cve/published/2025/CVE-2025-21860.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-1.0.0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@kernel.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2025-21860: mm/zswap: fix inconsistency when zswap_store_page() fails

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 mm/zswap: fix inconsistency when zswap_store_page() fails

 Commit b7c0ccdfbafd ("mm: zswap: support large folios in zswap_store()")
 skips charging any zswap entries when it failed to zswap the entire folio.

 However, when some base pages are zswapped but it failed to zswap the
 entire folio, the zswap operation is rolled back.  When freeing zswap
 entries for those pages, zswap_entry_free() uncharges the zswap entries
 that were not previously charged, causing zswap charging to become
 inconsistent.

 This inconsistency triggers two warnings with following steps:
   # On a machine with 64GiB of RAM and 36GiB of zswap
   $ stress-ng --bigheap 2 # wait until the OOM-killer kills stress-ng
   $ sudo reboot

   The two warnings are:
     in mm/memcontrol.c:163, function obj_cgroup_release():
       WARN_ON_ONCE(nr_bytes & (PAGE_SIZE - 1));

     in mm/page_counter.c:60, function page_counter_cancel():
       if (WARN_ONCE(new < 0, "page_counter underflow: %ld nr_pages=%lu\n",
 	  new, nr_pages))

 zswap_stored_pages also becomes inconsistent in the same way.

 As suggested by Kanchana, increment zswap_stored_pages and charge zswap
 entries within zswap_store_page() when it succeeds.  This way,
 zswap_entry_free() will decrement the counter and uncharge the entries
 when it failed to zswap the entire folio.

 While this could potentially be optimized by batching objcg charging and
 incrementing the counter, let's focus on fixing the bug this time and
 leave the optimization for later after some evaluation.

 After resolving the inconsistency, the warnings disappear.

 [42.hyeyoo@gmail.com: refactor zswap_store_page()]

 The Linux kernel CVE team has assigned CVE-2025-21860 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 6.13 with commit b7c0ccdfbafdec98699ddb6f164beebf16f0bc45 and fixed in 6.13.5 with commit a3652f5552b20903315612da487a7be2b95394d5
 	Issue introduced in 6.13 with commit b7c0ccdfbafdec98699ddb6f164beebf16f0bc45 and fixed in 6.14 with commit 63895d20d63b446f5049a963983489319c2ea3e2

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2025-21860
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	mm/zswap.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/a3652f5552b20903315612da487a7be2b95394d5
 	https://git.kernel.org/stable/c/63895d20d63b446f5049a963983489319c2ea3e2
	From bippy-1.0.0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@kernel.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2025-21860: mm/zswap: fix inconsistency when zswap_store_page() fails

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	mm/zswap: fix inconsistency when zswap_store_page() fails

	Commit b7c0ccdfbafd ("mm: zswap: support large folios in zswap_store()")
	skips charging any zswap entries when it failed to zswap the entire folio.

	However, when some base pages are zswapped but it failed to zswap the
	entire folio, the zswap operation is rolled back. When freeing zswap
	entries for those pages, zswap_entry_free() uncharges the zswap entries
	that were not previously charged, causing zswap charging to become
	inconsistent.

	This inconsistency triggers two warnings with following steps:
	# On a machine with 64GiB of RAM and 36GiB of zswap
	$ stress-ng --bigheap 2 # wait until the OOM-killer kills stress-ng
	$ sudo reboot

	The two warnings are:
	in mm/memcontrol.c:163, function obj_cgroup_release():
	WARN_ON_ONCE(nr_bytes & (PAGE_SIZE - 1));

	in mm/page_counter.c:60, function page_counter_cancel():
	if (WARN_ONCE(new < 0, "page_counter underflow: %ld nr_pages=%lu\n",
	new, nr_pages))

	zswap_stored_pages also becomes inconsistent in the same way.

	As suggested by Kanchana, increment zswap_stored_pages and charge zswap
	entries within zswap_store_page() when it succeeds. This way,
	zswap_entry_free() will decrement the counter and uncharge the entries
	when it failed to zswap the entire folio.

	While this could potentially be optimized by batching objcg charging and
	incrementing the counter, let's focus on fixing the bug this time and
	leave the optimization for later after some evaluation.

	After resolving the inconsistency, the warnings disappear.

	[42.hyeyoo@gmail.com: refactor zswap_store_page()]

	The Linux kernel CVE team has assigned CVE-2025-21860 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 6.13 with commit b7c0ccdfbafdec98699ddb6f164beebf16f0bc45 and fixed in 6.13.5 with commit a3652f5552b20903315612da487a7be2b95394d5
	Issue introduced in 6.13 with commit b7c0ccdfbafdec98699ddb6f164beebf16f0bc45 and fixed in 6.14 with commit 63895d20d63b446f5049a963983489319c2ea3e2

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2025-21860
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	mm/zswap.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/a3652f5552b20903315612da487a7be2b95394d5
	https://git.kernel.org/stable/c/63895d20d63b446f5049a963983489319c2ea3e2