Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753939AbbFELMI (ORCPT ); Fri, 5 Jun 2015 07:12:08 -0400 Received: from mail-pa0-f51.google.com ([209.85.220.51]:35780 "EHLO mail-pa0-f51.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752183AbbFELMF (ORCPT ); Fri, 5 Jun 2015 07:12:05 -0400 From: Sergey Senozhatsky To: Andrew Morton , Minchan Kim Cc: linux-mm@kvack.org, linux-kernel@vger.kernel.org, Sergey Senozhatsky , Sergey Senozhatsky Subject: [PATCH] zsmalloc: fix a null pointer dereference in destroy_handle_cache() Date: Fri, 5 Jun 2015 20:11:30 +0900 Message-Id: <1433502690-2524-1-git-send-email-sergey.senozhatsky@gmail.com> X-Mailer: git-send-email 2.4.2.387.gf86f31a Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 998 Lines: 31 zs_destroy_pool()->destroy_handle_cache() invoked from zs_create_pool() can pass a NULL ->handle_cachep pointer to kmem_cache_destroy(), which will dereference it. Signed-off-by: Sergey Senozhatsky --- mm/zsmalloc.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/mm/zsmalloc.c b/mm/zsmalloc.c index 33d5126..c766240 100644 --- a/mm/zsmalloc.c +++ b/mm/zsmalloc.c @@ -285,7 +285,8 @@ static int create_handle_cache(struct zs_pool *pool) static void destroy_handle_cache(struct zs_pool *pool) { - kmem_cache_destroy(pool->handle_cachep); + if (pool->handle_cachep) + kmem_cache_destroy(pool->handle_cachep); } static unsigned long alloc_handle(struct zs_pool *pool) -- 2.4.2.387.gf86f31a
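Review bot: In destroy_handle_cache(), the new `if (pool->handle_cachep)` guard only helps if that field is reliably NULL whenever create_handle_cache() has not run or has failed, and nothing in this hunk shows that; please confirm the pool is zero-allocated in zs_create_pool() and state it in the commit message. The message should also name which failure path in zs_create_pool() reaches zs_destroy_pool() with ->handle_cachep unset, so the fix can be matched to the bug and considered for backporting. A one-line comment above the check, noting that this function can run on a partially constructed pool, would keep the guard from being removed as redundant later.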