From: Phillip Lougher
To: linux-kernel@vger.kernel.org, akpm@linux-foundation.org
Cc: hsinyi@chromium.org, regressions@leemhuis.info, regressions@lists.linux.dev, dimitri.ledkov@canonical.com, michael.vogt@canonical.com, phillip.lougher@gmail.com, ogra@ubuntu.com, olivier.tilloy@canonical.com, Phillip Lougher, stable@vger.kernel.org
Subject: [PATCH 3/3] squashfs: fix buffer release race condition in readahead code
Date: Thu, 20 Oct 2022 23:36:16 +0100
Message-Id: <20221020223616.7571-4-phillip@squashfs.org.uk>
In-Reply-To: <20221020223616.7571-1-phillip@squashfs.org.uk>
References: <20221020223616.7571-1-phillip@squashfs.org.uk>

Fix a buffer release race condition, where the error value was used
after release.

Fixes: b09a7a036d20 ("squashfs: support reading fragments in readahead call")
Cc:
Signed-off-by: Phillip Lougher
--- fs/squashfs/file.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/fs/squashfs/file.c b/fs/squashfs/file.c index f0afd4d6fd30..8ba8c4c50770 100644 --- a/fs/squashfs/file.c +++ b/fs/squashfs/file.c
@@ -506,8 +506,9 @@ static int squashfs_readahead_fragment(struct page **page, squashfs_i(inode)->fragment_size); struct squashfs_sb_info *msblk = inode->i_sb->s_fs_info; unsigned int n, mask = (1 << (msblk->block_log - PAGE_SHIFT)) - 1; + int error = buffer->error; - if (buffer->error) + if (error) goto out; expected += squashfs_i(inode)->fragment_offset; @@ -529,7 +530,7 @@ static int squashfs_readahead_fragment(struct page **page, out: squashfs_cache_put(buffer); - return buffer->error; + return error; } static void squashfs_readahead(struct readahead_control *ractl) -- 2.35.1
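
Review bot: in the second hunk, nothing at the out: label records why the return value must not be read from the buffer once squashfs_cache_put(buffer) has run, so a later cleanup could easily reintroduce "return buffer->error;". A one-line comment above squashfs_cache_put(buffer) saying that buffer must not be dereferenced after the put, plus a sentence in the commit message on what can happen to the entry after release, would make the ordering requirement explicit for anyone touching this exit path and for stable backporters.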
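
Review bot: in the first hunk, error is captured once at declaration, so the function can now only return the value buffer->error held on entry, whereas the old "return buffer->error;" re-read the field at exit. Please confirm in the changelog that no code between "if (error) goto out;" and the out: label is expected to report a failure through buffer->error; if that holds, the success path always returns 0 and the message could say so.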