UBIFS: a pair of orphan bugs

Adam Thomas adamthomas1111 at gmail.com
Sun Jan 27 20:28:31 EST 2013


Hello linux-mtd,

I recently encountered some UBIFS inconsistencies and tracked them back
to a pair of bugs in orphan delete. There is an assumption in
ubifs_delete_orphan that if the orphan cnext is NULL then it is not on
the cnext list, but that is incorrect for the last orphan on the cnext
list, which results in modifying freed memory. The same assumption is
made for the dnext list, which results in a double free. I am
including two patches that fix these issues by adding flags to
ubifs_orphan for pending commit and pending delete that are used
instead of checking cnext and dnext.

The cnext bug specifically was the cause of the inconsistencies I
encountered and is easy to reproduce. For example, repeatedly
untarring a root filesystem tarball and then removing those files
almost always results in inconsistencies in around 10 iterations. I do
not have a repro case for the dnext bug; I discovered that one due to
its similarity to the cnext list.

Thanks,
-Adam


