From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752224AbbIHBGn (ORCPT ); Mon, 7 Sep 2015 21:06:43 -0400 Received: from mail-pa0-f50.google.com ([209.85.220.50]:36451 "EHLO mail-pa0-f50.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751197AbbIHBGk (ORCPT ); Mon, 7 Sep 2015 21:06:40 -0400 Date: Tue, 8 Sep 2015 10:07:18 +0900 From: Minchan Kim To: Luis Henriques Cc: Nitin Gupta , Sergey Senozhatsky , linux-kernel@vger.kernel.org Subject: Re: [PATCH v2] zram: fix possible use after free in zcomp_create() Message-ID: <20150908010718.GA19776@bbox> References: <20150907133332.GA539@swordfish> <1441635190-13991-1-git-send-email-luis.henriques@canonical.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <1441635190-13991-1-git-send-email-luis.henriques@canonical.com> User-Agent: Mutt/1.5.21 (2010-09-15) Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Hello, First of all, Thanks for catching a bug and review, Guys. Below there are just some cleanup. If you guys think it's better, please respin. On Mon, Sep 07, 2015 at 03:13:10PM +0100, Luis Henriques wrote: > zcomp_create() verifies the success of zcomp_strm_{multi,siggle}_create() > through comp->stream, which can potentially be pointing to memory that was > freed if these functions returned an error. > > Fixes: beca3ec71fe5 ("zram: add multi stream functionality") > Cc: stable@vger.kernel.org > Signed-off-by: Luis Henriques > --- > Changes since v1: > * Check zcomp_strm_{multi,siggle}_create() return code instead > comp->stream (suggested by Sergey) > > drivers/block/zram/zcomp.c | 7 ++++--- > 1 file changed, 4 insertions(+), 3 deletions(-) > > diff --git a/drivers/block/zram/zcomp.c b/drivers/block/zram/zcomp.c > index 965d1afb0eaa..8d2cdfd307db 100644 > --- a/drivers/block/zram/zcomp.c 
> +++ b/drivers/block/zram/zcomp.c > @@ -336,6 +336,7 @@ struct zcomp *zcomp_create(const char *compress, int max_strm) > { > struct zcomp *comp; > struct zcomp_backend *backend; > + int ret; For the clarification, I want to call it as 'error' instead of ret. > > backend = find_backend(compress); > if (!backend) > @@ -347,10 +348,10 @@ struct zcomp *zcomp_create(const char *compress, int max_strm) > > comp->backend = backend; > if (max_strm > 1) > - zcomp_strm_multi_create(comp, max_strm); > + ret = zcomp_strm_multi_create(comp, max_strm); > else > - zcomp_strm_single_create(comp); > - if (!comp->stream) { > + ret = zcomp_strm_single_create(comp); > + if (ret) { > kfree(comp); > return ERR_PTR(-ENOMEM); > } And we could return ERR_PTR(error) rather than fixed -ENOMEM to propagate other errors potentially could be happen in future(ex, crypto support). Of course, we should change description of the function about error return. Thanks.
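Review bot: on the first hunk, leaving the new `int ret;` in zcomp_create() uninitialized is correct and should stay that way: both arms of the `if (max_strm > 1)` below assign it before `if (ret)` reads it, and not pre-setting it to 0 keeps the compiler able to warn if a future path through the function forgets to set it.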
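Review bot: on the second hunk, `if (ret) { kfree(comp); return ERR_PTR(-ENOMEM); }` still collapses every failure to -ENOMEM even though `ret` now carries the callee's actual error code; return `ERR_PTR(ret)` instead so that a non-memory error from zcomp_strm_{multi,single}_create() reaches the caller, and update the function's comment describing its error return to match. The switch from `if (!comp->stream)` to `if (ret)` is the right fix for the bug itself: per the commit message the stream memory can already be freed when these helpers fail, so the old test read a dangling pointer.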