Patchwork [3.8.y.z,extended,stable] Patch "zram: protect sysfs handler from invalid memory access" has been added to staging queue

mail settings
Submitter Luis Henriques
Date July 9, 2013, 4:28 p.m.
Message ID <>
Download mbox | patch
Permalink /patch/257756/
State New
Headers show


Luis Henriques - July 9, 2013, 4:28 p.m.
This is a note to let you know that I have just added a patch titled

    zram: protect sysfs handler from invalid memory access

to the linux-3.8.y-queue branch of the 3.8.y.z extended stable tree 
which can be found at:;a=shortlog;h=refs/heads/linux-3.8.y-queue

If you, or anyone else, feels it should not be added to this tree, please 
reply to this email.

For more information about the 3.8.y.z tree, see



From 13a9ce91021b81ead5e38106d960b6b31266e529 Mon Sep 17 00:00:00 2001
From: Jiang Liu <>
Date: Fri, 7 Jun 2013 00:07:27 +0800
Subject: [PATCH] zram: protect sysfs handler from invalid memory access

commit 5863e10b441e7ea4b492f930f1be180a97d026f3 upstream.

Use zram->init_lock to protect access to zram->meta, otherwise it
may cause invalid memory access if zram->meta has been freed by

This issue may be triggered by:
Thread 1:
while true; do cat mem_used_total; done
Thread 2:
while true; do echo 8M > disksize; echo 1 > reset; done

Signed-off-by: Jiang Liu <>
Acked-by: Minchan Kim <>
Signed-off-by: Greg Kroah-Hartman <>
[ luis: backported to 3.8:
  - protect access to zram->mem_pool instead of zram->meta ]
Signed-off-by: Luis Henriques <>
 drivers/staging/zram/zram_sysfs.c | 2 ++
 1 file changed, 2 insertions(+)



diff --git a/drivers/staging/zram/zram_sysfs.c b/drivers/staging/zram/zram_sysfs.c
index de1eacf..c07687e 100644
--- a/drivers/staging/zram/zram_sysfs.c
+++ b/drivers/staging/zram/zram_sysfs.c
@@ -186,8 +186,10 @@  static ssize_t mem_used_total_show(struct device *dev,
 	u64 val = 0;
 	struct zram *zram = dev_to_zram(dev);

+	down_read(&zram->init_lock);
 	if (zram->init_done)
 		val = zs_get_total_size_bytes(zram->mem_pool);
+	up_read(&zram->init_lock);

 	return sprintf(buf, "%llu\n", val);