From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev,
Giovanni Cabiddu <giovanni.cabiddu@intel.com>,
Suman Kumar Chakraborty <suman.kumar.chakraborty@intel.com>,
Herbert Xu <herbert@gondor.apana.org.au>
Subject: [PATCH 6.18 06/29] crypto: zstd - fix double-free in per-CPU stream cleanup
Date: Wed, 10 Dec 2025 16:30:16 +0900 [thread overview]
Message-ID: <20251210072944.542909790@linuxfoundation.org> (raw)
In-Reply-To: <20251210072944.363788552@linuxfoundation.org>
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
commit 48bc9da3c97c15f1ea24934bcb3b736acd30163d upstream.
The crypto/zstd module has a double-free bug that occurs when multiple
tfms are allocated and freed.
The issue happens because zstd_streams (per-CPU contexts) are freed in
zstd_exit() during every tfm destruction, rather than being managed at
the module level. When multiple tfms exist, each tfm exit attempts to
free the same shared per-CPU streams, resulting in a double-free.
This leads to a stack trace similar to:
BUG: Bad page state in process kworker/u16:1 pfn:106fd93
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x106fd93
flags: 0x17ffffc0000000(node=0|zone=2|lastcpupid=0x1fffff)
page_type: 0xffffffff()
raw: 0017ffffc0000000 dead000000000100 dead000000000122 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: nonzero entire_mapcount
Modules linked in: ...
CPU: 3 UID: 0 PID: 2506 Comm: kworker/u16:1 Kdump: loaded Tainted: G B
Hardware name: ...
Workqueue: btrfs-delalloc btrfs_work_helper
Call Trace:
<TASK>
dump_stack_lvl+0x5d/0x80
bad_page+0x71/0xd0
free_unref_page_prepare+0x24e/0x490
free_unref_page+0x60/0x170
crypto_acomp_free_streams+0x5d/0xc0
crypto_acomp_exit_tfm+0x23/0x50
crypto_destroy_tfm+0x60/0xc0
...
Change the lifecycle management of zstd_streams to free the streams only
once during module cleanup.
Fixes: f5ad93ffb541 ("crypto: zstd - convert to acomp")
Cc: stable@vger.kernel.org
Signed-off-by: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
Reviewed-by: Suman Kumar Chakraborty <suman.kumar.chakraborty@intel.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
crypto/zstd.c | 7 +------
1 file changed, 1 insertion(+), 6 deletions(-)
--- a/crypto/zstd.c
+++ b/crypto/zstd.c
@@ -75,11 +75,6 @@ static int zstd_init(struct crypto_acomp
return ret;
}
-static void zstd_exit(struct crypto_acomp *acomp_tfm)
-{
- crypto_acomp_free_streams(&zstd_streams);
-}
-
static int zstd_compress_one(struct acomp_req *req, struct zstd_ctx *ctx,
const void *src, void *dst, unsigned int *dlen)
{
@@ -297,7 +292,6 @@ static struct acomp_alg zstd_acomp = {
.cra_module = THIS_MODULE,
},
.init = zstd_init,
- .exit = zstd_exit,
.compress = zstd_compress,
.decompress = zstd_decompress,
};
@@ -310,6 +304,7 @@ static int __init zstd_mod_init(void)
static void __exit zstd_mod_fini(void)
{
crypto_unregister_acomp(&zstd_acomp);
+ crypto_acomp_free_streams(&zstd_streams);
}
module_init(zstd_mod_init);
next prev parent reply other threads:[~2025-12-10 7:36 UTC|newest]
Thread overview: 43+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-12-10 7:30 [PATCH 6.18 00/29] 6.18.1-rc1 review Greg Kroah-Hartman
2025-12-10 7:30 ` [PATCH 6.18 01/29] Documentation: process: Also mention Sasha Levin as stable tree maintainer Greg Kroah-Hartman
2025-12-10 7:30 ` [PATCH 6.18 02/29] jbd2: avoid bug_on in jbd2_journal_get_create_access() when file system corrupted Greg Kroah-Hartman
2025-12-10 7:30 ` [PATCH 6.18 03/29] ext4: refresh inline data size before write operations Greg Kroah-Hartman
2025-12-10 7:30 ` [PATCH 6.18 04/29] ksmbd: ipc: fix use-after-free in ipc_msg_send_request Greg Kroah-Hartman
