ubifs: fix double return leb in ubifs_garbage_collect

If ubifs_garbage_collect_leb() returns -EAGAIN and enters the "out"
branch, ubifs_return_leb will execute twice on the same lnum. This
can cause data loss in concurrency situations.

Reported-by: Hulk Robot <hulkci@huawei.com>
Signed-off-by: Baokun Li <libaokun1@huawei.com>
Signed-off-by: Richard Weinberger <richard@nod.at>

diff --git a/fs/ubifs/gc.c b/fs/ubifs/gc.c
index 05e1eea..1f74a12 100644 (file)
--- a/fs/ubifs/gc.c
+++ b/fs/ubifs/gc.c
@@ -758,6 +758,8 @@ int ubifs_garbage_collect(struct ubifs_info *c, int anyway)
                                err = ubifs_return_leb(c, lp.lnum);
                                if (err)
                                        ret = err;
+                               /*  Maybe double return LEB if goto out */
+                               lp.lnum = -1;
                                break;
                        }
                        goto out;