
Commit 374a6919 authored by Minchan Kim's avatar Minchan Kim Committed by Greg Kroah-Hartman

staging: zram: fix random data read



fd1a30de introduced a bug: it passes a (struct page *) to zsmalloc as
a handle even though the page is stored uncompressed, so it can access
a random page, return random data, or even crash in get_first_page in
zs_map_object.

Cc: Seth Jennings <sjenning@linux.vnet.ibm.com>
Cc: Jerome Marchand <jmarchan@redhat.com>
Signed-off-by: default avatarMinchan Kim <minchan@kernel.org>
Acked-by: default avatarNitin Gupta <ngupta@vflare.org>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
parent c2344348
+8 −7
@@ -280,26 +280,27 @@ static int zram_read_before_write(struct zram *zram, char *mem, u32 index)
	size_t clen = PAGE_SIZE;
	struct zobj_header *zheader;
	unsigned char *cmem;
	unsigned long handle = zram->table[index].handle;

	if (zram_test_flag(zram, index, ZRAM_ZERO) ||
	    !zram->table[index].handle) {
	if (zram_test_flag(zram, index, ZRAM_ZERO) || !handle) {
		memset(mem, 0, PAGE_SIZE);
		return 0;
	}

	cmem = zs_map_object(zram->mem_pool, zram->table[index].handle);

	/* Page is stored uncompressed since it's incompressible */
	if (unlikely(zram_test_flag(zram, index, ZRAM_UNCOMPRESSED))) {
		memcpy(mem, cmem, PAGE_SIZE);
		kunmap_atomic(cmem);
		char *src = kmap_atomic((struct page *)handle);
		memcpy(mem, src, PAGE_SIZE);
		kunmap_atomic(src);
		return 0;
	}

	cmem = zs_map_object(zram->mem_pool, handle);

	ret = lzo1x_decompress_safe(cmem + sizeof(*zheader),
				    zram->table[index].size,
				    mem, &clen);
	zs_unmap_object(zram->mem_pool, zram->table[index].handle);
	zs_unmap_object(zram->mem_pool, handle);

	/* Should NEVER happen. Return bio error if it does. */
	if (unlikely(ret != LZO_E_OK)) {
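Review bot: The cast in `kmap_atomic((struct page *)handle)` depends on an invariant that is not written down anywhere in the hunk: for entries flagged ZRAM_UNCOMPRESSED the handle field holds a page pointer rather than a zsmalloc handle. Confusing the two is the type confusion the commit message describes, and it ends with an unrelated page being copied into `mem`, so the invariant is worth stating at the point of use, for example by replacing the existing comment with `/* Stored uncompressed: handle is a struct page *, not a zsmalloc handle; must not reach zs_map_object() */`. Other places that pass `table[index].handle` to zs_map_object() are not visible here and presumably need the same flag check before the map call. The body of zram_read_before_write starts above and continues below the hunk.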