| From: Phillip Lougher <phillip@squashfs.org.uk> |
| Subject: squashfs: fix buffer release race condition in readahead code |
| Date: Thu, 20 Oct 2022 23:36:16 +0100 |
| |
| Fix a buffer release race condition, where the error value was used after |
| release. |
| |
| Link: https://lkml.kernel.org/r/20221020223616.7571-4-phillip@squashfs.org.uk |
| Fixes: b09a7a036d20 ("squashfs: support reading fragments in readahead call") |
| Signed-off-by: Phillip Lougher <phillip@squashfs.org.uk> |
| Tested-by: Bagas Sanjaya <bagasdotme@gmail.com> |
| Reported-by: Marc Miltenberger <marcmiltenberger@gmail.com> |
| Cc: Dimitri John Ledkov <dimitri.ledkov@canonical.com> |
| Cc: Hsin-Yi Wang <hsinyi@chromium.org> |
| Cc: Mirsad Goran Todorovac <mirsad.todorovac@alu.unizg.hr> |
| Cc: Slade Watkins <srw@sladewatkins.net> |
| Cc: Thorsten Leemhuis <regressions@leemhuis.info> |
| Cc: <stable@vger.kernel.org> |
| Signed-off-by: Andrew Morton <akpm@linux-foundation.org> |
| --- |
| |
| |
| --- a/fs/squashfs/file.c~squashfs-fix-buffer-release-race-condition-in-readahead-code |
| +++ a/fs/squashfs/file.c |
| @@ -506,8 +506,9 @@ static int squashfs_readahead_fragment(s |
| squashfs_i(inode)->fragment_size); |
| struct squashfs_sb_info *msblk = inode->i_sb->s_fs_info; |
| unsigned int n, mask = (1 << (msblk->block_log - PAGE_SHIFT)) - 1; |
| + int error = buffer->error; |
| |
| - if (buffer->error) |
| + if (error) |
| goto out; |
| |
| expected += squashfs_i(inode)->fragment_offset; |
| @@ -529,7 +530,7 @@ static int squashfs_readahead_fragment(s |
| |
| out: |
| squashfs_cache_put(buffer); |
| - return buffer->error; |
| + return error; |
| } |
| |
| static void squashfs_readahead(struct readahead_control *ractl) |
| _ |
