[PATCH] ubi: fastmap: fix slab corruption
Rabin Vincent
rabin.vincent at axis.com
Mon Mar 20 08:20:48 PDT 2017
On Mon, Mar 20, 2017 at 04:17:06PM +0100, Rabin Vincent wrote:
> /**
> * ubi_scan_fastmap - scan the fastmap.
> * @ubi: UBI device object
> @@ -847,7 +865,7 @@ int ubi_scan_fastmap(struct ubi_device *ubi, struct ubi_attach_info *ai,
> struct ubi_vid_hdr *vh;
> struct ubi_ec_hdr *ech;
> struct ubi_fastmap_layout *fm;
> - struct ubi_ainf_peb *tmp_aeb, *aeb;
> + struct ubi_ainf_peb *aeb;
> int i, used_blocks, pnum, fm_anchor, ret = 0;
> size_t fm_size;
> __be32 crc, tmp_crc;
> @@ -857,9 +875,18 @@ int ubi_scan_fastmap(struct ubi_device *ubi, struct ubi_attach_info *ai,
> if (fm_anchor < 0)
> return UBI_NO_FASTMAP;
>
> - /* Move all (possible) fastmap blocks into our new attach structure. */
> - list_for_each_entry_safe(aeb, tmp_aeb, &scan_ai->fastmap, u.list)
> - list_move_tail(&aeb->u.list, &ai->fastmap);
> + /* Copy all (possible) fastmap blocks into our new attach structure. */
> + list_for_each_entry(aeb, &scan_ai->fastmap, u.list) {
> + struct ubi_ainf_peb *new;
> +
> + new = clone_aeb(ai, aeb);
> + if (!new) {
> + ret = -ENOMEM;
> + goto out;
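Review bot: In the `if (!new)` branch of the new copy loop, the -ENOMEM exit leaves any entries cloned in earlier iterations on `ai->fastmap`, and the visible lines do not show who frees them. Please confirm that the caller's teardown of `ai` handles a partially filled list, or unwind the clones here before leaving. Because the loop now copies instead of moving, `scan_ai->fastmap` keeps its original entries as well, so the comment above the loop could say that each attach structure frees its own entries. On the `goto out` itself, the follow-up states that the semaphore has not been taken at this point, so a plain `return -ENOMEM;` fits here.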
I just noticed that this should be just a return instead of a goto out
since we haven't locked the semaphore yet. I'll send a v2 with that
fixed if you think that the rest of the patch looks sane.