Message-ID: <20250803062519.35712-1-ImanDevel@gmail.com>
Date: Sun, 3 Aug 2025 02:25:19 -0400
From: Seyediman Seyedarab <imandevel@...il.com>
To: minchan@...nel.org,
senozhatsky@...omium.org,
axboe@...nel.dk
Cc: linux-kernel@...r.kernel.org,
linux-block@...r.kernel.org,
Seyediman Seyedarab <ImanDevel@...il.com>,
syzbot+1a281a451fd8c0945d07@...kaller.appspotmail.com
Subject: [PATCH] zram: fix NULL pointer dereference in zcomp_available_show()
During zram_reset_device(), comp_algs[prio] is set to NULL by
zram_destroy_comps() before being reinitialized to the default algorithm.
A concurrent sysfs read can occur between these operations, passing NULL
to strcmp() and causing a crash.

Additionally, there's a use-after-free race where zram_remove() frees the
zram structure while concurrent sysfs operations may still be accessing
it. This is because del_gendisk() doesn't wait for active sysfs operations
to complete - it only removes the files from the filesystem but doesn't
drain active references.

Temporarily add a NULL check in zcomp_available_show() to prevent the
crash. The use-after-free issue requires a more comprehensive fix using
proper reference counting to ensure the zram structure isn't freed while
still in use.
Fixes: e46b8a030d76 ("zram: make compression algorithm selection possible")
Reported-by: syzbot+1a281a451fd8c0945d07@...kaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=1a281a451fd8c0945d07
Signed-off-by: Seyediman Seyedarab <ImanDevel@...il.com>
---
drivers/block/zram/zcomp.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/block/zram/zcomp.c b/drivers/block/zram/zcomp.c
index b1bd1daa0060..98a2a3199ba2 100644
--- a/drivers/block/zram/zcomp.c
+++ b/drivers/block/zram/zcomp.c
@@ -95,7 +95,7 @@ ssize_t zcomp_available_show(const char *comp, char *buf, ssize_t at)
int i;
for (i = 0; i < ARRAY_SIZE(backends) - 1; i++) {
- if (!strcmp(comp, backends[i]->name)) {
+ if (comp && !strcmp(comp, backends[i]->name)) {
at += sysfs_emit_at(buf, at, "[%s] ",
backends[i]->name);
} else {
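Review bot: The `comp &&` test added in front of strcmp() only covers a reader that happens to observe NULL; it does not order the sysfs read against the reset described in the commit message, so the caller can still load comp_algs[prio] just before it is cleared and pass in a pointer whose lifetime nothing here guarantees. Consider having the show handler read comp_algs[prio] and call zcomp_available_show() under the same lock the reset path holds while it clears and reinitializes the array, which would make this check unnecessary. If the check stays as a stopgap, note that `comp` is loop-invariant, so it can be tested once before the loop, and that with a NULL `comp` every backend falls through to the else branch, so the output carries no bracketed "[name]" entry; a short comment saying why `comp` may be NULL here and that the unmarked list is intentional would help the next reader.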
--
2.50.1