summaryrefslogtreecommitdiff
path: root/fs
diff options
context:
space:
mode:
authorHeiko Schocher <hs@denx.de>2016-04-21 12:16:58 +0200
committerHeiko Schocher <hs@denx.de>2016-04-22 11:48:17 +0200
commitb1d6590d357bde2332cb699e2fd2efc7a7c64f38 (patch)
treed89dec92ed7ba1ce5c3ece8fb12f7298d44f927c /fs
parent68fc449033732e7eb2aa022f9ef1b292f6871b8c (diff)
downloadu-boot-imx-b1d6590d357bde2332cb699e2fd2efc7a7c64f38.zip
u-boot-imx-b1d6590d357bde2332cb699e2fd2efc7a7c64f38.tar.gz
u-boot-imx-b1d6590d357bde2332cb699e2fd2efc7a7c64f38.tar.bz2
ubifs: fix memory corruption in super.c
In list "super_blocks" ubifs collects allocated super_block structs. U-Boot frees on unmount the allocated struct, so the pointer stored in this list is free after the umount. On a new ubifs mount, the new allocated super_block struct get inserted into the super_blocks list ... which contains now a freed pointer, and the list_add_tail() corrupts the freed memory ... 2 solutions are possible: - remove the super_block from the super_blocks list on umount - as U-Boot does not use the super_blocks list ... remove it complete for U-Boot. Both solutions should not introduce problems for porting to newer linux version, so this patch removes the unused super_blocks list, as it saves code size and execution time. Signed-off-by: Heiko Schocher <hs@denx.de>
Diffstat (limited to 'fs')
-rw-r--r--fs/ubifs/super.c3
1 files changed, 1 insertions, 2 deletions
diff --git a/fs/ubifs/super.c b/fs/ubifs/super.c
index dcf3a47..effa8d9 100644
--- a/fs/ubifs/super.c
+++ b/fs/ubifs/super.c
@@ -48,7 +48,6 @@ struct vfsmount;
#define INODE_LOCKED_MAX 64
struct super_block *ubifs_sb;
-LIST_HEAD(super_blocks);
static struct inode *inodes_locked_down[INODE_LOCKED_MAX];
@@ -2425,10 +2424,10 @@ retry:
s->s_type = type;
#ifndef __UBOOT__
strlcpy(s->s_id, type->name, sizeof(s->s_id));
+ list_add_tail(&s->s_list, &super_blocks);
#else
strncpy(s->s_id, type->name, sizeof(s->s_id));
#endif
- list_add_tail(&s->s_list, &super_blocks);
hlist_add_head(&s->s_instances, &type->fs_supers);
#ifndef __UBOOT__
spin_unlock(&sb_lock);