[next] mm/zswap: fix potential uninitialized pointer read on tmp
diff mbox series

Message ID 20210128141728.639030-1-colin.king@canonical.com
State In Next
Commit 1af9eb7fc47cc670b9c8553b694266348b978aec
Headers show
Series
  • [next] mm/zswap: fix potential uninitialized pointer read on tmp
Related show

Commit Message

Colin King Jan. 28, 2021, 2:17 p.m. UTC
From: Colin Ian King <colin.king@canonical.com>

In the case where zpool_can_sleep_mapped(pool) returns 0
then tmp is not allocated and tmp is then an uninitialized
pointer. Later if entry is null, tmp is freed, hence free'ing
an uninitialized pointer. Fix this by ensuring tmp is initialized
to NULL.

Addresses-Coverity: ("Uninitialized pointer read")
Fixes: 908aa806dba0 ("mm/zswap: fix potential memory leak")
Signed-off-by: Colin Ian King <colin.king@canonical.com>
---
 mm/zswap.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Vlastimil Babka Jan. 28, 2021, 3:18 p.m. UTC | #1
On 1/28/21 3:17 PM, Colin King wrote:
> From: Colin Ian King <colin.king@canonical.com>
> 
> In the case where zpool_can_sleep_mapped(pool) returns 0
> then tmp is not allocated and tmp is then an uninitialized
> pointer. Later if entry is null, tmp is freed, hence free'ing
> an uninitialized pointer. Fix this by ensuring tmp is initialized
> to NULL.
> 
> Addresses-Coverity: ("Uninitialized pointer read")
> Fixes: 908aa806dba0 ("mm/zswap: fix potential memory leak")

That's a linux-next hash, patch is in mmotm [1] *) You know what it means...

*) actually it's not there, yet it is in -next. What's going on?

[1]
https://ozlabs.org/~akpm/mmotm/broken-out/mm-zswap-fix-potential-memory-leak.patch

> Signed-off-by: Colin Ian King <colin.king@canonical.com>
> ---
>  mm/zswap.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/mm/zswap.c b/mm/zswap.c
> index 8d1381b1178d..578d9f256920 100644
> --- a/mm/zswap.c
> +++ b/mm/zswap.c
> @@ -935,7 +935,7 @@ static int zswap_writeback_entry(struct zpool *pool, unsigned long handle)
>  	struct scatterlist input, output;
>  	struct crypto_acomp_ctx *acomp_ctx;
>  
> -	u8 *src, *tmp;
> +	u8 *src, *tmp = NULL;
>  	unsigned int dlen;
>  	int ret;
>  	struct writeback_control wbc = {
>
Andrew Morton Jan. 28, 2021, 8:51 p.m. UTC | #2
On Thu, 28 Jan 2021 16:18:23 +0100 Vlastimil Babka <vbabka@suse.cz> wrote:

> On 1/28/21 3:17 PM, Colin King wrote:
> > From: Colin Ian King <colin.king@canonical.com>
> > 
> > In the case where zpool_can_sleep_mapped(pool) returns 0
> > then tmp is not allocated and tmp is then an uninitialized
> > pointer. Later if entry is null, tmp is freed, hence free'ing
> > an uninitialized pointer. Fix this by ensuring tmp is initialized
> > to NULL.
> > 
> > Addresses-Coverity: ("Uninitialized pointer read")
> > Fixes: 908aa806dba0 ("mm/zswap: fix potential memory leak")
> 
> That's a linux-next hash, patch is in mmotm [1] *) You know what it means...
> 
> *) actually it's not there, yet it is in -next. What's going on?
> 
> [1]
> https://ozlabs.org/~akpm/mmotm/broken-out/mm-zswap-fix-potential-memory-leak.patch

The containing file was renamed to
https://ozlabs.org/~akpm/mmotm/broken-out/mm-zswap-add-the-flag-can_sleep_mapped-fix-2.patch,
since it's a fix against mm-zswap-add-the-flag-can_sleep_mapped.patch.

And this patch's containing file will of course be
mm-zswap-add-the-flag-can_sleep_mapped-fix-3.patch.

Patch
diff mbox series

diff --git a/mm/zswap.c b/mm/zswap.c
index 8d1381b1178d..578d9f256920 100644
--- a/mm/zswap.c
+++ b/mm/zswap.c
@@ -935,7 +935,7 @@  static int zswap_writeback_entry(struct zpool *pool, unsigned long handle)
 	struct scatterlist input, output;
 	struct crypto_acomp_ctx *acomp_ctx;
 
-	u8 *src, *tmp;
+	u8 *src, *tmp = NULL;
 	unsigned int dlen;
 	int ret;
 	struct writeback_control wbc = {