| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20260209231652.1806289-1-joshua.hahnjy@gmail.com>
Date: Mon, 9 Feb 2026 15:16:52 -0800
From: Joshua Hahn <joshua.hahnjy@...il.com>
To: Joshua Hahn <joshua.hahnjy@...il.com>
Cc: Minchan Kim <minchan@...nel.org>,
Michael Fara <mjfara@...il.com>,
senozhatsky@...omium.org,
linux-mm@...ck.org,
linux-kernel@...r.kernel.org,
akpm@...ux-foundation.org
Subject: Re: [PATCH] mm/zsmalloc: fix NULL pointer dereference in get_next_zpdesc
I just noticed that Minchan wasn't Cc-ed in the patch. Adding him to the
conversation here.
On Mon, 9 Feb 2026 14:50:16 -0800 Joshua Hahn <joshua.hahnjy@...il.com> wrote:
> On Mon, 9 Feb 2026 19:32:57 +0000 Michael Fara <mjfara@...il.com> wrote:
>
> Hello Michael,
>
> I hope you are doing well! Thank you for the patch. I'm not entirely sure if
> the race condition that you note here is correct, and also if this is the
> right fix.
>
> > get_next_zpdesc() calls get_zspage() which unconditionally dereferences
> > zpdesc->zspage without a NULL check. This causes a kernel oops when
> > zpdesc->zspage has been set to NULL by reset_zpdesc() during a race
> > between zspage destruction and page compaction/migration.
[...snip...]
Should we add a Fixes tag here as well?
> > Signed-off-by: Michael Fara <mjfara@...il.com>
> > ---
> > mm/zsmalloc.c | 14 +++++++++++++-
> > 1 file changed, 13 insertions(+), 1 deletion(-)
> >
> > diff --git a/mm/zsmalloc.c b/mm/zsmalloc.c
> > --- a/mm/zsmalloc.c
> > +++ b/mm/zsmalloc.c
> > @@ -735,7 +735,19 @@ static struct zspage *get_zspage(struct zpdesc *zpdesc)
> >
> > static struct zpdesc *get_next_zpdesc(struct zpdesc *zpdesc)
> > {
> > - struct zspage *zspage = get_zspage(zpdesc);
> > + struct zspage *zspage = zpdesc->zspage;
> > +
> > + /*
> > + * If the backpointer is NULL, this zpdesc was already freed via
> > + * reset_zpdesc() by a racing async_free_zspage() while isolated
> > + * for compaction. See the TODO comment in zs_page_migrate().
> > + */
> > + if (unlikely(!zspage)) {
> > + WARN_ON_ONCE(1);
> > + return NULL;
> > + }
> > +
> > + BUG_ON(zspage->magic != ZSPAGE_MAGIC);
> >
> > if (unlikely(ZsHugePage(zspage)))
> > return NULL;
> > --
> > 2.39.0
Powered by blists - more mailing lists