| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAGVVp+VMHxz2OAooS_t=H0tiNM9_C0zm6kn-d0DP_U14km8a8g@mail.gmail.com>
Date: Wed, 10 Sep 2025 11:03:59 +0800
From: Changhui Zhong <czhong@...hat.com>
To: Sergey Senozhatsky <senozhatsky@...omium.org>
Cc: Andrew Morton <akpm@...ux-foundation.org>, Jens Axboe <axboe@...nel.dk>,
Minchan Kim <minchan@...nel.org>, linux-kernel@...r.kernel.org,
linux-block@...r.kernel.org, stable@...r.kernel.org
Subject: Re: [PATCHv2] zram: fix slot write race condition
On Tue, Sep 9, 2025 at 12:52 PM Sergey Senozhatsky
<senozhatsky@...omium.org> wrote:
>
> Parallel concurrent writes to the same zram index result in
> leaked zsmalloc handles. Schematically we can have something
> like this:
>
> CPU0 CPU1
> zram_slot_lock()
> zs_free(handle)
> zram_slot_lock()
> zram_slot_lock()
> zs_free(handle)
> zram_slot_lock()
>
> compress compress
> handle = zs_malloc() handle = zs_malloc()
> zram_slot_lock
> zram_set_handle(handle)
> zram_slot_lock
> zram_slot_lock
> zram_set_handle(handle)
> zram_slot_lock
>
> Either CPU0 or CPU1 zsmalloc handle will leak because zs_free()
> is done too early. In fact, we need to reset zram entry right
> before we set its new handle, all under the same slot lock scope.
>
> Cc: stable@...r.kernel.org
> Reported-by: Changhui Zhong <czhong@...hat.com>
> Closes: https://lore.kernel.org/all/CAGVVp+UtpGoW5WEdEU7uVTtsSCjPN=ksN6EcvyypAtFDOUf30A@mail.gmail.com/
> Fixes: 71268035f5d73 ("zram: free slot memory early during write")
> Signed-off-by: Sergey Senozhatsky <senozhatsky@...omium.org>
> ---
> drivers/block/zram/zram_drv.c | 8 +++-----
> 1 file changed, 3 insertions(+), 5 deletions(-)
>
> diff --git a/drivers/block/zram/zram_drv.c b/drivers/block/zram/zram_drv.c
> index 9ac271b82780..78b56cd7698e 100644
> --- a/drivers/block/zram/zram_drv.c
> +++ b/drivers/block/zram/zram_drv.c
> @@ -1788,6 +1788,7 @@ static int write_same_filled_page(struct zram *zram, unsigned long fill,
> u32 index)
> {
> zram_slot_lock(zram, index);
> + zram_free_page(zram, index);
> zram_set_flag(zram, index, ZRAM_SAME);
> zram_set_handle(zram, index, fill);
> zram_slot_unlock(zram, index);
> @@ -1825,6 +1826,7 @@ static int write_incompressible_page(struct zram *zram, struct page *page,
> kunmap_local(src);
>
> zram_slot_lock(zram, index);
> + zram_free_page(zram, index);
> zram_set_flag(zram, index, ZRAM_HUGE);
> zram_set_handle(zram, index, handle);
> zram_set_obj_size(zram, index, PAGE_SIZE);
> @@ -1848,11 +1850,6 @@ static int zram_write_page(struct zram *zram, struct page *page, u32 index)
> unsigned long element;
> bool same_filled;
>
> - /* First, free memory allocated to this slot (if any) */
> - zram_slot_lock(zram, index);
> - zram_free_page(zram, index);
> - zram_slot_unlock(zram, index);
> -
> mem = kmap_local_page(page);
> same_filled = page_same_filled(mem, &element);
> kunmap_local(mem);
> @@ -1894,6 +1891,7 @@ static int zram_write_page(struct zram *zram, struct page *page, u32 index)
> zcomp_stream_put(zstrm);
>
> zram_slot_lock(zram, index);
> + zram_free_page(zram, index);
> zram_set_handle(zram, index, handle);
> zram_set_obj_size(zram, index, comp_len);
> zram_slot_unlock(zram, index);
> --
> 2.51.0.384.g4c02a37b29-goog
>
Hi, Sergey
Thanks for the patch, I re-ran my test with your patch and confirmed
that your patch fixed this issue.
Tested-by: Changhui Zhong <czhong@...hat.com>
Thanks,
Powered by blists - more mailing lists