From: Sergey Senozhatsky <sergey.senozhatsky.work@gmail.com>
To: Jerome Marchand <jmarchan@redhat.com>
Cc: Minchan Kim <minchan@kernel.org>,
Andrew Morton <akpm@linux-foundation.org>,
Sergey Senozhatsky <sergey.senozhatsky.work@gmail.com>,
Sergey Senozhatsky <sergey.senozhatsky@gmail.com>,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH] zram: don't call idr_remove() from zram_remove()
Date: Fri, 15 Jan 2016 09:43:17 +0900
Message-ID: <20160115004317.GA1993@swordfish>
In-Reply-To: <1452776627-21662-1-git-send-email-jmarchan@redhat.com>

Cc Andrew

On (01/14/16 14:03), Jerome Marchand wrote:
> The use of idr_remove() is forbidden in the callback functions of
> idr_for_each(). It is therefore unsafe to call idr_remove in
> zram_remove().
> This patch moves the call to idr_remove() from zram_remove() to
> hot_remove_store(). In the destroy_devices() path, idrs are removed by
> idr_destroy().
> This solves a use-after-free detected by KASan.

thanks, good catch! wow, I must be blind or stupid, or both.

Acked-by: Sergey Senozhatsky <sergey.senozhatsky@gmail.com>

a nano nitpick to add curly braces in the else clause.
but, what is more important, may I please ask you to add -stable [4.2+]

> Signed-off-by: Jerome Marchand <jmarchan@redhat.com>
+ Cc: <stable@vger.kernel.org>

and to resend the patch?

idr added in 4.2
https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/tree/drivers/block/zram/zram_drv.c?id=refs/tags/v4.2

	-ss

> ---
> drivers/block/zram/zram_drv.c | 6 +++---
> 1 file changed, 3 insertions(+), 3 deletions(-)
>
> diff --git a/drivers/block/zram/zram_drv.c b/drivers/block/zram/zram_drv.c
> index 47915d7..5e86e1d 100644
> --- a/drivers/block/zram/zram_drv.c
> +++ b/drivers/block/zram/zram_drv.c
> @@ -1325,7 +1325,6 @@ static int zram_remove(struct zram *zram)
>
> pr_info("Removed device: %s\n", zram->disk->disk_name);
>
> - idr_remove(&zram_index_idr, zram->disk->first_minor);
> blk_cleanup_queue(zram->disk->queue);
> del_gendisk(zram->disk);
> put_disk(zram->disk);
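Review bot: With the idr_remove() line gone, zram_remove() still tears the disk down (del_gendisk(), put_disk()) but leaves the id resolvable in zram_index_idr, and nothing in the function says so. A short comment above zram_remove() stating that the caller must drop the idr entry itself (idr_remove() in the hot-remove path, idr_destroy() in the destroy path, as the commit message describes) would keep a future caller from leaving a stale pointer behind that a later idr_find() could hand out.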
> @@ -1367,9 +1366,10 @@ static ssize_t hot_remove_store(struct class *class,
> mutex_lock(&zram_index_mutex);
>
> zram = idr_find(&zram_index_idr, dev_id);
> - if (zram)
> + if (zram) {
> ret = zram_remove(zram);
> - else
> + idr_remove(&zram_index_idr, dev_id);
+ } else {
> ret = -ENODEV;
+ }
> mutex_unlock(&zram_index_mutex);
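Review bot: In hot_remove_store(), idr_remove(&zram_index_idr, dev_id) runs unconditionally after ret = zram_remove(zram), even though zram_remove() returns int and its result is kept in ret. If zram_remove() returns an error without tearing the device down, the id is dropped while the device still exists, so it can no longer be found through idr_find() and the id can be handed out again. Suggest guarding the call: "if (!ret) idr_remove(&zram_index_idr, dev_id);".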
> --
> 2.5.0
>
Thread overview: 4+ messages
2016-01-14 13:03 [PATCH] zram: don't call idr_remove() from zram_remove() Jerome Marchand
2016-01-15 0:43 ` Sergey Senozhatsky [this message]
2016-01-15 1:25 ` Sergey Senozhatsky
2016-01-15 2:59 ` Minchan Kim