2025-12-10 7:30 ` [PATCH 6.18 05/29] locking/spinlock/debug: Fix data-race in do_raw_write_lock Greg Kroah-Hartman
2025-12-10 7:30 ` Greg Kroah-Hartman [this message]
2025-12-10 7:30 ` [PATCH 6.18 07/29] ext4: add i_data_sem protection in ext4_destroy_inline_data_nolock() Greg Kroah-Hartman
2025-12-10 7:30 ` [PATCH 6.18 08/29] rust_binder: fix race condition on death_list Greg Kroah-Hartman
2025-12-10 7:30 ` [PATCH 6.18 09/29] comedi: pcl818: fix null-ptr-deref in pcl818_ai_cancel() Greg Kroah-Hartman
2025-12-10 7:30 ` [PATCH 6.18 10/29] KVM: SVM: Dont skip unrelated instruction if INT3/INTO is replaced Greg Kroah-Hartman
2025-12-10 7:30 ` [PATCH 6.18 11/29] USB: serial: option: add Foxconn T99W760 Greg Kroah-Hartman
2025-12-10 7:30 ` [PATCH 6.18 12/29] USB: serial: option: add Telit Cinterion FE910C04 new compositions Greg Kroah-Hartman
2025-12-10 7:30 ` [PATCH 6.18 13/29] USB: serial: option: move Telit 0x10c7 composition in the right place Greg Kroah-Hartman
2025-12-10 7:30 ` [PATCH 6.18 14/29] USB: serial: ftdi_sio: match on interface number for jtag Greg Kroah-Hartman
2025-12-10 7:30 ` [PATCH 6.18 15/29] serial: add support of CPCI cards Greg Kroah-Hartman
2025-12-10 7:30 ` [PATCH 6.18 16/29] dt-bindings: serial: rsci: Drop "uart-has-rtscts: false" Greg Kroah-Hartman
2025-12-10 7:30 ` [PATCH 6.18 17/29] serial: sh-sci: Fix deadlock during RSCI FIFO overrun error Greg Kroah-Hartman
2025-12-10 7:30 ` [PATCH 6.18 18/29] USB: serial: belkin_sa: fix TIOCMBIS and TIOCMBIC Greg Kroah-Hartman
2025-12-10 7:30 ` [PATCH 6.18 19/29] USB: serial: kobil_sct: " Greg Kroah-Hartman
2025-12-10 7:30 ` [PATCH 6.18 20/29] Documentation/rtla: rename common_xxx.rst files to common_xxx.txt Greg Kroah-Hartman
2025-12-10 7:30 ` [PATCH 6.18 21/29] wifi: rtl8xxxu: Add USB ID 2001:3328 for D-Link AN3U rev. A1 Greg Kroah-Hartman
2025-12-10 7:30 ` [PATCH 6.18 22/29] wifi: rtw88: Add USB ID 2001:3329 for D-Link AC13U " Greg Kroah-Hartman
2025-12-10 7:30 ` [PATCH 6.18 23/29] iio: adc: ad4080: fix chip identification Greg Kroah-Hartman
2025-12-10 7:30 ` [PATCH 6.18 24/29] comedi: c6xdigio: Fix invalid PNP driver unregistration Greg Kroah-Hartman
2025-12-10 7:30 ` [PATCH 6.18 25/29] comedi: multiq3: sanitize config options in multiq3_attach() Greg Kroah-Hartman
2025-12-10 7:30 ` [PATCH 6.18 26/29] comedi: check devices attached status in compat ioctls Greg Kroah-Hartman
2025-12-10 7:30 ` [PATCH 6.18 27/29] staging: rtl8723bs: fix out-of-bounds read in rtw_get_ie() parser Greg Kroah-Hartman
2025-12-10 7:30 ` [PATCH 6.18 28/29] staging: rtl8723bs: fix stack buffer overflow in OnAssocReq IE parsing Greg Kroah-Hartman
2025-12-10 7:30 ` [PATCH 6.18 29/29] staging: rtl8723bs: fix out-of-bounds read in OnBeacon ESR " Greg Kroah-Hartman
2025-12-10 10:15 ` [PATCH 6.18 00/29] 6.18.1-rc1 review Brett A C Sheffield
2025-12-10 12:17 ` Takeshi Ogasawara
2025-12-10 13:18 ` Jeffrin Thalakkottoor
2025-12-10 14:01 ` Achill Gilgenast
2025-12-10 14:32 ` Peter Schneider
2025-12-10 19:42 ` Florian Fainelli
2025-12-10 21:02 ` Dileep malepu
2025-12-10 21:49 ` Ronald Warsow
2025-12-10 20:43 ` Hardik Garg
2025-12-10 21:54 ` Ron Economos
2025-12-11 6:44 ` Naresh Kamboju
2025-12-11 9:02 ` Mark Brown
2025-12-12 9:25 ` Jon Hunter
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20251210072944.542909790@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=giovanni.cabiddu@intel.com \
--cc=herbert@gondor.apana.org.au \
--cc=patches@lists.linux.dev \
--cc=stable@vger.kernel.org \
--cc=suman.kumar.chakraborty@intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).