On 25/08/05 07:22PM, Sergey Senozhatsky wrote:
> On (25/08/03 02:25), Seyediman Seyedarab wrote:
> > Temporarily add a NULL check in zcomp_available_show() to prevent the
> > crash. The use-after-free issue requires a more comprehensive fix using
> > proper reference counting to ensure the zram structure isn't freed while
> > still in use.
>
> Not without a reproducer, sorry. Per my limited experience, attempts
> to fix syzkaller reports w/o reproducers often lead to regressions or
> just more problems.

It can be reproduced with the following code:

#include <stdlib.h>
#include <stdio.h>
#include <fcntl.h>
#include <unistd.h>

int main(void)
{
	int hot_remove_fd, comp_alg_fd, disksize_fd;
	char buf[256];
	ssize_t n;

	system("modprobe -r zram");
	system("modprobe zram");

	/* Give zram0 a disksize so the device is fully initialised. */
	disksize_fd = open("/sys/block/zram0/disksize", O_WRONLY);
	if (disksize_fd >= 0) {
		write(disksize_fd, "1073741824", 10);
		close(disksize_fd);
	}

	hot_remove_fd = open("/sys/class/zram-control/hot_remove", O_WRONLY);
	comp_alg_fd = open("/sys/block/zram0/comp_algorithm", O_RDONLY);
	if (hot_remove_fd < 0 || comp_alg_fd < 0) {
		perror("open");
		return 1;
	}

	/* Remove zram0 while the comp_algorithm attribute is still open. */
	write(hot_remove_fd, "0", 1);

	/* Keep reading the attribute of the removed device. */
	for (int i = 0; i < 1000000; i++) {
		lseek(comp_alg_fd, 0, SEEK_SET);
		n = read(comp_alg_fd, buf, sizeof(buf) - 1);
		if (n <= 0)
			continue;
		buf[n] = '\0';	/* read() does not NUL-terminate the buffer */
		printf("comp_algorithm: %s", buf);
	}

	return 0;
}

Which produces corrupted output sometimes. (it's a race condition, so it
doesn't happen all the time...)