From 815eb8c46611b334b96ea8033359cf332a65e775 Mon Sep 17 00:00:00 2001
From: Kent Overstreet
Date: Fri, 16 Sep 2016 07:16:51 -0800
Subject: bcache: Fix a use after free in the gzip code the zlib api is hateful
---
 drivers/md/bcache/compress.c | 20 ++++++++++++--------
 1 file changed, 12 insertions(+), 8 deletions(-)
diff --git a/drivers/md/bcache/compress.c b/drivers/md/bcache/compress.c
index 048ef7581b23..a4f30bc32e64 100644
--- a/drivers/md/bcache/compress.c
+++ b/drivers/md/bcache/compress.c
@@ -321,23 +321,27 @@ static struct bio *__bio_compress(struct cache_set *c,
 Z_DEFAULT_STRATEGY);
 ret = zlib_deflate(&strm, Z_FINISH);
-
- if (workspace == c->zlib_workspace)
- mutex_unlock(&c->zlib_workspace_lock);
- else
- kfree(workspace);
-
 if (ret != Z_STREAM_END) {
 ret = -EIO;
- goto err;
+ goto zlib_err;
 }
 ret = zlib_deflateEnd(&strm);
 if (ret != Z_OK) {
 ret = -EIO;
- goto err;
+ goto zlib_err;
 }
+ ret = 0;
+zlib_err:
+ if (workspace == c->zlib_workspace)
+ mutex_unlock(&c->zlib_workspace_lock);
+ else
+ kfree(workspace);
+
+ if (ret)
+ goto err;
+
 BUG_ON(strm.total_in != output_available);
 dst->bi_iter.bi_size = strm.total_out;
-- 
cgit v1.2.3
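Review bot: The `zlib_err:` label is now reached on the success path as well, and nothing in the hunk records why the workspace release has to come after `zlib_deflateEnd(&strm)`, which is the ordering this use-after-free fix depends on. I would add a comment above the label, such as `/* strm keeps using workspace until zlib_deflateEnd() returns; release it only here */`, and rename the label to something neutral like `zlib_done`, so a later cleanup does not hoist the unlock/kfree back above the zlib calls. For the shared `c->zlib_workspace` case the old early `mutex_unlock` presumably also allowed another compressor to reuse the buffer while this stream was still live, which is worth a word in the same comment. `ret = 0;` looks redundant after the `ret != Z_OK` check, since Z_OK is 0. The body of `__bio_compress` starts and ends outside the hunk.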