Re: [RFC PATCH v1 2/8] zram: avoid invalid memory access in zram_exit()
From: Jiang Liu
Date: Tue Jun 04 2013 - 10:28:18 EST
On Tue 04 Jun 2013 05:03:09 PM CST, Minchan Kim wrote:
> On Mon, Jun 03, 2013 at 11:42:14PM +0800, Jiang Liu wrote:
>> Memory for zram->disk object may have already been freed after returning
>> from destroy_device(zram), then it's unsafe for zram_reset_device(zram)
>> to access zram->disk again.
>>
>> Fix it by holding an extra reference to zram->disk before calling
>> destroy_device(zram).
>>
>> Signed-off-by: Jiang Liu <jiang.liu@xxxxxxxxxx>
>> ---
>> drivers/staging/zram/zram_drv.c | 2 ++
>> 1 file changed, 2 insertions(+)
>>
>> diff --git a/drivers/staging/zram/zram_drv.c b/drivers/staging/zram/zram_drv.c
>> index e34e3fe..ee6b67d 100644
>> --- a/drivers/staging/zram/zram_drv.c
>> +++ b/drivers/staging/zram/zram_drv.c
>> @@ -727,8 +727,10 @@ static void __exit zram_exit(void)
>> for (i = 0; i < num_devices; i++) {
>> zram = &zram_devices[i];
>>
>> + get_disk(zram->disk);
>> destroy_device(zram);
>> zram_reset_device(zram);
>> + put_disk(zram->disk);
>
> Can't we simple reverse calling order of above two functions?
>
> zram_reset_device(zram);
> destroy_device(zram);
>
Hi Minchan,
We can't solve this bug by changing the order of the two functions.
If we change the order, it will cause corner cases to zram sysfs
handler,
which will be hard to solve too.
Regards!
Gerry
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/