From: Cunlong Li <shenxiaogll@gmail.com>
To: Minchan Kim <minchan@kernel.org>,
Sergey Senozhatsky <senozhatsky@chromium.org>,
Jens Axboe <axboe@kernel.dk>,
Andrew Morton <akpm@linux-foundation.org>,
Yisheng Xie <xieyisheng1@huawei.com>
Cc: Christoph Hellwig <hch@lst.de>,
linux-block@vger.kernel.org, linux-mm@kvack.org,
linux-kernel@vger.kernel.org, stable@vger.kernel.org
Subject: Re: [PATCH v3 0/2] zram: fix UAF in zram_bvec_write_partial() and drop dead bio plumbing
Date: Thu, 28 May 2026 12:41:11 +0800
Message-ID: <ahfHZs0j2Zzpp/aq@debian>
In-Reply-To: <20260528-zram-v3-0-cab86eef8764@gmail.com>
On Thu, May 28, 2026 at 10:48:43AM +0800, Cunlong Li wrote:
> Patch 1 fixes a use-after-free in zram_bvec_write_partial() that
> happens on PAGE_SIZE > 4K configurations when a partial write hits a
> ZRAM_WB slot.
>
> Patch 2 is a follow-up cleanup that drops the now-unused bio parameter
> from zram_bvec_write_partial() and zram_bvec_write(), no functional
> change.
>
> Patch 1 is tagged for stable; patch 2 is not.
>
> Signed-off-by: Cunlong Li <shenxiaogll@gmail.com>
> ---
> Changes in v3:
> - Update Fixes: tag to 8e654f8fbff5 ("zram: read page from backing
> device") per Christoph.
> - Link to v2: https://lore.kernel.org/r/20260527-zram-v2-0-2fb84b054b5c@gmail.com
>
> Changes in v2:
> - Add patch 2: drop the now-unused bio parameter from
> zram_bvec_write_partial() and zram_bvec_write(), per Sergey's
> suggestion on v1.
> - Link to v1: https://lore.kernel.org/r/20260527-zram-v1-1-ce1acb2bfaf9@gmail.com
>
> ---
> Cunlong Li (2):
> zram: fix use-after-free in zram_bvec_write_partial()
> zram: drop unused bio parameter from write helpers
>
> drivers/block/zram/zram_drv.c | 10 +++++-----
> 1 file changed, 5 insertions(+), 5 deletions(-)
> ---
> base-commit: e8c2f9fdadee7cbc75134dc463c1e0d856d6e5c7
> change-id: 20260526-zram-b01425b7e6c6
>
> Best regards,
> --
> Cunlong Li <shenxiaogll@gmail.com>
>
Test results for reference:

Tested on arm64 16K-page QEMU (Apple M4, HVF) with KASAN enabled,
kernel v7.1-rc5 (base-commit e8c2f9fdadee). zram0 backed by a loop
file on ext4, fio bs=4k randrw (4 jobs, 120s) against ext4-on-zram0
with a parallel loop triggering idle writeback.

Without the fix, KASAN fires within seconds:

  BUG: KASAN: use-after-free in copy_folio_from_iter_atomic+0x830/0x18e8
  Read of size 16384 at addr ffff8000d1168000 by task kworker/u16:4/321
  Workqueue: loop0 loop_rootcg_workfn
  Call trace:
   memcpy+0x3c/0x9c
   copy_folio_from_iter_atomic+0x830/0x18e8
   generic_perform_write+0x308/0x558
   ext4_buffered_write_iter+0x140/0x438
   ext4_file_write_iter+0x868/0x1004
   lo_rw_aio.isra.0+0x838/0xc94
   loop_process_work+0x2f8/0xdf0
   loop_rootcg_workfn+0x20/0x2c
   process_one_work+0x560/0xc10
  page: refcount:0 mapcount:0

The async backing-device read bio still references the page after
zram_bvec_write_partial() freed it; the loop worker then writes
into freed memory.

With the series applied, the same workload runs clean for two
minutes with no KASAN reports.
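The lifetime bug the report above describes, as an added userspace model that is not the zram driver's code and not the patch in this thread (which this page does not show): a submitter hands a page to an asynchronous bio, drops its own reference before the bio completes, and the worker that later services the bio touches memory that has already gone back to the allocator. Every name here (model_page, model_bio, worker_run, model_partial_write_*) is hypothetical; "freed" is tracked with a poison flag so the access can be counted the way KASAN would flag it, and the fixed shape pins the page with a reference owned by the bio, which is one way to keep it alive until completion, not a statement about how the real fix works.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical model of "bio still references a page its submitter freed". */
#define MODEL_PAGE_SIZE 64
#define MAX_PENDING 8

struct model_page {
    int refcount;                 /* owners still holding the page */
    int freed;                    /* set when the last reference is dropped */
    unsigned char data[MODEL_PAGE_SIZE];
};

/* A queued async read: it will copy the page's contents out later. */
struct model_bio {
    struct model_page *page;
    void (*end_io)(struct model_bio *bio);
};

static struct model_bio *pending[MAX_PENDING];
static int npending;
static int uaf_hits;              /* stands in for a KASAN report */

static struct model_page *page_alloc(void)
{
    struct model_page *p = calloc(1, sizeof(*p));
    if (!p)
        abort();
    p->refcount = 1;
    return p;
}

/* Drop a reference; at zero, poison instead of free() so the worker can
 * still inspect the page and report the access. */
static void page_put(struct model_page *p)
{
    if (--p->refcount == 0) {
        p->freed = 1;
        memset(p->data, 0xAA, sizeof(p->data));
    }
}

/* Queue an async read of @page; completion runs later from worker_run(),
 * like a loop-device worker servicing the bio after submit returned. */
static void submit_read_async(struct model_page *page,
                              void (*end_io)(struct model_bio *))
{
    struct model_bio *bio = calloc(1, sizeof(*bio));
    if (!bio)
        abort();
    bio->page = page;
    bio->end_io = end_io;
    pending[npending++] = bio;
}

/* The "worker": copies each queued page out (a read of the page, which is
 * the access KASAN flagged in the trace above), then completes the bio. */
static void worker_run(void)
{
    unsigned char scratch[MODEL_PAGE_SIZE];

    for (int i = 0; i < npending; i++) {
        struct model_bio *bio = pending[i];
        if (bio->page->freed)
            uaf_hits++;           /* touching memory the submitter released */
        memcpy(scratch, bio->page->data, MODEL_PAGE_SIZE);
        if (bio->end_io)
            bio->end_io(bio);
        free(bio);
    }
    npending = 0;
}

/* Buggy shape: submit the read, release the page as if the read were already
 * done, and let the worker run afterwards. Returns the number of UAF hits. */
int model_partial_write_buggy(void)
{
    struct model_page *page = page_alloc();
    uaf_hits = 0;
    submit_read_async(page, NULL);
    page_put(page);               /* page "freed" while the bio is still queued */
    worker_run();                 /* worker reads the freed page: 1 hit */
    free(page);
    return uaf_hits;
}

static void end_io_put(struct model_bio *bio)
{
    page_put(bio->page);          /* the bio drops the reference it was given */
}

/* Fixed shape: the bio owns a reference, so the page outlives the submitter's
 * put and is released only from the completion. Returns the number of hits. */
int model_partial_write_fixed(void)
{
    struct model_page *page = page_alloc();
    uaf_hits = 0;
    page->refcount++;             /* reference handed to the bio */
    submit_read_async(page, end_io_put);
    page_put(page);               /* submitter's reference; page still alive */
    worker_run();                 /* worker reads a live page, then puts it */
    int hits = uaf_hits;
    free(page);
    return hits;
}

int main(void)
{
    printf("buggy: %d hit(s), fixed: %d hit(s)\n",
           model_partial_write_buggy(), model_partial_write_fixed());
    return 0;
}
```

The point the model makes is the one the trace makes: whoever submits an asynchronous bio must not release the pages it carries until the completion has run, whether that is done by holding a reference for the bio, by waiting synchronously, or by some other means; a refcount of zero on a page the worker is still reading is exactly what the "page: refcount:0" line in the report shows.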
Thread overview (4+ messages):
2026-05-28 2:48 [PATCH v3 0/2] zram: fix UAF in zram_bvec_write_partial() and drop dead bio plumbing Cunlong Li
2026-05-28 2:48 ` [PATCH v3 1/2] zram: fix use-after-free in zram_bvec_write_partial() Cunlong Li
2026-05-28 2:48 ` [PATCH v3 2/2] zram: drop unused bio parameter from write helpers Cunlong Li
2026-05-28 4:41 ` Cunlong Li [this message]