cve/published/2025/CVE-2025-21693.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-1.0.0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@kernel.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2025-21693: mm: zswap: properly synchronize freeing resources during CPU hotunplug

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 mm: zswap: properly synchronize freeing resources during CPU hotunplug

 In zswap_compress() and zswap_decompress(), the per-CPU acomp_ctx of the
 current CPU at the beginning of the operation is retrieved and used
 throughout.  However, since neither preemption nor migration are disabled,
 it is possible that the operation continues on a different CPU.

 If the original CPU is hotunplugged while the acomp_ctx is still in use,
 we run into a UAF bug as some of the resources attached to the acomp_ctx
 are freed during hotunplug in zswap_cpu_comp_dead() (i.e.
 acomp_ctx.buffer, acomp_ctx.req, or acomp_ctx.acomp).

 The problem was introduced in commit 1ec3b5fe6eec ("mm/zswap: move to use
 crypto_acomp API for hardware acceleration") when the switch to the
 crypto_acomp API was made.  Prior to that, the per-CPU crypto_comp was
 retrieved using get_cpu_ptr() which disables preemption and makes sure the
 CPU cannot go away from under us.  Preemption cannot be disabled with the
 crypto_acomp API as a sleepable context is needed.

 Use the acomp_ctx.mutex to synchronize CPU hotplug callbacks allocating
 and freeing resources with compression/decompression paths.  Make sure
 that acomp_ctx.req is NULL when the resources are freed.  In the
 compression/decompression paths, check if acomp_ctx.req is NULL after
 acquiring the mutex (meaning the CPU was offlined) and retry on the new
 CPU.

 The initialization of acomp_ctx.mutex is moved from the CPU hotplug
 callback to the pool initialization where it belongs (where the mutex is
 allocated).  In addition to adding clarity, this makes sure that CPU
 hotplug cannot reinitialize a mutex that is already locked by
 compression/decompression.

 Previously a fix was attempted by holding cpus_read_lock() [1].  This
 would have caused a potential deadlock as it is possible for code already
 holding the lock to fall into reclaim and enter zswap (causing a
 deadlock).  A fix was also attempted using SRCU for synchronization, but
 Johannes pointed out that synchronize_srcu() cannot be used in CPU hotplug
 notifiers [2].

 Alternative fixes that were considered/attempted and could have worked:
 - Refcounting the per-CPU acomp_ctx. This involves complexity in
   handling the race between the refcount dropping to zero in
   zswap_[de]compress() and the refcount being re-initialized when the
   CPU is onlined.
 - Disabling migration before getting the per-CPU acomp_ctx [3], but
   that's discouraged and is a much bigger hammer than needed, and could
   result in subtle performance issues.

 [1]https://lkml.kernel.org/20241219212437.2714151-1-yosryahmed@google.com/
 [2]https://lkml.kernel.org/20250107074724.1756696-2-yosryahmed@google.com/
 [3]https://lkml.kernel.org/20250107222236.2715883-2-yosryahmed@google.com/

 [yosryahmed@google.com: remove comment]

 The Linux kernel CVE team has assigned CVE-2025-21693 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.11 with commit 1ec3b5fe6eec782f4e5e0a80e4ce1909ffd5d161 and fixed in 6.12.12 with commit 8d29ff5d50304daa41dc3cfdda4a9d1e46cf5be1
 	Issue introduced in 5.11 with commit 1ec3b5fe6eec782f4e5e0a80e4ce1909ffd5d161 and fixed in 6.13 with commit 12dcb0ef540629a281533f9dedc1b6b8e14cfb65

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2025-21693
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	mm/zswap.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/8d29ff5d50304daa41dc3cfdda4a9d1e46cf5be1
 	https://git.kernel.org/stable/c/12dcb0ef540629a281533f9dedc1b6b8e14cfb65
	From bippy-1.0.0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@kernel.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2025-21693: mm: zswap: properly synchronize freeing resources during CPU hotunplug

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	mm: zswap: properly synchronize freeing resources during CPU hotunplug

	In zswap_compress() and zswap_decompress(), the per-CPU acomp_ctx of the
	current CPU at the beginning of the operation is retrieved and used
	throughout. However, since neither preemption nor migration are disabled,
	it is possible that the operation continues on a different CPU.

	If the original CPU is hotunplugged while the acomp_ctx is still in use,
	we run into a UAF bug as some of the resources attached to the acomp_ctx
	are freed during hotunplug in zswap_cpu_comp_dead() (i.e.
	acomp_ctx.buffer, acomp_ctx.req, or acomp_ctx.acomp).

	The problem was introduced in commit 1ec3b5fe6eec ("mm/zswap: move to use
	crypto_acomp API for hardware acceleration") when the switch to the
	crypto_acomp API was made. Prior to that, the per-CPU crypto_comp was
	retrieved using get_cpu_ptr() which disables preemption and makes sure the
	CPU cannot go away from under us. Preemption cannot be disabled with the
	crypto_acomp API as a sleepable context is needed.

	Use the acomp_ctx.mutex to synchronize CPU hotplug callbacks allocating
	and freeing resources with compression/decompression paths. Make sure
	that acomp_ctx.req is NULL when the resources are freed. In the
	compression/decompression paths, check if acomp_ctx.req is NULL after
	acquiring the mutex (meaning the CPU was offlined) and retry on the new
	CPU.

	The initialization of acomp_ctx.mutex is moved from the CPU hotplug
	callback to the pool initialization where it belongs (where the mutex is
	allocated). In addition to adding clarity, this makes sure that CPU
	hotplug cannot reinitialize a mutex that is already locked by
	compression/decompression.

	Previously a fix was attempted by holding cpus_read_lock() [1]. This
	would have caused a potential deadlock as it is possible for code already
	holding the lock to fall into reclaim and enter zswap (causing a
	deadlock). A fix was also attempted using SRCU for synchronization, but
	Johannes pointed out that synchronize_srcu() cannot be used in CPU hotplug
	notifiers [2].

	Alternative fixes that were considered/attempted and could have worked:
	- Refcounting the per-CPU acomp_ctx. This involves complexity in
	handling the race between the refcount dropping to zero in
	zswap_[de]compress() and the refcount being re-initialized when the
	CPU is onlined.
	- Disabling migration before getting the per-CPU acomp_ctx [3], but
	that's discouraged and is a much bigger hammer than needed, and could
	result in subtle performance issues.

	[1]https://lkml.kernel.org/20241219212437.2714151-1-yosryahmed@google.com/
	[2]https://lkml.kernel.org/20250107074724.1756696-2-yosryahmed@google.com/
	[3]https://lkml.kernel.org/20250107222236.2715883-2-yosryahmed@google.com/

	[yosryahmed@google.com: remove comment]

	The Linux kernel CVE team has assigned CVE-2025-21693 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.11 with commit 1ec3b5fe6eec782f4e5e0a80e4ce1909ffd5d161 and fixed in 6.12.12 with commit 8d29ff5d50304daa41dc3cfdda4a9d1e46cf5be1
	Issue introduced in 5.11 with commit 1ec3b5fe6eec782f4e5e0a80e4ce1909ffd5d161 and fixed in 6.13 with commit 12dcb0ef540629a281533f9dedc1b6b8e14cfb65

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2025-21693
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	mm/zswap.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/8d29ff5d50304daa41dc3cfdda4a9d1e46cf5be1
	https://git.kernel.org/stable/c/12dcb0ef540629a281533f9dedc1b6b8e14cfb65