From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753294AbbFICQu (ORCPT ); Mon, 8 Jun 2015 22:16:50 -0400
Received: from mail-pa0-f66.google.com ([209.85.220.66]:36408 "EHLO mail-pa0-f66.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752228AbbFICQm (ORCPT ); Mon, 8 Jun 2015 22:16:42 -0400
Date: Tue, 9 Jun 2015 11:17:06 +0900
From: Sergey Senozhatsky
To: akpm@linux-foundation.org
Cc: sergey.senozhatsky@gmail.com, minchan@kernel.org, mm-commits@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: + zsmalloc-fix-a-null-pointer-dereference-in-destroy_handle_cache.patch added to -mm tree
Message-ID: <20150609021706.GA3297@swordfish>
References: <5576014e.XTPbNvTv2bJIJ1Z3%akpm@linux-foundation.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <5576014e.XTPbNvTv2bJIJ1Z3%akpm@linux-foundation.org>
User-Agent: Mutt/1.5.23+89 (0255b37be491) (2014-03-12)
Sender: linux-kernel-owner@vger.kernel.org
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

On (06/08/15 13:55), akpm@linux-foundation.org wrote:
> ------------------------------------------------------
> From: Sergey Senozhatsky
> Subject: zsmalloc: fix a null pointer dereference in destroy_handle_cache()
>
> If zs_create_pool()->create_handle_cache()->kmem_cache_create() fails,
> zs_create_pool()->destroy_handle_cache() will dereference the NULL
> pool->handle_cachep.
>
> Modify destroy_handle_cache() to avoid this.
>

Thank you, that's a nicer commit message. A minor correction,
zs_create_pool() can cause NULL pool->handle_cachep from two places:
-- failed `zs_create_pool()-> pool->name = kstrdup(...)'
-- failed `zs_create_pool()->create_handle_cache()->kmem_cache_create()'

How about the following version:

---

If zs_create_pool()->create_handle_cache()->kmem_cache_create() or
pool->name allocation fails, zs_create_pool()->destroy_handle_cache() will
dereference the NULL pool->handle_cachep.

Modify destroy_handle_cache() to avoid this.

---

	-ss

> Signed-off-by: Sergey Senozhatsky
> Cc: Minchan Kim
> Signed-off-by: Andrew Morton
> ---
>
> mm/zsmalloc.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff -puN mm/zsmalloc.c~zsmalloc-fix-a-null-pointer-dereference-in-destroy_handle_cache mm/zsmalloc.c > --- a/mm/zsmalloc.c~zsmalloc-fix-a-null-pointer-dereference-in-destroy_handle_cache > +++ a/mm/zsmalloc.c 
> @@ -289,7 +289,8 @@ static int create_handle_cache(struct zs > > static void destroy_handle_cache(struct zs_pool *pool) > { > - kmem_cache_destroy(pool->handle_cachep); > + if (pool->handle_cachep) > + kmem_cache_destroy(pool->handle_cachep); > } > > static unsigned long alloc_handle(struct zs_pool *pool) > _ > > Patches currently in -mm which might be from sergey.senozhatsky@gmail.com are > > zram-clear-disk-io-accounting-when-reset-zram-device.patch > zsmalloc-fix-a-null-pointer-dereference-in-destroy_handle_cache.patch > zram-add-compact-sysfs-entry-to-documentation.patch > zram-cosmetic-zram_attr_ro-code-formatting-tweak.patch > zram-use-idr-instead-of-zram_devices-array.patch > zram-reorganize-code-layout.patch > zram-remove-max_num_devices-limitation.patch > zram-report-every-added-and-removed-device.patch > zram-trivial-correct-flag-operations-comment.patch > zram-return-zram-device_id-from-zram_add.patch > zram-close-race-by-open-overriding.patch > zram-add-dynamic-device-add-remove-functionality.patch > zram-cosmetic-zram_bvec_write-cleanup.patch > zram-cut-trailing-newline-in-algorithm-name.patch > zram-check-comp-algorithm-availability-earlier.patch > zram-check-comp-algorithm-availability-earlier-v2.patch > linux-next.patch > > -- > To unsubscribe from this list: send the line "unsubscribe mm-commits" in > the body of a message to majordomo@vger.kernel.org > More majordomo info at http://vger.kernel.org/majordomo-info.html >
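
Review bot: the new `if (pool->handle_cachep)` guard in destroy_handle_cache() only protects the error path if the field is reliably NULL whenever create_handle_cache() did not succeed. For the pool->name allocation failure named in the reply, create_handle_cache() has not run at all, so the check depends on the pool structure being zero-initialized when it is allocated; that is worth confirming, and a one-line comment above the check saying that zs_create_pool() can reach this function with no cache created would keep the guard from being removed later as redundant. The changelog should list both failure paths, as the reply proposes, since the diff itself does not show which callers can pass a NULL handle_cachep.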