From: Heiko Schocher <hs@denx.de>
Date: Thu, 21 Apr 2016 10:16:58 +0000 (+0200)
Subject: ubifs: fix memory corruption in super.c
X-Git-Tag: v2025.01-rc5-pxa1908~9560^2
X-Git-Url: http://git.dujemihanovic.xyz/img/html/static/git-favicon.png?a=commitdiff_plain;h=b1d6590d357bde2332cb699e2fd2efc7a7c64f38;p=u-boot.git

ubifs: fix memory corruption in super.c

In the list "super_blocks" ubifs collects allocated super_block
structs. U-Boot frees the allocated struct on unmount,
so the pointer stored in this list is freed after the umount.
On a new ubifs mount, the newly allocated super_block struct
gets inserted into the super_blocks list ... which now
contains a freed pointer, and the list_add_tail() corrupts the
freed memory ...

2 solutions are possible:
- remove the super_block from the super_blocks list
  on umount

- as U-Boot does not use the super_blocks list ...
  remove it completely for U-Boot.

Neither solution should introduce problems for porting
to newer Linux versions, so this patch removes the unused
super_blocks list, as it saves code size and execution
time.

Signed-off-by: Heiko Schocher <hs@denx.de>
---

diff --git a/fs/ubifs/super.c b/fs/ubifs/super.c
index dcf3a47947..effa8d933f 100644
--- a/fs/ubifs/super.c
+++ b/fs/ubifs/super.c
@@ -48,7 +48,6 @@ struct vfsmount;
 #define INODE_LOCKED_MAX	64
 
 struct super_block *ubifs_sb;
-LIST_HEAD(super_blocks);
 
 static struct inode *inodes_locked_down[INODE_LOCKED_MAX];
 
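Review bot: the definition `LIST_HEAD(super_blocks);` is removed unconditionally here, but the second hunk keeps `list_add_tail(&s->s_list, &super_blocks);` alive under `#ifndef __UBOOT__`, so the non-U-Boot branch of this file now references a symbol this translation unit no longer defines (in the kernel the list lives in fs/super.c, which U-Boot does not carry). Either guard the definition with the same `#ifndef __UBOOT__` instead of deleting it, or say in the commit message that the `#ifndef __UBOOT__` branch is kept only as porting reference and is never compiled.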
@@ -2425,10 +2424,10 @@ retry:
 	s->s_type = type;
 #ifndef __UBOOT__
 	strlcpy(s->s_id, type->name, sizeof(s->s_id));
+	list_add_tail(&s->s_list, &super_blocks);
 #else
 	strncpy(s->s_id, type->name, sizeof(s->s_id));
 #endif
-	list_add_tail(&s->s_list, &super_blocks);
 	hlist_add_head(&s->s_instances, &type->fs_supers);
 #ifndef __UBOOT__
 	spin_unlock(&sb_lock);