Re: [PATCH] Re:[PATCH v3] zram: fix use-after-free in zram_writeback_endio
From: Minchan Kim
Date: Thu May 14 2026 - 18:02:47 EST
On Wed, May 13, 2026 at 10:02:18PM +0800, wang wei wrote:
> >@@ -847,7 +849,7 @@ static void release_wb_ctl(struct zram_wb_ctl *wb_ctl)
> > release_wb_req(req);
> > }
> >
> >- kfree(wb_ctl);
> >+ kfree_rcu(wb_ctl, rcu);
> > }
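Review bot: kfree_rcu(wb_ctl, rcu) defers only the container; the loop right above it still calls release_wb_req(req) synchronously, so if zram_writeback_endio reaches any per-request object through the wb_ctl it got from bio->bi_private, that access is still outside the grace period's protection. The deferral also only helps if every endio access is bracketed by rcu_read_lock()/rcu_read_unlock(); please say in the commit message where that read-side section lives and that struct zram_wb_ctl now carries the `rcu` head named as the second argument, since neither is visible in this hunk.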
>
> Do we need to add a 'rcu_assign_pointer(wb_ctl, NULL);' before 'kfree_rcu(wb_ctl, rcu)'?
>
> Signed-off-by: wang wei <a929244872@xxxxxxx>
Why do we need it?
My understanding is that rcu_assign_pointer() is typically used to publish NULL to
a shared pointer variable so that future RCU readers (using rcu_dereference())
won't access the object before kfree_rcu().
However, in our case, wb_ctl is not stored in any shared pointer variable.
It is a local variable in writeback_store() and RCU readers (zram_writeback_endio)
do not look up wb_ctl from a shared pointer. They obtain it directly from
bio->bi_private of the specific bio they are completing.
Please let me know if I missed anything.
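The distinction drawn above (a reader that looks an object up through a shared pointer versus a reader that already holds its own copy in bio->bi_private) can be exercised in a small userspace model. The following is an added illustration, not zram or Linux kernel code: the grace period is emulated with a reader counter and a deferred-free list, "freeing" just sets a flag so the freed object can be inspected safely, struct bio is reduced to its bi_private field, and every *_toy name is invented for this model.

```c
/*
 * Toy userspace model of the RCU publication rule discussed in the thread.
 * Added example, not kernel code. Assumptions: single-threaded, a grace
 * period is "no reader inside rcu_read_lock()", and kfree marks an object
 * freed instead of returning it to the allocator so it can be inspected.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

struct ctl {
	bool freed;              /* set when the toy grace period frees it */
	struct ctl *rcu_next;    /* stands in for struct rcu_head rcu */
};

/* --- toy RCU ------------------------------------------------------- */
static int readers;              /* readers inside a read-side section */
static struct ctl *deferred;     /* objects handed to kfree_rcu() */

static void rcu_read_lock_toy(void)   { readers++; }
static void rcu_read_unlock_toy(void) { readers--; }

static void kfree_rcu_toy(struct ctl *p)
{
	p->rcu_next = deferred;
	deferred = p;
}

/*
 * Grace period: free queued objects once no reader is inside a critical
 * section. Readers that start after the object was queued get no
 * protection, which is why a *shared* pointer must be NULLed first.
 */
static int grace_period_toy(void)
{
	int n = 0;
	if (readers > 0)
		return 0;
	while (deferred) {
		struct ctl *p = deferred;
		deferred = p->rcu_next;
		p->freed = true;
		n++;
	}
	return n;
}

/* --- case 1: readers find the object through a shared pointer ------ */
static struct ctl *shared_ctl;   /* what rcu_dereference() would read */

/* A reader arriving after teardown; returns true on use-after-free. */
static bool late_reader_via_shared(void)
{
	bool uaf = false;
	rcu_read_lock_toy();
	struct ctl *p = shared_ctl;  /* rcu_dereference(shared_ctl) */
	if (p)
		uaf = p->freed;
	rcu_read_unlock_toy();
	return uaf;
}

bool shared_pointer_case(bool publish_null_first)
{
	static struct ctl obj;
	obj.freed = false;
	shared_ctl = &obj;           /* rcu_assign_pointer(shared_ctl, &obj) */
	if (publish_null_first)
		shared_ctl = NULL;   /* rcu_assign_pointer(shared_ctl, NULL) */
	kfree_rcu_toy(&obj);
	grace_period_toy();          /* nobody reading: obj is freed now */
	return late_reader_via_shared();
}

/* --- case 2: the only reader already holds a private copy ---------- */
struct bio_toy { struct ctl *bi_private; };

/* The endio of one specific bio; returns true on use-after-free. */
static bool endio_via_private(struct bio_toy *bio)
{
	return bio->bi_private->freed;
}

bool private_handoff_case(void)
{
	static struct ctl obj;
	struct ctl *wb_ctl = &obj;   /* local, as in writeback_store() */
	struct bio_toy bio = { .bi_private = wb_ctl };
	obj.freed = false;

	rcu_read_lock_toy();         /* endio is already running */
	kfree_rcu_toy(wb_ctl);       /* release_wb_ctl(): kfree_rcu(wb_ctl, rcu) */
	wb_ctl = NULL;               /* the proposed NULLing of the local: endio never reads it */
	(void)wb_ctl;
	grace_period_toy();          /* deferred: the reader is still inside */
	bool uaf = endio_via_private(&bio);
	rcu_read_unlock_toy();
	grace_period_toy();          /* now obj is actually freed */
	return uaf || !obj.freed;    /* false: no UAF, and freed afterwards */
}

int main(void)
{
	printf("shared pointer, no NULL publish: uaf=%d\n", shared_pointer_case(false));
	printf("shared pointer, NULL published:  uaf=%d\n", shared_pointer_case(true));
	printf("private handoff via bi_private:  uaf=%d\n", private_handoff_case());
	return 0;
}
```

The first case reproduces the situation rcu_assign_pointer(..., NULL) exists for: a reader that starts after kfree_rcu() can still load the stale shared pointer. In the second case there is no shared variable to clear; the endio reaches the object only through its own bio, so the grace period alone is what keeps the object alive until that reader leaves its critical section.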