authorAlexander Dahl <ada@thorsis.com>2024-07-03 12:12:56 +0200
committerHeiko Schocher <hs@denx.de>2024-08-10 11:54:10 +0200
commit573dae50f5fe2c84ff8329bd8dbf54d234952579 (patch)
tree50b39c6e88e7e4869584d83d91294dcb0af3ad01 /fs/ubifs
parentdf86e81f0a0fdcf958160e6fe3044f69a78df638 (diff)
downloadu-boot-573dae50f5fe2c84ff8329bd8dbf54d234952579.tar.gz
u-boot-573dae50f5fe2c84ff8329bd8dbf54d234952579.tar.bz2
u-boot-573dae50f5fe2c84ff8329bd8dbf54d234952579.zip
fs: ubifs: Set pointers to NULL after free
Global superblock pointer 'ubifs_sb' and volume pointer 'ubi' of type struct ubi_volume_desc in private member sb->s_fs_info of type struct ubifs_info, can be allocated and freed at runtime, and allocated and freed again, depending on which console or script commands are run. In some cases ubifs_sb is even tested to determine if the filesystem is mounted.

Reset those pointers to NULL after free to clearly mark them as not valid. This avoids potential double free on invalid pointers.

(The ubifs_sb pointer was already reset, but that statement was moved now to directly after the free() to make it easier to understand.)

Signed-off-by: Alexander Dahl <ada@thorsis.com>
Diffstat (limited to 'fs/ubifs')
-rw-r--r--fs/ubifs/super.c4
-rw-r--r--fs/ubifs/ubifs.c1
2 files changed, 4 insertions, 1 deletions
diff --git a/fs/ubifs/super.c b/fs/ubifs/super.c
index d8d78a2d3d..bbbbeb5ee1 100644
--- a/fs/ubifs/super.c
+++ b/fs/ubifs/super.c
@@ -1758,11 +1758,13 @@ void ubifs_umount(struct ubifs_info *c)
ubifs_debugging_exit(c);
#ifdef __UBOOT__
ubi_close_volume(c->ubi);
+ c->ubi = NULL;
mutex_unlock(&c->umount_mutex);
/* Finally free U-Boot's global copy of superblock */
if (ubifs_sb != NULL) {
free(ubifs_sb->s_fs_info);
free(ubifs_sb);
+ ubifs_sb = NULL;
}
#endif
}
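Review bot: Clearing `c->ubi` after `ubi_close_volume(c->ubi)` only helps if a later caller checks the pointer before closing again, and none of the three sites (here in ubifs_umount, in ubifs_put_super, and on the out_close error path) adds such a check. Whether ubi_close_volume() tolerates NULL is not visible in this diff; if it does not, a repeated close becomes a NULL dereference instead of a use of a stale pointer, and that may go unnoticed on boards where address 0 is readable. Consider guarding the call, e.g. `if (c->ubi) { ubi_close_volume(c->ubi); c->ubi = NULL; }`. In this hunk, when `c` is `ubifs_sb->s_fs_info` (as in the uboot_ubifs_umount caller), the struct holding `c->ubi` is itself released by `free(ubifs_sb->s_fs_info)` a few lines later, so the reset is short-lived; a comment such as `/* c is freed below; callers must not use it after return */` would make that explicit. ubifs_umount's body begins outside the hunk.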
@@ -2061,6 +2063,7 @@ static void ubifs_put_super(struct super_block *sb)
#ifndef __UBOOT__
bdi_destroy(&c->bdi);
ubi_close_volume(c->ubi);
+ c->ubi = NULL;
mutex_unlock(&c->umount_mutex);
#endif
}
@@ -2340,6 +2343,7 @@ out_bdi:
out_close:
#endif
ubi_close_volume(c->ubi);
+ c->ubi = NULL;
out:
return err;
}
diff --git a/fs/ubifs/ubifs.c b/fs/ubifs/ubifs.c
index 61ae5580e6..6ed9318f73 100644
--- a/fs/ubifs/ubifs.c
+++ b/fs/ubifs/ubifs.c
@@ -976,6 +976,5 @@ void uboot_ubifs_umount(void)
printf("Unmounting UBIFS volume %s!\n",
((struct ubifs_info *)(ubifs_sb->s_fs_info))->vi.name);
ubifs_umount(ubifs_sb->s_fs_info);
- ubifs_sb = NULL;
}
}