@gmail.com>	Sat Feb 02 22:35:08 2013 +0000
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	Tue Mar 11 16:10:05 2014 -0700
tree	5eeabcf01e6872d2eca29c0de4aa7d4ac3e6ba44
parent	ebdc12a0b5ed501c23b52b1ab5d28aea681badcd [diff] [blame]