From patchwork Thu Apr 21 10:16:58 2016
X-Patchwork-Submitter: Heiko Schocher
X-Patchwork-Id: 613041
X-Patchwork-Delegate: hs@denx.de
From: Heiko Schocher
To: U-Boot Mailing List
Date: Thu, 21 Apr 2016 12:16:58 +0200
Message-Id: <1461233818-4414-1-git-send-email-hs@denx.de>
Cc: Fabio Estevam, Kyungmin Park, Marcel Ziswiler
Subject: [U-Boot] [PATCH] ubifs: fix memory corruption in super.c

In list "super_blocks" ubifs collects allocated super_block structs.
U-Boot frees on unmount the allocated struct, so the pointer stored
in this list is freed after the umount. On a new ubifs mount, the
newly allocated super_block struct gets inserted into the super_blocks
list ... which now contains a freed pointer, and the list_add_tail()
corrupts the freed memory ...

2 solutions are possible:

- remove the super_block from the super_blocks list
  on umount
- as U-Boot does not use the super_blocks list ...
  remove it completely for U-Boot.

Both solutions should not introduce problems for porting to
newer Linux versions, so this patch removes the unused
super_blocks list, as it saves code size and execution time.

Signed-off-by: Heiko Schocher
---
pollux:u-boot hs [work] $ ./tools/buildman/buildman arm -s
boards.cfg is up to date. Nothing to do.
Summary of current source for 546 boards (8 threads, 1 job per thread)
(no errors to report)
pollux:u-boot hs [work] $

 fs/ubifs/super.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/fs/ubifs/super.c b/fs/ubifs/super.c index dcf3a47..effa8d9 100644 --- a/fs/ubifs/super.c +++ b/fs/ubifs/super.c @@ -48,7 +48,6 @@ struct vfsmount; #define INODE_LOCKED_MAX 64 struct super_block *ubifs_sb; -LIST_HEAD(super_blocks); static struct inode *inodes_locked_down[INODE_LOCKED_MAX]; 
@@ -2425,10 +2424,10 @@ retry: s->s_type = type; #ifndef __UBOOT__ strlcpy(s->s_id, type->name, sizeof(s->s_id)); + list_add_tail(&s->s_list, &super_blocks); #else strncpy(s->s_id, type->name, sizeof(s->s_id)); #endif - list_add_tail(&s->s_list, &super_blocks); hlist_add_head(&s->s_instances, &type->fs_supers); #ifndef __UBOOT__ spin_unlock(&sb_lock);
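
Review bot: In the first hunk (@@ -48,7 +48,6 @@), deleting LIST_HEAD(super_blocks); outright leaves the list_add_tail(&s->s_list, &super_blocks); that the second hunk keeps under #ifndef __UBOOT__ without any definition in this file. That branch is not built for U-Boot, so nothing breaks today, but wrapping the definition in #ifndef __UBOOT__ instead of removing it would keep the non-U-Boot branch self-consistent and mark the deviation the same way the second hunk does, which makes the next resync with Linux easier to review.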
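
Review bot: In the second hunk (@@ -2425,10 +2424,10 @@), hlist_add_head(&s->s_instances, &type->fs_supers); stays unconditional, and it has the same shape as the bug being fixed: if the super_block is freed on umount while type->fs_supers still points at it, the next mount stores into the freed struct through that hlist. Please confirm that s_instances is unhooked before the struct is freed, or give it the same #ifndef __UBOOT__ treatment if U-Boot never walks fs_supers. A short comment in the #else branch saying that s_list is intentionally left unlinked in U-Boot would also help, as would a check that nothing on the U-Boot umount path still calls list_del() on it. Separately, the unchanged strncpy(s->s_id, type->name, sizeof(s->s_id)); in that branch does not guarantee NUL termination the way the strlcpy() above it does.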
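
The sequence the commit message describes (mount, umount, mount again), as an added C example that is not part of the original patch or of U-Boot. The list helpers are modelled on the kernel's list.h; struct sb, the fixed pool, the poison byte and remount_corrupts_freed_sb() are constructed for illustration. It also exercises the first solution the message lists (unlinking on umount).

```c
#include <stdio.h>
#include <string.h>

/* Minimal circular doubly linked list, modelled on the kernel's list.h. */
struct list_head { struct list_head *next, *prev; };
static void list_init(struct list_head *h) { h->next = h->prev = h; }
static void list_add_tail(struct list_head *n, struct list_head *head)
{
    struct list_head *last = head->prev;
    n->next = head;
    n->prev = last;
    last->next = n;   /* store into the old tail node, freed or not */
    head->prev = n;
}
static void list_del(struct list_head *n) { n->prev->next = n->next; n->next->prev = n->prev; }

/* Constructed stand-in for struct super_block; the s_id size is assumed. */
struct sb { struct list_head s_list; char s_id[32]; };

/* Fixed pool instead of malloc/free so that inspecting a "freed" slot is
 * defined behaviour; sb_free() poisons the slot to make later stores visible. */
#define POISON 0xA5
static struct sb pool[2];
static struct list_head super_blocks;
static struct sb *sb_alloc(int i) { memset(&pool[i], 0, sizeof pool[i]); return &pool[i]; }
static void sb_free(struct sb *s) { memset(s, POISON, sizeof *s); }
static int sb_still_poisoned(const struct sb *s)
{
    const unsigned char *p = (const unsigned char *)s;
    for (size_t i = 0; i < sizeof *s; i++)
        if (p[i] != POISON) return 0;
    return 1;
}

/* mount, umount, mount again. Returns 1 if the second mount stored into the
 * freed first super_block; unlink_on_umount selects the first solution. */
int remount_corrupts_freed_sb(int unlink_on_umount)
{
    list_init(&super_blocks);
    struct sb *first = sb_alloc(0);
    list_add_tail(&first->s_list, &super_blocks);       /* first mount */
    if (unlink_on_umount) list_del(&first->s_list);
    sb_free(first);                                      /* umount */
    list_add_tail(&sb_alloc(1)->s_list, &super_blocks);  /* second mount */
    return !sb_still_poisoned(first);
}

int main(void) { printf("%d %d\n", remount_corrupts_freed_sb(0), remount_corrupts_freed_sb(1)); return 0; }
```

With the stale entry left in the list, the second list_add_tail() overwrites the next pointer inside the poisoned slot; with list_del() on umount the slot stays untouched.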