UBIFS: fix use of freed ubifs_orphan objects

The last orphan in the cnext list has its cnext set to NULL. Because of that, ubifs_delete_orphan assumes that it is not on the cnext list and frees it immediately instead of adding it to the dnext list. The freed orphan is later modified by write_orph_node. This can cause various inconsistencies including directory entries that cannot be removed and this error: UBIFS error (pid 20685): layout_cnodes: LPT out of space at LEB 14:129009 needing 17, done_ltab 1, done_lsave 1 This is a regression introduced by "7074e5eb UBIFS: remove invalid reference to list iterator variable". This change adds an explicit flag to ubifs_orphan indicating whether it is pending commit. Signed-off-by: Adam Thomas <adamthomas1111@gmail.com> Reviewed-by: Adrian Hunter <adrian.hunter@intel.com> Cc: stable@vger.kernel.org # v3.6+ Signed-off-by: Artem Bityutskiy <artem.bityutskiy@linux.intel.com>
author: Adam Thomas <adamthomas1111@gmail.com> 2013-02-02 17:32:31 -0500
committer: Artem Bityutskiy <artem.bityutskiy@linux.intel.com> 2013-02-04 05:31:00 -0500
commit: 2928f0d0c5ebd6c9605c0d98207a44376387c298 (patch)
tree: e15d676a7c9f493853c0fbbab1ed2e71cf5fc0c6
parent: 3d251a5b9e2f09edcf25bbffe1fa308d0f648bf1 (diff)
2 files changed, 9 insertions, 2 deletions
diff --git a/fs/ubifs/orphan.c b/fs/ubifs/orphan.c
index 769701ccb5c9..8534d9c6492f 100644
--- a/fs/ubifs/orphan.c
+++ b/fs/ubifs/orphan.c
@@ -132,7 +132,7 @@ void ubifs_delete_orphan(struct ubifs_info *c, ino_t inum)
                                        (unsigned long)inum);
                                return;
                        }
-                        if (o->cnext) {
+                        if (o->cmt) {
                                o->dnext = c->orph_dnext;
                                c->orph_dnext = o;
                                spin_unlock(&c->orphan_lock);
@@ -172,7 +172,9 @@ int ubifs_orphan_start_commit(struct ubifs_info *c)
        last = &c->orph_cnext;
        list_for_each_entry(orphan, &c->orph_new, new_list) {
                ubifs_assert(orphan->new);
+                ubifs_assert(!orphan->cmt);
                orphan->new = 0;
+                orphan->cmt = 1;
                *last = orphan;
                last = &orphan->cnext;
        }
@@ -299,7 +301,9 @@ static int write_orph_node(struct ubifs_info *c, int atomic)
        cnext = c->orph_cnext;
        for (i = 0; i < cnt; i++) {
                orphan = cnext;
+                ubifs_assert(orphan->cmt);
                orph->inos[i] = cpu_to_le64(orphan->inum);
+                orphan->cmt = 0;
                cnext = orphan->cnext;
                orphan->cnext = NULL;
        }
@@ -378,6 +382,7 @@ static int consolidate(struct ubifs_info *c)
                list_for_each_entry(orphan, &c->orph_list, list) {
                        if (orphan->new)
                                continue;
+                        orphan->cmt = 1;
                        *last = orphan;
                        last = &orphan->cnext;
                        cnt += 1;
diff --git a/fs/ubifs/ubifs.h b/fs/ubifs/ubifs.h
index d133c276fe05..c16fff7271d3 100644
--- a/fs/ubifs/ubifs.h
+++ b/fs/ubifs/ubifs.h
@@ -904,6 +904,7 @@ struct ubifs_budget_req {
 * @dnext: next orphan to delete
 * @inum: inode number
 * @new: %1 => added since the last commit, otherwise %0
+ * @cmt: %1 => commit pending, otherwise %0
 */
 struct ubifs_orphan {
        struct rb_node rb;
@@ -912,7 +913,8 @@ struct ubifs_orphan {
        struct ubifs_orphan *cnext;
        struct ubifs_orphan *dnext;
        ino_t inum;
-        int new;
+        unsigned new:1;
+        unsigned cmt:1;
 };
 /**
author	Adam Thomas <adamthomas1111@gmail.com>	2013-02-02 17:32:31 -0500
committer	Artem Bityutskiy <artem.bityutskiy@linux.intel.com>	2013-02-04 05:31:00 -0500
commit	2928f0d0c5ebd6c9605c0d98207a44376387c298 (patch)
tree	e15d676a7c9f493853c0fbbab1ed2e71cf5fc0c6
parent	3d251a5b9e2f09edcf25bbffe1fa308d0f648bf1 (diff)