linux-crypto.vger.kernel.org archive mirror
* [PATCH] crypto: zstd - fix double-free in per-CPU stream cleanup
@ 2025-11-20 16:26 Giovanni Cabiddu
  2025-11-24  9:51 ` Herbert Xu
  0 siblings, 1 reply; 2+ messages in thread
From: Giovanni Cabiddu @ 2025-11-20 16:26 UTC (permalink / raw)
  To: herbert
  Cc: linux-crypto, qat-linux, Giovanni Cabiddu, stable,
	Suman Kumar Chakraborty

The crypto/zstd module has a double-free bug that occurs when multiple
tfms are allocated and freed.

The issue happens because zstd_streams (per-CPU contexts) are freed in
zstd_exit() during every tfm destruction, rather than being managed at
the module level.  When multiple tfms exist, each tfm exit attempts to
free the same shared per-CPU streams, resulting in a double-free.

This leads to a stack trace similar to:

  BUG: Bad page state in process kworker/u16:1  pfn:106fd93
  page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x106fd93
  flags: 0x17ffffc0000000(node=0|zone=2|lastcpupid=0x1fffff)
  page_type: 0xffffffff()
  raw: 0017ffffc0000000 dead000000000100 dead000000000122 0000000000000000
  raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
  page dumped because: nonzero entire_mapcount
  Modules linked in: ...
  CPU: 3 UID: 0 PID: 2506 Comm: kworker/u16:1 Kdump: loaded Tainted: G    B
  Hardware name: ...
  Workqueue: btrfs-delalloc btrfs_work_helper
  Call Trace:
   <TASK>
   dump_stack_lvl+0x5d/0x80
   bad_page+0x71/0xd0
   free_unref_page_prepare+0x24e/0x490
   free_unref_page+0x60/0x170
   crypto_acomp_free_streams+0x5d/0xc0
   crypto_acomp_exit_tfm+0x23/0x50
   crypto_destroy_tfm+0x60/0xc0
   ...

Change the lifecycle management of zstd_streams to free the streams only
once during module cleanup.

Fixes: f5ad93ffb541 ("crypto: zstd - convert to acomp")
Cc: stable@vger.kernel.org
Signed-off-by: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
Reviewed-by: Suman Kumar Chakraborty <suman.kumar.chakraborty@intel.com>
---
 crypto/zstd.c | 7 +------
 1 file changed, 1 insertion(+), 6 deletions(-)

diff --git a/crypto/zstd.c b/crypto/zstd.c
index dc5b36141ff8..cbbd0413751a 100644
--- a/crypto/zstd.c
+++ b/crypto/zstd.c
@@ -75,11 +75,6 @@ static int zstd_init(struct crypto_acomp *acomp_tfm)
 	return ret;
 }
 
-static void zstd_exit(struct crypto_acomp *acomp_tfm)
-{
-	crypto_acomp_free_streams(&zstd_streams);
-}
-
 static int zstd_compress_one(struct acomp_req *req, struct zstd_ctx *ctx,
 			     const void *src, void *dst, unsigned int *dlen)
 {
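Review bot: deleting zstd_exit leaves the acomp tfm with no exit hook at all, which is only safe if zstd_init does nothing per-tfm that needs undoing. The visible context shows only `return ret;` from zstd_init, so verify in the full file that its only side effect is preparing the shared zstd_streams, and that an error return from zstd_init for a second tfm does not tear down streams the first tfm still relies on, since nothing per-tfm will release state any more.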
@@ -297,7 +292,6 @@ static struct acomp_alg zstd_acomp = {
 		.cra_module = THIS_MODULE,
 	},
 	.init = zstd_init,
-	.exit = zstd_exit,
 	.compress = zstd_compress,
 	.decompress = zstd_decompress,
 };
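Review bot: dropping `.exit = zstd_exit,` while keeping `.init = zstd_init,` makes the asymmetry of ownership invisible at the point where the next reader will look. A one-line comment beside `.init = zstd_init,` stating that zstd_streams is module-owned and released in zstd_mod_fini, not per tfm, would keep someone from re-adding an exit callback that frees the shared table and reintroducing the double-free the commit message describes.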
@@ -310,6 +304,7 @@ static int __init zstd_mod_init(void)
 static void __exit zstd_mod_fini(void)
 {
 	crypto_unregister_acomp(&zstd_acomp);
+	crypto_acomp_free_streams(&zstd_streams);
 }
 
 module_init(zstd_mod_init);
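Review bot: the ordering in zstd_mod_fini is right: crypto_unregister_acomp first so no new tfm can be allocated, then crypto_acomp_free_streams once. Two things to confirm since this is now the only free call and it runs unconditionally: that crypto_acomp_free_streams tolerates zstd_streams never having been allocated (module loaded and unloaded without any tfm ever being created), and that `.cra_module = THIS_MODULE` in the context above is what guarantees no live tfm can still reference zstd_streams when zstd_mod_fini runs.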

base-commit: 8faa5c4b47998c5930314a3bb8ee53534cfdc1ce
-- 
2.51.1


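The ownership mistake the patch fixes (per-instance exit freeing a resource that is shared by all instances) is easy to reproduce outside the kernel. The following is an added, constructed user-space model, not code from crypto/zstd.c or the kernel's acomp API: the names shared_streams, tfm_init, tfm_exit_buggy and mod_fini are hypothetical stand-ins for zstd_streams, zstd_init, zstd_exit and zstd_mod_fini. The tracking allocator counts frees of the shared table so a second free is reported rather than corrupting the heap the way the real bug produced "Bad page state".

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model (not kernel code): one table of per-CPU streams owned
 * by the "module", used by every tfm handle that is created. */
#define MODEL_NR_CPUS 4

struct model_stream {
	void *wksp;
};

struct model_stream_table {
	struct model_stream *per_cpu[MODEL_NR_CPUS];
	int allocated;
};

struct model_result {
	int free_calls;   /* how often the table was handed to streams_free() */
	int double_frees; /* frees of a table that was already freed */
	int uaf_window;   /* a still-live tfm saw its streams freed under it */
};

static struct model_stream_table shared_streams; /* stand-in for zstd_streams */
static struct model_result stats;

static void *xalloc(size_t n)
{
	void *p = calloc(1, n);

	if (!p)
		abort();
	return p;
}

/* Idempotent: the first tfm allocates, later tfms find the table in place. */
static int streams_alloc(struct model_stream_table *t)
{
	int i;

	if (t->allocated)
		return 0;
	for (i = 0; i < MODEL_NR_CPUS; i++) {
		t->per_cpu[i] = xalloc(sizeof(*t->per_cpu[i]));
		t->per_cpu[i]->wksp = xalloc(64);
	}
	t->allocated = 1;
	return 0;
}

static void streams_free(struct model_stream_table *t)
{
	int i;

	stats.free_calls++;
	if (!t->allocated) {
		/* The real allocator has no such guard; this is where the
		 * kernel reported "Bad page state". */
		stats.double_frees++;
		return;
	}
	for (i = 0; i < MODEL_NR_CPUS; i++) {
		free(t->per_cpu[i]->wksp);
		free(t->per_cpu[i]);
		t->per_cpu[i] = NULL;
	}
	t->allocated = 0;
}

struct model_tfm {
	struct model_stream_table *streams;
};

static int tfm_init(struct model_tfm *tfm)
{
	tfm->streams = &shared_streams;
	return streams_alloc(&shared_streams);
}

/* Before the patch: every tfm exit frees state the tfm does not own. */
static void tfm_exit_buggy(struct model_tfm *tfm)
{
	streams_free(tfm->streams);
}

/* After the patch: there is no tfm exit hook; module fini frees once. */
static void mod_fini(void)
{
	streams_free(&shared_streams);
}

/* Create two tfms, tear them down buggy or fixed, report what happened. */
static struct model_result run_scenario(int fixed)
{
	struct model_tfm a, b;

	memset(&stats, 0, sizeof(stats));
	memset(&shared_streams, 0, sizeof(shared_streams));
	(void)tfm_init(&a);
	(void)tfm_init(&b); /* b shares a's table */

	if (fixed) {
		mod_fini();
	} else {
		tfm_exit_buggy(&a);
		if (!b.streams->allocated) /* b is live but its streams are gone */
			stats.uaf_window++;
		tfm_exit_buggy(&b); /* second free of the same table */
	}
	return stats;
}

int main(void)
{
	struct model_result r = run_scenario(0);

	printf("buggy: frees=%d double_frees=%d uaf_window=%d\n",
	       r.free_calls, r.double_frees, r.uaf_window);
	r = run_scenario(1);
	printf("fixed: frees=%d double_frees=%d uaf_window=%d\n",
	       r.free_calls, r.double_frees, r.uaf_window);
	return 0;
}
```

The model also shows the second hazard hiding behind the double-free: between the first tfm's exit and the second, the surviving tfm still points at freed streams, so a compress call on it would be a use-after-free even before the second free fires. Moving the single free to module teardown removes both problems because no tfm can outlive the module that owns the table.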

* Re: [PATCH] crypto: zstd - fix double-free in per-CPU stream cleanup
  2025-11-20 16:26 [PATCH] crypto: zstd - fix double-free in per-CPU stream cleanup Giovanni Cabiddu
@ 2025-11-24  9:51 ` Herbert Xu
  0 siblings, 0 replies; 2+ messages in thread
From: Herbert Xu @ 2025-11-24  9:51 UTC (permalink / raw)
  To: Giovanni Cabiddu; +Cc: linux-crypto, qat-linux, stable, Suman Kumar Chakraborty

On Thu, Nov 20, 2025 at 04:26:09PM +0000, Giovanni Cabiddu wrote:
> The crypto/zstd module has a double-free bug that occurs when multiple
> tfms are allocated and freed.
> 
> The issue happens because zstd_streams (per-CPU contexts) are freed in
> zstd_exit() during every tfm destruction, rather than being managed at
> the module level.  When multiple tfms exist, each tfm exit attempts to
> free the same shared per-CPU streams, resulting in a double-free.
> 
> This leads to a stack trace similar to:
> 
>   BUG: Bad page state in process kworker/u16:1  pfn:106fd93
>   page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x106fd93
>   flags: 0x17ffffc0000000(node=0|zone=2|lastcpupid=0x1fffff)
>   page_type: 0xffffffff()
>   raw: 0017ffffc0000000 dead000000000100 dead000000000122 0000000000000000
>   raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
>   page dumped because: nonzero entire_mapcount
>   Modules linked in: ...
>   CPU: 3 UID: 0 PID: 2506 Comm: kworker/u16:1 Kdump: loaded Tainted: G    B
>   Hardware name: ...
>   Workqueue: btrfs-delalloc btrfs_work_helper
>   Call Trace:
>    <TASK>
>    dump_stack_lvl+0x5d/0x80
>    bad_page+0x71/0xd0
>    free_unref_page_prepare+0x24e/0x490
>    free_unref_page+0x60/0x170
>    crypto_acomp_free_streams+0x5d/0xc0
>    crypto_acomp_exit_tfm+0x23/0x50
>    crypto_destroy_tfm+0x60/0xc0
>    ...
> 
> Change the lifecycle management of zstd_streams to free the streams only
> once during module cleanup.
> 
> Fixes: f5ad93ffb541 ("crypto: zstd - convert to acomp")
> Cc: stable@vger.kernel.org
> Signed-off-by: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
> Reviewed-by: Suman Kumar Chakraborty <suman.kumar.chakraborty@intel.com>
> ---
>  crypto/zstd.c | 7 +------
>  1 file changed, 1 insertion(+), 6 deletions(-)

Patch applied.  Thanks.
-- 
Email: Herbert Xu <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
