On Tue 04 Jun 2013 05:03:09 PM CST, Minchan Kim wrote:
> On Mon, Jun 03, 2013 at 11:42:14PM +0800, Jiang Liu wrote:
>> Memory for zram->disk object may have already been freed after returning
>> from destroy_device(zram), then it's unsafe for zram_reset_device(zram)
>> to access zram->disk again.
>>
>> Fix it by holding an extra reference to zram->disk before calling
>> destroy_device(zram).
>>
>> Signed-off-by: Jiang Liu <jiang.liu@xxxxxxxxxx>
>> ---
>> drivers/staging/zram/zram_drv.c | 2 ++
>> 1 file changed, 2 insertions(+)
>>
>> diff --git a/drivers/staging/zram/zram_drv.c b/drivers/staging/zram/zram_drv.c
>> index e34e3fe..ee6b67d 100644
>> --- a/drivers/staging/zram/zram_drv.c
>> +++ b/drivers/staging/zram/zram_drv.c
>> @@ -727,8 +727,10 @@ static void __exit zram_exit(void)
>> for (i = 0; i < num_devices; i++) {
>> zram = &zram_devices[i];
>>
>> + get_disk(zram->disk);
>> destroy_device(zram);
>> zram_reset_device(zram);
>> + put_disk(zram->disk);
>
> Can't we simple reverse calling order of above two functions?
>
> zram_reset_device(zram);
> destroy_device(zram);
>
Hi Minchan,
We can't solve this bug by changing the order of the two functions.
If we change the order, it will cause corner cases to zram sysfs
handler,
which will be hard to solve too.
Regards!
Gerry
_______________________________________________
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxx
http://driverdev.linuxdriverproject.org/mailman/listinfo/devel
