Re: [PATCH 2/2] UBIFS: fix double free of ubifs_orphan objects

[Adrian Hunter <adrian.hunter@intel.com>]

On 28/01/13 03:28, Adam Thomas wrote:
> The last orphan in the dnext list has its dnext set to NULL. Because
> of that, ubifs_delete_orphan assumes that it is not on the dnext list
> and frees it immediately instead ignoring it as a second delete. The
> orphan is later freed again by erase_deleted.

In fact, unless something has gone wrong, an inode is only ever deleted once.

> 
> This change adds an explicit flag to ubifs_orphan indicating whether
> it is pending delete.

Needs an signed-off line.

Reviewed-by: Adrian Hunter <adrian.hunter@intel.com>

> ---
>  fs/ubifs/orphan.c |    5 ++++-
>  fs/ubifs/ubifs.h  |    2 ++
>  2 files changed, 6 insertions(+), 1 deletion(-)
> 
> diff --git a/fs/ubifs/orphan.c b/fs/ubifs/orphan.c
> index 8433f53..071d607 100644
> --- a/fs/ubifs/orphan.c
> +++ b/fs/ubifs/orphan.c
> @@ -126,13 +126,14 @@ void ubifs_delete_orphan(struct ubifs_info *c, ino_t inum)
>  		else if (inum > o->inum)
>  			p = p->rb_right;
>  		else {
> -			if (o->dnext) {
> +			if (o->del) {
>  				spin_unlock(&c->orphan_lock);
>  				dbg_gen("deleted twice ino %lu",
>  					(unsigned long)inum);
>  				return;
>  			}
>  			if (o->cmt) {
> +				o->del = 1;
>  				o->dnext = c->orph_dnext;
>  				c->orph_dnext = o;
>  				spin_unlock(&c->orphan_lock);
> @@ -446,6 +447,7 @@ static void erase_deleted(struct ubifs_info *c)
>  		orphan = dnext;
>  		dnext = orphan->dnext;
>  		ubifs_assert(!orphan->new);
> +		ubifs_assert(orphan->del);
>  		rb_erase(&orphan->rb, &c->orph_tree);
>  		list_del(&orphan->list);
>  		c->tot_orphans -= 1;
> @@ -535,6 +537,7 @@ static int insert_dead_orphan(struct ubifs_info *c, ino_t inum)
>  	rb_link_node(&orphan->rb, parent, p);
>  	rb_insert_color(&orphan->rb, &c->orph_tree);
>  	list_add_tail(&orphan->list, &c->orph_list);
> +	orphan->del = 1;
>  	orphan->dnext = c->orph_dnext;
>  	c->orph_dnext = orphan;
>  	dbg_mnt("ino %lu, new %d, tot %d", (unsigned long)inum,
> diff --git a/fs/ubifs/ubifs.h b/fs/ubifs/ubifs.h
> index c16fff7..b2babce 100644
> --- a/fs/ubifs/ubifs.h
> +++ b/fs/ubifs/ubifs.h
> @@ -905,6 +905,7 @@ struct ubifs_budget_req {
>   * @inum: inode number
>   * @new: %1 => added since the last commit, otherwise %0
>   * @cmt: %1 => commit pending, otherwise %0
> + * @del: %1 => delete pending, otherwise %0
>   */
>  struct ubifs_orphan {
>  	struct rb_node rb;
> @@ -915,6 +916,7 @@ struct ubifs_orphan {
>  	ino_t inum;
>  	unsigned new:1;
>  	unsigned cmt:1;
> +	unsigned del:1;
>  };
>  
>  /**
>