summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorJiang Liu <liuj97@gmail.com>2013-06-07 00:07:22 +0800
committerBen Hutchings <ben@decadent.org.uk>2013-07-27 05:34:06 +0100
commitfd162a76f16083157e32fe5f488f39a319b93fad (patch)
treeae01977f6a5088b3f78b9e7fbbd73542b5e71425
parent4e9169bee6bc9870277539a425c528584212e76c (diff)
downloadlwn-fd162a76f16083157e32fe5f488f39a319b93fad.tar.gz
lwn-fd162a76f16083157e32fe5f488f39a319b93fad.zip
zram: avoid invalid memory access in zram_exit()
commit 6030ea9b35971a4200062f010341ab832e878ac9 upstream. Memory for zram->disk object may have already been freed after returning from destroy_device(zram), then it's unsafe for zram_reset_device(zram) to access zram->disk again. We can't solve this bug by flipping the order of destroy_device(zram) and zram_reset_device(zram), that will cause deadlock issues to the zram sysfs handler. So fix it by holding an extra reference to zram->disk before calling destroy_device(zram). Signed-off-by: Jiang Liu <jiang.liu@huawei.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> [bwh: Backported to 3.2: adjust context] Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Diffstat
-rw-r--r--drivers/staging/zram/zram_drv.c2
1 files changed, 2 insertions, 0 deletions
diff --git a/drivers/staging/zram/zram_drv.c b/drivers/staging/zram/zram_drv.c
index 2594a313d258..e87af2914ddc 100644
--- a/drivers/staging/zram/zram_drv.c
+++ b/drivers/staging/zram/zram_drv.c
@@ -846,9 +846,11 @@ static void __exit zram_exit(void)
for (i = 0; i < zram_num_devices; i++) {
zram = &zram_devices[i];
+ get_disk(zram->disk);
destroy_device(zram);
if (zram->init_done)
zram_reset_device(zram);
+ put_disk(zram->disk);
}
unregister_blkdev(zram_major, "zram");