From: Sergey Senozhatsky <senozhatsky@chromium.org> mainline inclusion from mainline-v6.0-rc3 commit a5d2172180e8f94a8cfc7a7fa0243035629bf8d0 category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/I7TWVA CVE: NA Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=... ------------------------------------------- zsmalloc() now returns ERR_PTR values as handles, which zram accidentally can pass to zs_free(). Another bad scenario is when zcomp_compress() fails - handle has default -ENOMEM value, and zs_free() will try to free that "pointer value". Add the missing check and make sure that zs_free() bails out when ERR_PTR() is passed to it. Link: https://lkml.kernel.org/r/20220816050906.2583956-1-senozhatsky@chromium.org Fixes: c7e6f17b52e9 ("zsmalloc: zs_malloc: return ERR_PTR on failure") Signed-off-by: Sergey Senozhatsky <senozhatsky@chromium.org> Cc: Minchan Kim <minchan@kernel.org> Cc: Nitin Gupta <ngupta@vflare.org>, Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Jinjiang Tu <tujinjiang@huawei.com> --- mm/zsmalloc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/mm/zsmalloc.c b/mm/zsmalloc.c index 540af37bea02..6079f5625abb 100644 --- a/mm/zsmalloc.c +++ b/mm/zsmalloc.c @@ -1526,7 +1526,7 @@ void zs_free(struct zs_pool *pool, unsigned long handle) enum fullness_group fullness; bool isolated; - if (unlikely(!handle)) + if (IS_ERR_OR_NULL((void *)handle)) return; pin_tag(handle); -- 2.25.1