From: Minchan Kim <minchan@kernel.org>
To: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: linux-kernel@vger.kernel.org, linux-mm@kvack.org,
	Minchan Kim <minchan@kernel.org>, Nitin Gupta <ngupta@vflare.org>,
	Seth Jennings <sjenning@linux.vnet.ibm.com>,
	Jerome Marchand <jmarchan@redhat.com>
Subject: [PATCH] zram: fix random data read
Date: Fri,  8 Jun 2012 15:39:26 +0900
Message-ID: <1339137567-29656-2-git-send-email-minchan@kernel.org>
In-Reply-To: <1339137567-29656-1-git-send-email-minchan@kernel.org>

fd1a30de introduced a bug: it uses a (struct page *) as zsmalloc's handle
although it's an uncompressed page, so it can access a random page,
return random data or even crash in get_first_page in zs_map_object.

Cc: Nitin Gupta <ngupta@vflare.org>
Cc: Seth Jennings <sjenning@linux.vnet.ibm.com>
Cc: Jerome Marchand <jmarchan@redhat.com>
Signed-off-by: Minchan Kim <minchan@kernel.org>
---
 drivers/staging/zram/zram_drv.c |   15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)

diff --git a/drivers/staging/zram/zram_drv.c b/drivers/staging/zram/zram_drv.c
index abd69d1..0cdc303 100644
--- a/drivers/staging/zram/zram_drv.c
+++ b/drivers/staging/zram/zram_drv.c
@@ -280,26 +280,27 @@ static int zram_read_before_write(struct zram *zram, char *mem, u32 index)
 	size_t clen = PAGE_SIZE;
 	struct zobj_header *zheader;
 	unsigned char *cmem;
+	unsigned long handle = zram->table[index].handle;
 
-	if (zram_test_flag(zram, index, ZRAM_ZERO) ||
-	    !zram->table[index].handle) {
+	if (zram_test_flag(zram, index, ZRAM_ZERO) || !handle) {
 		memset(mem, 0, PAGE_SIZE);
 		return 0;
 	}
 
-	cmem = zs_map_object(zram->mem_pool, zram->table[index].handle);
-
 	/* Page is stored uncompressed since it's incompressible */
 	if (unlikely(zram_test_flag(zram, index, ZRAM_UNCOMPRESSED))) {
-		memcpy(mem, cmem, PAGE_SIZE);
-		kunmap_atomic(cmem);
+		char *src = kmap_atomic((struct page *)handle);
+		memcpy(mem, src, PAGE_SIZE);
+		kunmap_atomic(src);
 		return 0;
 	}
 
+	cmem = zs_map_object(zram->mem_pool, handle);
+
 	ret = lzo1x_decompress_safe(cmem + sizeof(*zheader),
 				    zram->table[index].size,
 				    mem, &clen);
-	zs_unmap_object(zram->mem_pool, zram->table[index].handle);
+	zs_unmap_object(zram->mem_pool, handle);
 
 	/* Should NEVER happen. Return bio error if it does. */
 	if (unlikely(ret != LZO_E_OK)) {
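
Review bot: in the ZRAM_UNCOMPRESSED branch, "kmap_atomic((struct page *)handle)" depends on an undocumented convention that table[index].handle holds a struct page pointer when that flag is set and a zsmalloc handle otherwise. The only thing separating the two interpretations is the order of the flag test and the zs_map_object() call, which is what went wrong in the removed lines. Please add a comment at the cast, or a small helper that returns the page for an uncompressed slot, so a later caller does not pass this value to zs_map_object() again. The changelog also identifies fd1a30de by hash only; adding that commit's subject line, and stating whether the other zs_map_object() callers in zram_drv.c were checked for the same flag ordering, would help, since this single hunk does not show them.
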
-- 
1.7.9.5
