[RFC PATCH v1 2/8] zram: avoid invalid memory access in zram_exit()

[Jiang Liu]

On Tue 04 Jun 2013 05:03:09 PM CST, Minchan Kim wrote:
> On Mon, Jun 03, 2013 at 11:42:14PM +0800, Jiang Liu wrote:
>> Memory for zram->disk object may have already been freed after returning
>> from destroy_device(zram), then it's unsafe for zram_reset_device(zram)
>> to access zram->disk again.
>>
>> Fix it by holding an extra reference to zram->disk before calling
>> destroy_device(zram).
>>
>> Signed-off-by: Jiang Liu <jiang.liu at huawei.com>
>> ---
>>  drivers/staging/zram/zram_drv.c | 2 ++
>>  1 file changed, 2 insertions(+)
>>
>> diff --git a/drivers/staging/zram/zram_drv.c b/drivers/staging/zram/zram_drv.c
>> index e34e3fe..ee6b67d 100644
>> --- a/drivers/staging/zram/zram_drv.c
>> +++ b/drivers/staging/zram/zram_drv.c
>> @@ -727,8 +727,10 @@ static void __exit zram_exit(void)
>>  	for (i = 0; i < num_devices; i++) {
>>  		zram = &zram_devices[i];
>>
>> +		get_disk(zram->disk);
>>  		destroy_device(zram);
>>  		zram_reset_device(zram);
>> +		put_disk(zram->disk);
>
> Can't we simple reverse calling order of above two functions?
>
>         zram_reset_device(zram);
>         destroy_device(zram);
>
Hi Minchan,
     We can't solve this bug by changing the order of the two functions.
If we change the order, it will cause corner cases to zram sysfs 
handler,
which will be hard to solve too.
Regards!
Gerry