From: Adam Thomas <adamthomas1111@gmail.com>
Date: Sat, 2 Feb 2013 22:35:08 +0000 (+0000)
Subject: UBIFS: fix double free of ubifs_orphan objects
X-Git-Tag: v3.2.40~128
X-Git-Url: http://git.openpandora.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2ff3ae3932b9ca1152c1835f674048c4cd227db7;p=pandora-kernel.git

UBIFS: fix double free of ubifs_orphan objects

commit 8afd500cb52a5d00bab4525dd5a560d199f979b9 upstream.

The last orphan in the dnext list has its dnext set to NULL. Because
of that, ubifs_delete_orphan assumes that it is not on the dnext list
and frees it immediately instead ignoring it as a second delete. The
orphan is later freed again by erase_deleted.

This change adds an explicit flag to ubifs_orphan indicating whether
it is pending delete.

Signed-off-by: Adam Thomas <adamthomas1111@gmail.com>
Signed-off-by: Artem Bityutskiy <artem.bityutskiy@linux.intel.com>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---

Reading git-diff-tree failed