Date: Tue, 8 Sep 2015 19:27:11 +0900
From: Sergey Senozhatsky
To: Andrew Morton
Cc: Luis Henriques, Minchan Kim, linux-kernel@vger.kernel.org, Sergey Senozhatsky, Sergey Senozhatsky
Subject: Re: [PATCH v3] zram: fix possible use after free in zcomp_create()
Message-ID: <20150908102711.GB29901@swordfish>

On (09/08/15 18:56), Sergey Senozhatsky wrote:
> On (09/08/15 10:39), Luis Henriques wrote:
> > zcomp_create() verifies the success of zcomp_strm_{multi,single}_create()
> > through comp->stream, which can potentially be pointing to memory that was
> > freed if these functions returned an error.
> >
> > While at it, replace a 'ERR_PTR(-ENOMEM)' by a more generic
> > 'ERR_PTR(error)' as in the future zcomp_strm_{multi,single}_create() could
> > return other error codes. Function documentation updated accordingly.
> >

Oh...forgot to Cc Andrew

Andrew, please disregard V2 of this patch.

V3 Acked-by: Sergey Senozhatsky

	-ss

> > ---
> >
> > Changes since v2:
> > * Renamed local variable 'ret' to 'error'
> > * Usage of 'ERR_PTR(error)' to accommodate future error codes returned by
> >   zcomp_strm_{multi,single}_create
> >   (all suggested by Minchan)
> >
> > Changes since v1:
> > * Check zcomp_strm_{multi,single}_create() return code instead of
> >   comp->stream (suggested by Sergey)
> >
> > drivers/block/zram/zcomp.c | 12 +++++++-----
> > 1 file changed, 7 insertions(+), 5 deletions(-)
> >
> > diff --git a/drivers/block/zram/zcomp.c b/drivers/block/zram/zcomp.c > > index 965d1afb0eaa..5cb13ca3a3ac 100644 > > --- a/drivers/block/zram/zcomp.c > > +++ b/drivers/block/zram/zcomp.c 
> > @@ -330,12 +330,14 @@ void zcomp_destroy(struct zcomp *comp) > > * allocate new zcomp and initialize it. return compressing > > * backend pointer or ERR_PTR if things went bad. ERR_PTR(-EINVAL) > > * if requested algorithm is not supported, ERR_PTR(-ENOMEM) in > > - * case of allocation error. > > + * case of allocation error, or any other error potentially > > + * returned by functions zcomp_strm_{multi,single}_create. > > */ > > struct zcomp *zcomp_create(const char *compress, int max_strm) > > { > > struct zcomp *comp; > > struct zcomp_backend *backend; > > + int error; > > > > backend = find_backend(compress); > > if (!backend) > > @@ -347,12 +349,12 @@ struct zcomp *zcomp_create(const char *compress, int max_strm) > > > > comp->backend = backend; > > if (max_strm > 1) > > - zcomp_strm_multi_create(comp, max_strm); > > + error = zcomp_strm_multi_create(comp, max_strm); > > else > > - zcomp_strm_single_create(comp); > > - if (!comp->stream) { > > + error = zcomp_strm_single_create(comp); > > + if (error) { > > kfree(comp); > > - return ERR_PTR(-ENOMEM); > > + return ERR_PTR(error); > > } > > return comp; > > } > > >
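Review bot: In the first hunk (@@ -330,12 +330,14 @@), the updated comment leaves the set of possible error codes open-ended ("or any other error potentially returned by ...") without saying how callers should consume the result. Consider stating in the comment that the return value must be tested with IS_ERR() and the code retrieved with PTR_ERR(), so that no caller assumes only -EINVAL or -ENOMEM can come back or checks the pointer against NULL.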
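Review bot: In the second hunk (@@ -347,12 +349,12 @@), `if (error)` followed by `return ERR_PTR(error);` is correct only if zcomp_strm_multi_create() and zcomp_strm_single_create() return 0 on success and a negative errno on failure. A positive return value would take the failure path, free comp, and hand the caller a small non-NULL pointer that IS_ERR() does not recognise as an error, so the caller would go on to dereference it. Either document that contract next to the two helpers or test `if (error < 0)` here. Reading the return value instead of comp->stream is the right fix for the stale-pointer read, since on failure comp->stream may refer to memory the helper has already freed.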