squashfs: fix buffer release race condition in readahead code

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

Fix a buffer release race condition, where the error value was used after
release.

Link: https://lkml.kernel.org/r/20221020223616.7571-4-phillip@squashfs.org.uk
Fixes: b09a7a036d20 ("squashfs: support reading fragments in readahead call")
Signed-off-by: Phillip Lougher <phillip@squashfs.org.uk>
Tested-by: Bagas Sanjaya <bagasdotme@gmail.com>
Reported-by: Marc Miltenberger <marcmiltenberger@gmail.com>
Cc: Dimitri John Ledkov <dimitri.ledkov@canonical.com>
Cc: Hsin-Yi Wang <hsinyi@chromium.org>
Cc: Mirsad Goran Todorovac <mirsad.todorovac@alu.unizg.hr>
Cc: Slade Watkins <srw@sladewatkins.net>
Cc: Thorsten Leemhuis <regressions@leemhuis.info>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>

authored by

Phillip Lougher and committed by

Andrew Morton 3 years ago e11c4e08 c9199de8

+3 -2

1 changed file

expand all

squashfs

file.c

+3 -2

fs/squashfs/file.c

··· 506 506 squashfs_i(inode)->fragment_size); 507 507 struct squashfs_sb_info *msblk = inode->i_sb->s_fs_info; 508 508 unsigned int n, mask = (1 << (msblk->block_log - PAGE_SHIFT)) - 1; 509 + int error = buffer->error; 509 510 510 - if (buffer->error) 511 + if (error) 511 512 goto out; 512 513 513 514 expected += squashfs_i(inode)->fragment_offset; ··· 530 529 531 530 out: 532 531 squashfs_cache_put(buffer); 533 - return buffer->error; 532 + return error; 534 533 } 535 534 536 535 static void squashfs_readahead(struct readahead_control *ractl)