From: Sergey Senozhatsky senozhatsky@chromium.org
mainline inclusion from mainline-v6.0-rc3 commit a5d2172180e8f94a8cfc7a7fa0243035629bf8d0 category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/I7TWVA CVE: NA
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=...
-------------------------------------------
zsmalloc() now returns ERR_PTR values as handles, which zram accidentally can pass to zs_free(). Another bad scenario is when zcomp_compress() fails - handle has default -ENOMEM value, and zs_free() will try to free that "pointer value".
Add the missing check and make sure that zs_free() bails out when ERR_PTR() is passed to it.
Link: https://lkml.kernel.org/r/20220816050906.2583956-1-senozhatsky@chromium.org Fixes: c7e6f17b52e9 ("zsmalloc: zs_malloc: return ERR_PTR on failure") Signed-off-by: Sergey Senozhatsky senozhatsky@chromium.org Cc: Minchan Kim minchan@kernel.org Cc: Nitin Gupta ngupta@vflare.org, Signed-off-by: Andrew Morton akpm@linux-foundation.org Signed-off-by: Jinjiang Tu tujinjiang@huawei.com --- mm/zsmalloc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/mm/zsmalloc.c b/mm/zsmalloc.c index 540af37bea02..6079f5625abb 100644 --- a/mm/zsmalloc.c +++ b/mm/zsmalloc.c @@ -1526,7 +1526,7 @@ void zs_free(struct zs_pool *pool, unsigned long handle) enum fullness_group fullness; bool isolated;
- if (unlikely(!handle)) + if (IS_ERR_OR_NULL((void *)handle)) return;
pin_tag(handle);