summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorBaokun Li <libaokun1@huawei.com>2021-11-15 02:31:43 +0100
committerRichard Weinberger <richard@nod.at>2021-12-23 22:28:23 +0100
commit0d76502172d83e1e09aedbdced3d8be0ef1abcb5 (patch)
treee02cb685339c7435445626520ecd116925833bfa
parentubifs: fix slab-out-of-bounds in ubifs_change_lp (diff)
downloadlinux-0d76502172d83e1e09aedbdced3d8be0ef1abcb5.tar.xz
linux-0d76502172d83e1e09aedbdced3d8be0ef1abcb5.zip
ubifs: fix double return leb in ubifs_garbage_collect
If ubifs_garbage_collect_leb() returns -EAGAIN and enters the "out" branch, ubifs_return_leb will execute twice on the same lnum. This can cause data loss in concurrency situations. Reported-by: Hulk Robot <hulkci@huawei.com> Signed-off-by: Baokun Li <libaokun1@huawei.com> Signed-off-by: Richard Weinberger <richard@nod.at>
-rw-r--r--fs/ubifs/gc.c2
1 files changed, 2 insertions, 0 deletions
diff --git a/fs/ubifs/gc.c b/fs/ubifs/gc.c
index 05e1eeae8457..1f74a127fe3a 100644
--- a/fs/ubifs/gc.c
+++ b/fs/ubifs/gc.c
@@ -758,6 +758,8 @@ int ubifs_garbage_collect(struct ubifs_info *c, int anyway)
err = ubifs_return_leb(c, lp.lnum);
if (err)
ret = err;
+ /* Maybe double return LEB if goto out */
+ lp.lnum = -1;
break;
}
goto out;