Date: Fri, 8 May 2026 08:49:33 +0000
X-Mailing-List: linux-kernel@vger.kernel.org
Message-ID: <20260508084933.3730661-1-richardycc@google.com>
Subject: [PATCH v2] zram: fix use-after-free in zram_writeback_endio
From: Richard Chang
To: Minchan Kim, Sergey Senozhatsky, Jens Axboe, Andrew Morton
Cc: bgeffon@google.com, liumartin@google.com, linux-kernel@vger.kernel.org, linux-block@vger.kernel.org, linux-mm@kvack.org, Richard Chang

A crash was observed in zram_writeback_endio due to a NULL pointer
dereference in wake_up. The root cause is a race condition between the
bio completion handler (zram_writeback_endio) and the writeback task.

In zram_writeback_endio, wake_up() is called on &wb_ctl->done_wait after
releasing wb_ctl->done_lock. This creates a race window where the
writeback task can see num_inflight become 0, return, and free wb_ctl
before zram_writeback_endio calls wake_up().

CPU 0 (zram_writeback_endio)                  CPU 1 (writeback_store)
============================                  ============================
                                              zram_writeback_slots
                                              zram_submit_wb_request
                                              zram_submit_wb_request
                                              wait_event(wb_ctl->done_wait)
spin_lock(&wb_ctl->done_lock);
list_add(&req->entry, &wb_ctl->done_reqs);
spin_unlock(&wb_ctl->done_lock);
wake_up(&wb_ctl->done_wait);
                                              zram_complete_done_reqs
spin_lock(&wb_ctl->done_lock);
list_add(&req->entry, &wb_ctl->done_reqs);
spin_unlock(&wb_ctl->done_lock);
                                              while (num_inflight) > 0)
                                              spin_lock(&wb_ctl->done_lock);
                                              list_del(&req->entry);
                                              spin_unlock(&wb_ctl->done_lock);
                                              // num_inflight becomes 0
                                              atomic_dec(num_inflight);
                                              // Leave zram_writeback_slots
                                              // Free wb_ctl
                                              release_wb_ctl(wb_ctl);
// UAF crash!
wake_up(&wb_ctl->done_wait);

This patch fixes this race by using RCU. By protecting wb_ctl with
rcu_read_lock() in zram_writeback_endio and using kfree_rcu() to free
it, we ensure that wb_ctl remains valid during the execution of
zram_writeback_endio.

Fixes: f405066a1f0d ("zram: introduce writeback bio batching")
Suggested-by: Sergey Senozhatsky
Suggested-by: Minchan Kim
Signed-off-by: Richard Chang --- V1 -> V2: use RCU to manage the wb_ctl lifetime drivers/block/zram/zram_drv.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/drivers/block/zram/zram_drv.c b/drivers/block/zram/zram_drv.c index aebc710f0d6a..07111455eecf 100644 --- a/drivers/block/zram/zram_drv.c +++ b/drivers/block/zram/zram_drv.c @@ -33,6 +33,7 @@ #include #include #include +#include #include "zram_drv.h" @@ -504,6 +505,7 @@ struct zram_wb_ctl { wait_queue_head_t done_wait; spinlock_t done_lock; atomic_t num_inflight; + struct rcu_head rcu; }; struct zram_wb_req { @@ -847,7 +849,7 @@ static void release_wb_ctl(struct zram_wb_ctl *wb_ctl) release_wb_req(req); } - kfree(wb_ctl); + kfree_rcu(wb_ctl, rcu); } static struct zram_wb_ctl *init_wb_ctl(struct zram *zram) @@ -964,11 +966,13 @@ static void zram_writeback_endio(struct bio *bio) struct zram_wb_ctl *wb_ctl = bio->bi_private; unsigned long flags; + rcu_read_lock(); spin_lock_irqsave(&wb_ctl->done_lock, flags); list_add(&req->entry, &wb_ctl->done_reqs); spin_unlock_irqrestore(&wb_ctl->done_lock, flags); wake_up(&wb_ctl->done_wait); + rcu_read_unlock(); } static void zram_submit_wb_request(struct zram *zram, -- 2.54.0.563.g4f69b47b94-goog
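Review bot: the added #include in the first hunk has lost its header name in this rendering of the patch, so the review cannot confirm what is being included; the header that declares rcu_read_lock()/rcu_read_unlock() and kfree_rcu() is <linux/rcupdate.h>, and that is what this line should read as.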
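Review bot: in the release_wb_ctl() hunk, kfree_rcu(wb_ctl, rcu) defers only the freeing of the wb_ctl structure; the release_wb_req(req) calls just above it still free the request objects synchronously. That is sufficient for this race because, after spin_unlock_irqrestore(), the endio path touches only wb_ctl->done_wait and not req, but the commit message should state that assumption explicitly so a later change to zram_writeback_endio() does not silently break it. It is also worth noting in the message that release_wb_ctl() now returns before the memory is actually freed, so no caller may rely on a synchronous release.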
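Review bot: the rcu_read_lock()/rcu_read_unlock() pair in the zram_writeback_endio() hunk needs a comment saying what it protects, namely the lifetime of wb_ctl against release_wb_ctl()'s kfree_rcu() in the window between spin_unlock_irqrestore() and wake_up(&wb_ctl->done_wait). Without it the pair looks redundant next to a spinlock and is an easy target for a future cleanup that would reintroduce the use-after-free this patch fixes.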
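Added example (not part of the patch or of the zram driver): a single-threaded C model that replays the interleaving from the commit message under both lifetime policies, plain kfree() versus kfree_rcu() with the completion handler inside rcu_read_lock(). The struct and function names are simplified stand-ins for the kernel's, and the freed, free_pending and rcu_readers fields are bookkeeping constructed for the model, not kernel state.

```c
#include <stdbool.h>

/* Constructed stand-in for struct zram_wb_ctl: just enough state to replay the race. */
struct wb_ctl {
    int num_inflight;   /* atomic_t num_inflight */
    int done_reqs;      /* length of the done_reqs list */
    int rcu_readers;    /* open rcu_read_lock() sections (model bookkeeping only) */
    bool free_pending;  /* kfree_rcu() called, waiting for a grace period */
    bool freed;         /* memory returned; any access after this point is a UAF */
};
struct race_result { bool uaf; bool freed_at_end; };

/* A grace period can only end once every reader has left its rcu_read_lock() section. */
static void maybe_end_grace_period(struct wb_ctl *c)
{
    if (c->free_pending && c->rcu_readers == 0)
        c->freed = true;
}

/* release_wb_ctl(): kfree() frees immediately, kfree_rcu() defers to a grace period. */
static void release_wb_ctl(struct wb_ctl *c, bool use_rcu)
{
    if (use_rcu) {
        c->free_pending = true;
        maybe_end_grace_period(c);
    } else {
        c->freed = true;
    }
}

/* Replays the commit-message interleaving: endio queues the request and drops done_lock,
 * the writeback task consumes it and releases wb_ctl, and only then does endio wake_up(). */
static struct race_result run_race(bool use_rcu)
{
    struct wb_ctl ctl = { .num_inflight = 1 };
    struct race_result r = { false, false };
    if (use_rcu) ctl.rcu_readers++;        /* CPU 0: rcu_read_lock() */
    ctl.done_reqs++;                       /* CPU 0: list_add() under done_lock, then unlock */
    ctl.done_reqs--;                       /* CPU 1: list_del() under done_lock */
    if (--ctl.num_inflight == 0)           /* CPU 1: atomic_dec(), leaves zram_writeback_slots */
        release_wb_ctl(&ctl, use_rcu);     /* CPU 1: release_wb_ctl() */
    r.uaf = ctl.freed;                     /* CPU 0: wake_up(&wb_ctl->done_wait) touches wb_ctl */
    if (use_rcu) {
        ctl.rcu_readers--;                 /* CPU 0: rcu_read_unlock() */
        maybe_end_grace_period(&ctl);      /* the deferred kfree_rcu() completes here */
    }
    r.freed_at_end = ctl.freed;
    return r;
}
```

With plain kfree() the model reports the use-after-free; with kfree_rcu() the wake_up() sees live memory and the object is still freed once the read-side section ends.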