[3.8.y.z,extended,stable] Patch "zram: protect sysfs handler from invalid memory access" has been added to staging queue

Message ID 1373387286-21023-1-git-send-email-luis.henriques@canonical.com
State New
Headers show

Commit Message

Luis Henriques July 9, 2013, 4:28 p.m.
This is a note to let you know that I have just added a patch titled

    zram: protect sysfs handler from invalid memory access

to the linux-3.8.y-queue branch of the 3.8.y.z extended stable tree 
which can be found at:


If you, or anyone else, feels it should not be added to this tree, please 
reply to this email.

For more information about the 3.8.y.z tree, see



From 13a9ce91021b81ead5e38106d960b6b31266e529 Mon Sep 17 00:00:00 2001
From: Jiang Liu <liuj97@gmail.com>
Date: Fri, 7 Jun 2013 00:07:27 +0800
Subject: [PATCH] zram: protect sysfs handler from invalid memory access

commit 5863e10b441e7ea4b492f930f1be180a97d026f3 upstream.

Use zram->init_lock to protect access to zram->meta, otherwise it
may cause invalid memory access if zram->meta has been freed by

This issue may be triggered by:
Thread 1:
while true; do cat mem_used_total; done
Thread 2:
while true; do echo 8M > disksize; echo 1 > reset; done

Signed-off-by: Jiang Liu <jiang.liu@huawei.com>
Acked-by: Minchan Kim <minchan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[ luis: backported to 3.8:
  - protect access to zram->mem_pool instead of zram->meta ]
Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
 drivers/staging/zram/zram_sysfs.c | 2 ++
 1 file changed, 2 insertions(+)



diff --git a/drivers/staging/zram/zram_sysfs.c b/drivers/staging/zram/zram_sysfs.c
index de1eacf..c07687e 100644
--- a/drivers/staging/zram/zram_sysfs.c
+++ b/drivers/staging/zram/zram_sysfs.c
@@ -186,8 +186,10 @@  static ssize_t mem_used_total_show(struct device *dev,
 	u64 val = 0;
 	struct zram *zram = dev_to_zram(dev);

+	down_read(&zram->init_lock);
 	if (zram->init_done)
 		val = zs_get_total_size_bytes(zram->mem_pool);
+	up_read(&zram->init_lock);

 	return sprintf(buf, "%llu\n", val);