staging: zram: fix random data read
authorMinchan Kim <minchan@kernel.org>
Fri, 8 Jun 2012 06:39:26 +0000 (15:39 +0900)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 11 Jun 2012 15:59:47 +0000 (08:59 -0700)
Commit fd1a30de introduced a bug: it uses a (struct page *) as a zsmalloc
handle even though the page is stored uncompressed, so a read can access a
random page, return random data, or even crash in get_first_page in zs_map_object.

Cc: Seth Jennings <sjenning@linux.vnet.ibm.com>
Cc: Jerome Marchand <jmarchan@redhat.com>
Signed-off-by: Minchan Kim <minchan@kernel.org>
Acked-by: Nitin Gupta <ngupta@vflare.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
drivers/staging/zram/zram_drv.c

index abd69d13d0a1cae8927fcbf09c89d3ff5b7ea883..0cdc303ad5655c43d400d13c799dc94b8644b86f 100644 (file)
@@ -280,26 +280,27 @@ static int zram_read_before_write(struct zram *zram, char *mem, u32 index)
        size_t clen = PAGE_SIZE;
        struct zobj_header *zheader;
        unsigned char *cmem;
+       unsigned long handle = zram->table[index].handle;
 
-       if (zram_test_flag(zram, index, ZRAM_ZERO) ||
-           !zram->table[index].handle) {
+       if (zram_test_flag(zram, index, ZRAM_ZERO) || !handle) {
                memset(mem, 0, PAGE_SIZE);
                return 0;
        }
 
-       cmem = zs_map_object(zram->mem_pool, zram->table[index].handle);
-
        /* Page is stored uncompressed since it's incompressible */
        if (unlikely(zram_test_flag(zram, index, ZRAM_UNCOMPRESSED))) {
-               memcpy(mem, cmem, PAGE_SIZE);
-               kunmap_atomic(cmem);
+               char *src = kmap_atomic((struct page *)handle);
+               memcpy(mem, src, PAGE_SIZE);
+               kunmap_atomic(src);
                return 0;
        }
 
+       cmem = zs_map_object(zram->mem_pool, handle);
+
        ret = lzo1x_decompress_safe(cmem + sizeof(*zheader),
                                    zram->table[index].size,
                                    mem, &clen);
-       zs_unmap_object(zram->mem_pool, zram->table[index].handle);
+       zs_unmap_object(zram->mem_pool, handle);
 
        /* Should NEVER happen. Return bio error if it does. */
        if (unlikely(ret != LZO_E_OK)) {
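Review bot: The cast `(struct page *)handle` in the ZRAM_UNCOMPRESSED branch relies on a convention that is not written down anywhere in the hunk: `table[index].handle` holds a page pointer when that flag is set and a zsmalloc handle otherwise. Mixing the two up is what let a read return unrelated memory, so I would document it at the new declaration, e.g. `/* struct page * if ZRAM_UNCOMPRESSED is set, else a zsmalloc handle */`. Other code that maps or frees `table[index].handle` is outside this hunk and should be checked for the same flag test before it reaches `zs_map_object`. The body of `zram_read_before_write` starts and ends outside the hunk.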