From: Ming Lei ming.lei@redhat.com
mainline inclusion from mainline-v5.16-rc1 commit 6f1637795f2827d36aec9e0246487f5852e8abf7 category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I7TWVA CVE: NA
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=...
-------------------------------------------
When the ->init_lock is released in zram_reset_device(), disksize_store() can come in and try to allocate meta, but zram_reset_device() is freeing free meta, so cause races.
Link: https://lore.kernel.org/linux-block/20210927163805.808907-1-mcgrof@kernel.or... Reported-by: Luis Chamberlain mcgrof@kernel.org Reviewed-by: Luis Chamberlain mcgrof@kernel.org Signed-off-by: Ming Lei ming.lei@redhat.com Acked-by: Minchan Kim minchan@kernel.org Link: https://lore.kernel.org/r/20211025025426.2815424-2-ming.lei@redhat.com Signed-off-by: Jens Axboe axboe@kernel.dk Signed-off-by: Jinjiang Tu tujinjiang@huawei.com --- drivers/block/zram/zram_drv.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/block/zram/zram_drv.c b/drivers/block/zram/zram_drv.c index 40df7f994b89..56074ac5bd12 100644 --- a/drivers/block/zram/zram_drv.c +++ b/drivers/block/zram/zram_drv.c @@ -1703,12 +1703,13 @@ static void zram_reset_device(struct zram *zram) set_capacity(zram->disk, 0); part_stat_set_all(&zram->disk->part0, 0);
- up_write(&zram->init_lock); /* I/O operation under all of CPU are done so let's free */ zram_meta_free(zram, disksize); memset(&zram->stats, 0, sizeof(zram->stats)); zcomp_destroy(comp); reset_bdev(zram); + + up_write(&zram->init_lock); }
static ssize_t disksize_store(struct device *dev,