From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1751069AbbIGLLK (ORCPT <rfc822;w@1wt.eu>);
	Mon, 7 Sep 2015 07:11:10 -0400
Received: from mail-pa0-f54.google.com ([209.85.220.54]:32839 "EHLO
	mail-pa0-f54.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1750752AbbIGLLI (ORCPT
	<rfc822;linux-kernel@vger.kernel.org>);
	Mon, 7 Sep 2015 07:11:08 -0400
Date: Mon, 7 Sep 2015 20:11:48 +0900
From: Sergey Senozhatsky <sergey.senozhatsky.work@gmail.com>
To: Luis Henriques <luis.henriques@canonical.com>
Cc: Minchan Kim <minchan@kernel.org>, Nitin Gupta <ngupta@vflare.org>,
        Sergey Senozhatsky <sergey.senozhatsky.work@gmail.com>,
        Sergey Senozhatsky <sergey.senozhatsky@gmail.com>,
        linux-kernel@vger.kernel.org
Subject: Re: [PATCH] zram: fix possible use after free in zcomp_create()
Message-ID: <20150907111148.GB27956@swordfish>
References: <1441622033-8358-1-git-send-email-luis.henriques@canonical.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <1441622033-8358-1-git-send-email-luis.henriques@canonical.com>
User-Agent: Mutt/1.5.24 (2015-08-30)
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On (09/07/15 11:33), Luis Henriques wrote:
> zcomp_create() verifies the success of zcomp_strm_{multi,siggle}_create()
> through comp->stream, which can potentially be pointing to memory that was
> freed if these functions returned an error.
> 

good catch.

we probably better start checking the zcomp_strm_multi_create()/
zcomp_strm_single_create() status in zcomp_create(); that's much
more obvious and that's why we return it in the first place.

what do you think?

---

 drivers/block/zram/zcomp.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/drivers/block/zram/zcomp.c b/drivers/block/zram/zcomp.c
index 3456d5a..16bbc8c 100644
--- a/drivers/block/zram/zcomp.c
+++ b/drivers/block/zram/zcomp.c
@@ -360,6 +360,7 @@ struct zcomp *zcomp_create(const char *compress, int max_strm)
 {
 	struct zcomp *comp;
 	struct zcomp_backend *backend;
+	int ret;
 
 	backend = find_backend(compress);
 	if (!backend)
@@ -371,10 +372,10 @@ struct zcomp *zcomp_create(const char *compress, int max_strm)
 
 	comp->backend = backend;
 	if (max_strm > 1)
-		zcomp_strm_multi_create(comp, max_strm);
+		ret = zcomp_strm_multi_create(comp, max_strm);
 	else
-		zcomp_strm_single_create(comp);
-	if (!comp->stream) {
+		ret = zcomp_strm_single_create(comp);
+	if (ret != 0) {
 		kfree(comp);
 		return ERR_PTR(-ENOMEM);
 	}