Re: [bug report] ubifs: Don't leak orphans on memory during commit

[Richard Weinberger <richard@xxxxxx>]

Dan,

----- Ursprüngliche Mail -----
> Von: "Dan Carpenter" <dan.carpenter@xxxxxxxxxx>
> An: "richard" <richard@xxxxxx>
> CC: "linux-mtd" <linux-mtd@xxxxxxxxxxxxxxxxxxx>
> Gesendet: Dienstag, 21. Mai 2019 09:09:37
> Betreff: [bug report] ubifs: Don't leak orphans on memory during commit

> Hello Richard Weinberger,
> 
> The patch c16e73587ad6: "ubifs: Don't leak orphans on memory during
> commit" from May 15, 2019, leads to the following static checker
> warning:
> 
>	fs/ubifs/orphan.c:231 ubifs_delete_orphan()
>	warn: 'orph' was already freed.
> 
> fs/ubifs/orphan.c
>   214  void ubifs_delete_orphan(struct ubifs_info *c, ino_t inum)
>   215  {
>   216          struct ubifs_orphan *orph, *child_orph, *tmp_o;
>   217
>   218          spin_lock(&c->orphan_lock);
>   219
>   220          orph = lookup_orphan(c, inum);
>   221          if (!orph) {
>   222                  spin_unlock(&c->orphan_lock);
>   223                  ubifs_err(c, "missing orphan ino %lu", (unsigned
>   long)inum);
>   224                  dump_stack();
>   225
>   226                  return;
>   227          }
>   228
>   229          orphan_delete(c, orph);
>                                 ^^^^
> The "orph" pointer is sometimes free in orphan_delete().
> 
>   230
>   231          list_for_each_entry_safe(child_orph, tmp_o, &orph->child_list,
>   child_list) {
>                                                             ^^^^
> use after free?
> 
>   232                  list_del(&child_orph->child_list);
>   233                  orphan_delete(c, child_orph);
>   234          }
>   235
>   236          spin_unlock(&c->orphan_lock);
>   237  }

Thanks a lot for the heads up.
This commit is not ready yet and will be replaced with a newer version.

Thanks,
//richard

______________________________________________________
Linux MTD discussion mailing list
http://lists.infradead.org/mailman/listinfo/linux-mtd/