UBIFS: fix use of freed ubifs_orphan objects
[karo-tx-linux.git] / fs / ubifs / orphan.c
index 769701ccb5c9bf5809a3f09b17ade8397a4dbfb2..8534d9c6492f064d4579b3854fa1352cb0dd8eb0 100644 (file)
@@ -132,7 +132,7 @@ void ubifs_delete_orphan(struct ubifs_info *c, ino_t inum)
                                        (unsigned long)inum);
                                return;
                        }
-                       if (o->cnext) {
+                       if (o->cmt) {
                                o->dnext = c->orph_dnext;
                                c->orph_dnext = o;
                                spin_unlock(&c->orphan_lock);
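Review bot: The deferred-delete list built at `o->dnext = c->orph_dnext; c->orph_dnext = o;` has the same shape as the cnext list this commit stops trusting as a flag. With head insertion, the first orphan queued gets `dnext == NULL` whenever the list was empty. If code above this hunk (not visible here) tests `o->dnext` to detect an orphan already queued for deletion, it would miss that entry, and a repeated delete could queue it twice, risking a double free when the list is drained. A dedicated flag set next to the push and checked instead of the pointer, for example a new bit `o->del = 1;`, would close this the way `cmt` does for cnext. The body of ubifs_delete_orphan starts and ends outside the hunk.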
@@ -172,7 +172,9 @@ int ubifs_orphan_start_commit(struct ubifs_info *c)
        last = &c->orph_cnext;
        list_for_each_entry(orphan, &c->orph_new, new_list) {
                ubifs_assert(orphan->new);
+               ubifs_assert(!orphan->cmt);
                orphan->new = 0;
+               orphan->cmt = 1;
                *last = orphan;
                last = &orphan->cnext;
        }
@@ -299,7 +301,9 @@ static int write_orph_node(struct ubifs_info *c, int atomic)
        cnext = c->orph_cnext;
        for (i = 0; i < cnt; i++) {
                orphan = cnext;
+               ubifs_assert(orphan->cmt);
                orph->inos[i] = cpu_to_le64(orphan->inum);
+               orphan->cmt = 0;
                cnext = orphan->cnext;
                orphan->cnext = NULL;
        }
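Review bot: Clearing `orphan->cmt = 0;` before the following `cnext = orphan->cnext; orphan->cnext = NULL;` is only safe if the whole loop runs with `c->orphan_lock` held. Once the flag is clear, ubifs_delete_orphan no longer defers the orphan and takes its immediate-removal path. The lock acquisition is not visible in this hunk, so the dependency should be stated above the loop, e.g. `/* orphan_lock must be held: once cmt is cleared, ubifs_delete_orphan() may free the orphan */`. The rest of write_orph_node lies outside the hunk.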
@@ -378,6 +382,7 @@ static int consolidate(struct ubifs_info *c)
                list_for_each_entry(orphan, &c->orph_list, list) {
                        if (orphan->new)
                                continue;
+                       orphan->cmt = 1;
                        *last = orphan;
                        last = &orphan->cnext;
                        cnt += 1;
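Review bot: `orphan->cmt = 1;` is set here without the `ubifs_assert(!orphan->cmt)` that precedes the same assignment in ubifs_orphan_start_commit, and nothing explains the difference. This loop walks `c->orph_list` and skips only `new` entries, so it presumably re-links orphans that the commit start already marked, which would make the assert wrong here. A short comment would stop someone from adding it later for symmetry, e.g. `/* cmt may already be set; the cnext list is rebuilt from every non-new orphan */`. The loop and the rest of consolidate() continue past the end of the hunk.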