From: Minchan Kim <minchan@kernel.org>
To: wang wei <a929244872@163.com>
Cc: richardycc@google.com, akpm@linux-foundation.org,
axboe@kernel.dk, bgeffon@google.com, linux-block@vger.kernel.org,
linux-kernel@vger.kernel.org, linux-mm@kvack.org,
liumartin@google.com, senozhatsky@chromium.org,
stable@vger.kernel.org
Subject: Re: [PATCH] Re:[PATCH v3] zram: fix use-after-free in zram_writeback_endio
Date: Thu, 14 May 2026 15:02:37 -0700
Message-ID: <agZGfRoVRPKW3LEU@google.com>
In-Reply-To: <20260513140218.7425-1-a929244872@163.com>

On Wed, May 13, 2026 at 10:02:18PM +0800, wang wei wrote:
> >@@ -847,7 +849,7 @@ static void release_wb_ctl(struct zram_wb_ctl *wb_ctl)
> > release_wb_req(req);
> > }
> >
> >- kfree(wb_ctl);
> >+ kfree_rcu(wb_ctl, rcu);
> > }
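Review bot: the kfree_rcu(wb_ctl, rcu) that replaces kfree(wb_ctl) at the end of release_wb_ctl() carries no comment naming the reader the grace period is meant to outlive, so the reason for the deferred free is not discoverable from the code. A one-line comment above the call pointing at the completion path (zram_writeback_endio, per the subject line) would document it. The call also depends on two things this hunk does not show: struct zram_wb_ctl needs a struct rcu_head member named rcu, and the completion path has to touch wb_ctl only inside an RCU read-side critical section, since kfree_rcu() defers the free only past readers that are inside one. Both should be confirmed against the rest of the patch.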
>
> Do we need to add a 'rcu_assign_pointer(wb_ctl, NULL);' before 'kfree_rcu(wb_ctl, rcu)'?
>
> Signed-off-by: wang wei <a929244872@163.com>

Why do we need it?

My understanding is rcu_assign_pointer() is typically used to publish NULL to
a shared pointer variable so that future RCU readers (using rcu_dereference)
won't access the object before kfree_rcu().

However, in our case, wb_ctl is not stored in any shared pointer variable.
It is a local variable in writeback_store() and RCU readers (zram_writeback_endio)
do not look up wb_ctl from a shared pointer. They obtain it directly from
bio->bi_private of the specific bio they are completing.

Please let me know if I missed anything.

Thread overview: 14+ messages
2026-05-04 12:32 [PATCH] zram: fix use-after-free in zram_writeback_endio Richard Chang
2026-05-05 3:25 ` Sergey Senozhatsky
2026-05-05 16:37 ` Minchan Kim
2026-05-07 9:40 ` Sergey Senozhatsky
2026-05-07 22:56 ` Minchan Kim
2026-05-07 23:38 ` Minchan Kim
2026-05-08 2:40 ` Sergey Senozhatsky
2026-05-08 8:49 ` [PATCH v2] " Richard Chang
2026-05-08 21:16 ` Minchan Kim
2026-05-09 2:18 ` Sergey Senozhatsky
2026-05-12 7:49 ` [PATCH v3] " Richard Chang
2026-05-13 14:02 ` [PATCH] " wang wei
2026-05-14 22:02 ` Minchan Kim [this message]
2026-05-15 8:23 ` wang wei