On Fri, 5 Jun 2015 20:11:30 +0900 Sergey Senozhatsky <sergey.senozhatsky@xxxxxxxxx> wrote:
> zs_destroy_pool()->destroy_handle_cache() invoked from
> zs_create_pool() can pass a NULL ->handle_cachep pointer
> to kmem_cache_destroy(), which will dereference it.
>
That's slightly lacking in details (under what circumstances will it
crash) so I changed it to
: If zs_create_pool()->create_handle_cache()->kmem_cache_create() fails,
: zs_create_pool()->destroy_handle_cache() will dereference the NULL
: pool->handle_cachep.
:
: Modify destroy_handle_cache() to avoid this.
> ...
>
> --- a/mm/zsmalloc.c
> +++ b/mm/zsmalloc.c
> @@ -285,7 +285,8 @@ static int create_handle_cache(struct zs_pool *pool)
>
> static void destroy_handle_cache(struct zs_pool *pool)
> {
> - kmem_cache_destroy(pool->handle_cachep);
> + if (pool->handle_cachep)
> + kmem_cache_destroy(pool->handle_cachep);
> }
>
> static unsigned long alloc_handle(struct zs_pool *pool)
I'll apply this, but... from a bit of grepping I'm estimating that we
have approximately 200 instances of
if (foo)
kmem_cache_destroy(foo);
so obviously kmem_cache_destroy() should be doing the check.
--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@xxxxxxxxx. For more info on Linux MM,
see: http://www.linux-mm.org/ .
Don't email: <a href=mailto:"dont@xxxxxxxxx";> email@xxxxxxxxx </a>