fs: ubifs: Fix memleak and double free in u-boot wrapper functions

When mounting ubifs e.g. through command 'ubifsmount' one global static
superblock 'ubifs_sb' is used _and_ the requested volume is opened (like
in Linux).  The pointer returned by 'ubifs_open_volume()' is stored in
that superblock struct and freed later on cmd 'ubifsumount' or another
call to 'ubifsmount' with a different volume, through ubifs_umount() and
ubi_close_volume().

In ubifs_ls(), ubifs_exists(), ubifs_size(), and ubifs_read() the volume
was opened again, which is technically no problem with regard to
refcounting, but here the still valid pointer in sb was overwritten,
leading to a memory leak.  Even worse, when using one of those
functions and calling ubifsumount later, ubi_close_volume() was called
again but now on an already freed pointer, leading to a double free.
This actually crashed with different invalid memory accesses on a board
using the old distro boot and a rather long script handling RAUC
updates.

Example:

    > ubi part UBI
    > ubifsmount ubi0:boot
    > test -e ubi ubi0:boot /boot.scr.uimg
    > ubifsumount

The ubifs specific commands 'ubifsls' and 'ubifsload' check for a
mounted volume by themselves, for the generic fs variants 'ls', 'load',
(and 'size', and 'test -e') this is covered by special ubifs handling in
fs_set_blk_dev() and deeper down blk_get_device_part_str() then.  So for
ubifs_ls(), ubifs_exists(), ubifs_size(), and ubifs_read() we can be
sure the volume is opened and the necessary struct pointer in sb is
valid, so it is not needed to open volume again.

Fixes: 9eefe2a2b37 ("UBIFS: Implement read-only UBIFS support in U-Boot")
Fixes: 29cc5bcadfc ("ubifs: Add functions for generic fs use")
Signed-off-by: Alexander Dahl <ada@thorsis.com>

0 files changed, 0 insertions, 0 deletions