Re: [PATCH v2 1/2] zram: fix use-after-free in zram_bvec_write_partial()

Next message: Steven Rostedt: "Re: [PATCH v2] perf/ftrace: Fix WARNING in __unregister_ftrace_function"
Previous message: Thorsten Blum: "[PATCH] crypto: powerpc/aes - use min in ppc_{ecb,cbc,ctr,xts}_crypt"
In reply to: Christoph Hellwig: "Re: [PATCH v2 1/2] zram: fix use-after-free in zram_bvec_write_partial()"
Next in thread: Cunlong Li: "[PATCH v2 2/2] zram: drop unused bio parameter from write helpers"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Cunlong Li

Date: Wed May 27 2026 - 10:20:47 EST

On Wed, May 27, 2026 at 09:24:14AM +0200, Christoph Hellwig wrote:
> On Wed, May 27, 2026 at 12:49:24PM +0800, Cunlong Li wrote:
> > zram_read_page() picks the sync or async backing device read path
> > based on whether the parent bio is NULL. zram_bvec_write_partial()
> > passes its parent bio down, so for ZRAM_WB slots the read is
> > dispatched asynchronously and zram_read_page() returns 0 while the
> > bio is still in flight. The caller then runs memcpy_from_bvec(),
> > zram_write_page() and __free_page() on the buffer, leaving the
> > async read to write into a freed page.
> >
> > zram_bvec_read_partial() was switched to NULL in commit 4e3c87b9421d
> > ("zram: fix synchronous reads") for the same reason; the
> > write_partial counterpart was missed.
> >
> > Fixes: 4e3c87b9421d ("zram: fix synchronous reads")
>
> That's just the last patch touching the line. This bio chaining goes
> further back. AFAICS all the way to introducing backing device support
> in: 8e654f8fbff5 ("zram: read page from backing device")

You're right, thanks for catching this -- will fix in v3 with:

Fixes: 8e654f8fbff5 ("zram: read page from backing device")

>
> The patch itself looks good, though:
>
> Reviewed-by: Christoph Hellwig <hch@xxxxxx>