2 files changed, 68 insertions, 4 deletions
diff --git a/main/squashfs-tools/0001-mksquashfs-fix-rare-race-in-fragment-waiting-in-file.patch b/main/squashfs-tools/0001-mksquashfs-fix-rare-race-in-fragment-waiting-in-file.patch
new file mode 100644
index 0000000000..51f5888186
--- /dev/null
+++ b/main/squashfs-tools/0001-mksquashfs-fix-rare-race-in-fragment-waiting-in-file.patch
@@ -0,0 +1,60 @@
+From de03266983ceb62e5365aac84fcd3b2fd4d16e6f Mon Sep 17 00:00:00 2001
+From: Phillip Lougher <phillip@squashfs.org.uk>
+Date: Thu, 18 Sep 2014 01:28:11 +0100
+Subject: [PATCH] mksquashfs: fix rare race in fragment waiting in filesystem
+ finalisation
+
+Fix a rare race condition in fragment waiting when finalising the
+filesystem.  This is a race condition that was initially fixed in 2009,
+but inadvertantly re-introduced in the latest release when the code
+was rewritten.
+
+Background:
+
+When finalising the filesystem, the main control thread needs to ensure
+all the in-flight fragments have been queued to the writer thread before
+asking the writer thread to finish, and then writing the metadata.
+
+It does this by waiting on the fragments_outstanding counter.  Once this
+counter reaches 0, it synchronises with the writer thread, waiting until
+the writer thread reports no outstanding data to be written.
+
+However, the main thread can race with the fragment deflator thread(s)
+because the fragment deflator thread(s) decrement the fragments_outstanding
+counter and release the mutex before queueing the compressed fragment
+to the writer thread, i.e. the offending code is:
+
+                        fragments_outstanding --;
+                        pthread_mutex_unlock(&fragment_mutex);
+                        queue_put(to_writer, write_buffer);
+
+In extremely rare circumstances, the main thread may see the
+fragments_outstanding counter is zero before the fragment
+deflator sends the fragment buffer to the writer thread, and synchronise
+with the writer thread, and finalise before the fragment has been written.
+
+The fix is to ensure the fragment is queued to the writer thread
+before releasing the mutex.
+
+Signed-off-by: Phillip Lougher <phillip@squashfs.org.uk>
+---
+ squashfs-tools/mksquashfs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/squashfs-tools/mksquashfs.c b/squashfs-tools/mksquashfs.c
+index 87b7d86..f1fcff1 100644
+--- a/squashfs-tools/mksquashfs.c
++++ b/squashfs-tools/mksquashfs.c
+@@ -2419,8 +2419,8 @@ void *frag_deflator(void *arg)
+ 			write_buffer->block = bytes;
+ 			bytes += compressed_size;
+ 			fragments_outstanding --;
+-			pthread_mutex_unlock(&fragment_mutex);
+ 			queue_put(to_writer, write_buffer);
++			pthread_mutex_unlock(&fragment_mutex);
+ 			TRACE("Writing fragment %lld, uncompressed size %d, "
+ 				"compressed size %d\n", file_buffer->block,
+ 				file_buffer->size, compressed_size);
+-- 
+2.10.2
+
diff --git a/main/squashfs-tools/APKBUILD b/main/squashfs-tools/APKBUILD
index 366c4eace7..ba07a64be4 100644
--- a/main/squashfs-tools/APKBUILD
+++ b/main/squashfs-tools/APKBUILD
@@ -1,7 +1,7 @@
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=squashfs-tools
 pkgver=4.3
-pkgrel=2
+pkgrel=3
 pkgdesc="Tools for squashfs, a highly compressed read-only filesystem for Linux."
 url="http://squashfs.sourceforge.net"
 arch="all"
@@ -12,6 +12,7 @@ source="http://downloads.sourceforge.net/sourceforge/squashfs/squashfs$pkgver.ta
 	fix-compat.patch
 	vla-overlow.patch
 	CVE-2015-4645.patch
+	0001-mksquashfs-fix-rare-race-in-fragment-waiting-in-file.patch
 "
 
 _builddir="$srcdir/squashfs$pkgver/$pkgname"
@@ -38,12 +39,15 @@ package() {
 md5sums="d92ab59aabf5173f2a59089531e30dbf  squashfs4.3.tar.gz
 1bb2bed6830d32b76f1ca1b6c0349fcd  fix-compat.patch
 d34cb53db691f0fb58425bb5ab30f6d4  vla-overlow.patch
-c475b848e0c2e2b2eef3ddf2e3c23803  CVE-2015-4645.patch"
+c475b848e0c2e2b2eef3ddf2e3c23803  CVE-2015-4645.patch
+4434a07ea1607bf93178b9cbb73e15fb  0001-mksquashfs-fix-rare-race-in-fragment-waiting-in-file.patch"
 sha256sums="0d605512437b1eb800b4736791559295ee5f60177e102e4d4ccd0ee241a5f3f6  squashfs4.3.tar.gz
 249d10b4df7921fae5e0ab4c1f44f3346229f16851240d61a24e85006ed886e6  fix-compat.patch
 213f3f23576c99099305f717a279507913ab2b8df4dd8f502153e73b2d0a9df5  vla-overlow.patch
-ff71a62a435a9089b0fc95280aa3a8310b131653d37e55eed10a0f7d0100359b  CVE-2015-4645.patch"
+ff71a62a435a9089b0fc95280aa3a8310b131653d37e55eed10a0f7d0100359b  CVE-2015-4645.patch
+4075a51f2e46c539a4184c832590a166ef60951f06a8b53652b2ebf2e2c62a01  0001-mksquashfs-fix-rare-race-in-fragment-waiting-in-file.patch"
 sha512sums="854ed7acc99920f24ecf11e0da807e5a2a162eeda55db971aba63a03f0da2c13b20ec0564a906c4b0e415bd8258b273a10208c7abc0704f2ceea773aa6148a79  squashfs4.3.tar.gz
 868e3923f98a7f8bb980fe8ab0d648e9ae9a55e324bea3830d6047aa348a4302dcb96d65bf59c6e04665891d822e18fad367a37c6704505b8492f64d749fc140  fix-compat.patch
 975d09d047f4122866e83c4322ce3a15795c051b850d14a85a615c3beef970378e5a620ee16058b9c5104c53f973f9b3804d96c3ba1ab4f622f1e096c04e0360  vla-overlow.patch
-77431a0a4a529ce63f1613a65a23af2fb8683a16d14ad1a5cfed3a9fac4df6a1212f081d1879ede188a25b77e860445058012131423c546657fb562069865d2c  CVE-2015-4645.patch"
+77431a0a4a529ce63f1613a65a23af2fb8683a16d14ad1a5cfed3a9fac4df6a1212f081d1879ede188a25b77e860445058012131423c546657fb562069865d2c  CVE-2015-4645.patch
+1b2338a448ec8a2b75880ddc8c13f99392451847ab26277e1bc82b49a3a804796934e212dd1ba54a502940537a61891ee0103e913d0bda65cff0ca2827b8b41c  0001-mksquashfs-fix-rare-race-in-fragment-waiting-in-file.patch"