• Adam Thomas's avatar
    UBIFS: fix use of freed ubifs_orphan objects · 2928f0d0
    Adam Thomas authored
    The last orphan in the cnext list has its cnext set to NULL. Because
    of that, ubifs_delete_orphan assumes that it is not on the cnext list
    and frees it immediately instead of adding it to the dnext list. The
    freed orphan is later modified by write_orph_node.
    
    This can cause various inconsistencies including directory entries
    that cannot be removed and this error:
    
    UBIFS error (pid 20685): layout_cnodes: LPT out of space at LEB 14:129009 needing 17, done_ltab 1, done_lsave 1
    
    This is a regression introduced by
    "7074e5eb UBIFS: remove invalid reference to list iterator variable".
    
    This change adds an explicit flag to ubifs_orphan indicating whether
    it is pending commit.
    Signed-off-by: default avatarAdam Thomas <adamthomas1111@gmail.com>
    Reviewed-by: default avatarAdrian Hunter <adrian.hunter@intel.com>
    Cc: stable@vger.kernel.org # v3.6+
    Signed-off-by: default avatarArtem Bityutskiy <artem.bityutskiy@linux.intel.com>
    2928f0d0
orphan.c 24.9 KB