ubifs: fix memory corruption in super.c

In list "super_blocks" ubifs collects allocated super_block
structs. U-Boot frees on unmount the allocated struct,
so the pointer stored in this list is free after the umount.
On a new ubifs mount, the new allocated super_block struct
get inserted into the super_blocks list ... which contains
now a freed pointer, and the list_add_tail() corrupts the
freed memory ...

2 solutions are possible:
- remove the super_block from the super_blocks list
  on umount

- as U-Boot does not use the super_blocks list ...
  remove it complete for U-Boot.

Both solutions should not introduce problems for porting
to newer linux version, so this patch removes the unused
super_blocks list, as it saves code size and execution
time.

Signed-off-by: Heiko Schocher <hs@denx.de>

1 files changed, 1 insertions, 2 deletions

diff --git a/fs/ubifs/super.c b/fs/ubifs/super.c
index dcf3a47..effa8d9 100644
--- a/fs/ubifs/super.c
+++ b/fs/ubifs/super.c
@@ -48,7 +48,6 @@ struct vfsmount;
 #define INODE_LOCKED_MAX	64
 
 struct super_block *ubifs_sb;
-LIST_HEAD(super_blocks);
 
 static struct inode *inodes_locked_down[INODE_LOCKED_MAX];
 
@@ -2425,10 +2424,10 @@ retry:
 	s->s_type = type;
 #ifndef __UBOOT__
 	strlcpy(s->s_id, type->name, sizeof(s->s_id));
+	list_add_tail(&s->s_list, &super_blocks);
 #else
 	strncpy(s->s_id, type->name, sizeof(s->s_id));
 #endif
-	list_add_tail(&s->s_list, &super_blocks);
 	hlist_add_head(&s->s_instances, &type->fs_supers);
 #ifndef __UBOOT__
 	spin_unlock(&sb_lock);