From patchwork Tue Jan 7 06:54:46 2025
X-Patchwork-Submitter: Kairui Song
X-Patchwork-Id: 13928303
From: Kairui Song
To: linux-mm@kvack.org
Cc: Minchan Kim, Sergey Senozhatsky, Andrew Morton, linux-block@vger.kernel.org, linux-kernel@vger.kernel.org, Kairui Song, stable@vger.kernel.org
Subject: [PATCH] zram: fix potential UAF of zram table
Date: Tue, 7 Jan 2025 14:54:46 +0800
Message-ID: <20250107065446.86928-1-ryncsn@gmail.com>

If zram_meta_alloc failed early, it frees allocated zram->table without setting it NULL. Which will potentially cause zram_meta_free to access the table if user reset a failed and uninitialized device.

Fixes: 74363ec674cb ("zram: fix uninitialized ZRAM not releasing backing device")
Cc:
Signed-off-by: Kairui Song
Reviewed-by: Sergey Senozhatsky
--- drivers/block/zram/zram_drv.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/block/zram/zram_drv.c b/drivers/block/zram/zram_drv.c index 5b8e4f4171ab..70ecaee25c20 100644 --- a/drivers/block/zram/zram_drv.c +++ b/drivers/block/zram/zram_drv.c @@ -1465,6 +1465,7 @@ static bool zram_meta_alloc(struct zram *zram, u64 disksize) zram->mem_pool = zs_create_pool(zram->disk->disk_name); if (!zram->mem_pool) { vfree(zram->table); + zram->table = NULL; return false; }
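
Review bot: In the !zram->mem_pool failure branch, the added "zram->table = NULL;" only closes the hole if the reset path treats a NULL table as nothing to free, and neither the hunk nor the commit message shows that check. The message says only that zram_meta_free would "access the table" on a failed, uninitialized device; please name the guard this assignment pairs with and spell out the consequence (use of the already vfree'd table, per the subject line), so the stable backport can be judged from the message alone. Only this one error exit of zram_meta_alloc is visible here, so it is also worth confirming that any other early return after the table allocation leaves zram->table NULL in the same way.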