cve/published/2025/CVE-2025-22030.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-1.2.0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@kernel.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2025-22030: mm: zswap: fix crypto_free_acomp() deadlock in zswap_cpu_comp_dead()

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 mm: zswap: fix crypto_free_acomp() deadlock in zswap_cpu_comp_dead()

 Currently, zswap_cpu_comp_dead() calls crypto_free_acomp() while holding
 the per-CPU acomp_ctx mutex.  crypto_free_acomp() then holds scomp_lock
 (through crypto_exit_scomp_ops_async()).

 On the other hand, crypto_alloc_acomp_node() holds the scomp_lock (through
 crypto_scomp_init_tfm()), and then allocates memory.  If the allocation
 results in reclaim, we may attempt to hold the per-CPU acomp_ctx mutex.

 The above dependencies can cause an ABBA deadlock.  For example in the
 following scenario:

 (1) Task A running on CPU #1:
     crypto_alloc_acomp_node()
       Holds scomp_lock
       Enters reclaim
       Reads per_cpu_ptr(pool->acomp_ctx, 1)

 (2) Task A is descheduled

 (3) CPU #1 goes offline
     zswap_cpu_comp_dead(CPU #1)
       Holds per_cpu_ptr(pool->acomp_ctx, 1))
       Calls crypto_free_acomp()
       Waits for scomp_lock

 (4) Task A running on CPU #2:
       Waits for per_cpu_ptr(pool->acomp_ctx, 1) // Read on CPU #1
       DEADLOCK

 Since there is no requirement to call crypto_free_acomp() with the per-CPU
 acomp_ctx mutex held in zswap_cpu_comp_dead(), move it after the mutex is
 unlocked.  Also move the acomp_request_free() and kfree() calls for
 consistency and to avoid any potential sublte locking dependencies in the
 future.

 With this, only setting acomp_ctx fields to NULL occurs with the mutex
 held.  This is similar to how zswap_cpu_comp_prepare() only initializes
 acomp_ctx fields with the mutex held, after performing all allocations
 before holding the mutex.

 Opportunistically, move the NULL check on acomp_ctx so that it takes place
 before the mutex dereference.

 The Linux kernel CVE team has assigned CVE-2025-22030 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 6.12.12 with commit 8d29ff5d50304daa41dc3cfdda4a9d1e46cf5be1 and fixed in 6.12.23 with commit 747e3eec1d7d124ea90ed3d7b85369df8b4e36d2
 	Issue introduced in 6.13 with commit 12dcb0ef540629a281533f9dedc1b6b8e14cfb65 and fixed in 6.13.11 with commit a8d18000e9d2d97aaf105f5f9b3b0e8a6fbf8b96
 	Issue introduced in 6.13 with commit 12dcb0ef540629a281533f9dedc1b6b8e14cfb65 and fixed in 6.14.2 with commit 717d9c35deff6c33235693171bacbb03e9643fa4
 	Issue introduced in 6.13 with commit 12dcb0ef540629a281533f9dedc1b6b8e14cfb65 and fixed in 6.15 with commit c11bcbc0a517acf69282c8225059b2a8ac5fe628

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2025-22030
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	mm/zswap.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/747e3eec1d7d124ea90ed3d7b85369df8b4e36d2
 	https://git.kernel.org/stable/c/a8d18000e9d2d97aaf105f5f9b3b0e8a6fbf8b96
 	https://git.kernel.org/stable/c/717d9c35deff6c33235693171bacbb03e9643fa4
 	https://git.kernel.org/stable/c/c11bcbc0a517acf69282c8225059b2a8ac5fe628
	From bippy-1.2.0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@kernel.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2025-22030: mm: zswap: fix crypto_free_acomp() deadlock in zswap_cpu_comp_dead()

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	mm: zswap: fix crypto_free_acomp() deadlock in zswap_cpu_comp_dead()

	Currently, zswap_cpu_comp_dead() calls crypto_free_acomp() while holding
	the per-CPU acomp_ctx mutex. crypto_free_acomp() then holds scomp_lock
	(through crypto_exit_scomp_ops_async()).

	On the other hand, crypto_alloc_acomp_node() holds the scomp_lock (through
	crypto_scomp_init_tfm()), and then allocates memory. If the allocation
	results in reclaim, we may attempt to hold the per-CPU acomp_ctx mutex.

	The above dependencies can cause an ABBA deadlock. For example in the
	following scenario:

	(1) Task A running on CPU #1:
	crypto_alloc_acomp_node()
	Holds scomp_lock
	Enters reclaim
	Reads per_cpu_ptr(pool->acomp_ctx, 1)

	(2) Task A is descheduled

	(3) CPU #1 goes offline
	zswap_cpu_comp_dead(CPU #1)
	Holds per_cpu_ptr(pool->acomp_ctx, 1))
	Calls crypto_free_acomp()
	Waits for scomp_lock

	(4) Task A running on CPU #2:
	Waits for per_cpu_ptr(pool->acomp_ctx, 1) // Read on CPU #1
	DEADLOCK

	Since there is no requirement to call crypto_free_acomp() with the per-CPU
	acomp_ctx mutex held in zswap_cpu_comp_dead(), move it after the mutex is
	unlocked. Also move the acomp_request_free() and kfree() calls for
	consistency and to avoid any potential sublte locking dependencies in the
	future.

	With this, only setting acomp_ctx fields to NULL occurs with the mutex
	held. This is similar to how zswap_cpu_comp_prepare() only initializes
	acomp_ctx fields with the mutex held, after performing all allocations
	before holding the mutex.

	Opportunistically, move the NULL check on acomp_ctx so that it takes place
	before the mutex dereference.

	The Linux kernel CVE team has assigned CVE-2025-22030 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 6.12.12 with commit 8d29ff5d50304daa41dc3cfdda4a9d1e46cf5be1 and fixed in 6.12.23 with commit 747e3eec1d7d124ea90ed3d7b85369df8b4e36d2
	Issue introduced in 6.13 with commit 12dcb0ef540629a281533f9dedc1b6b8e14cfb65 and fixed in 6.13.11 with commit a8d18000e9d2d97aaf105f5f9b3b0e8a6fbf8b96
	Issue introduced in 6.13 with commit 12dcb0ef540629a281533f9dedc1b6b8e14cfb65 and fixed in 6.14.2 with commit 717d9c35deff6c33235693171bacbb03e9643fa4
	Issue introduced in 6.13 with commit 12dcb0ef540629a281533f9dedc1b6b8e14cfb65 and fixed in 6.15 with commit c11bcbc0a517acf69282c8225059b2a8ac5fe628

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2025-22030
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	mm/zswap.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/747e3eec1d7d124ea90ed3d7b85369df8b4e36d2
	https://git.kernel.org/stable/c/a8d18000e9d2d97aaf105f5f9b3b0e8a6fbf8b96
	https://git.kernel.org/stable/c/717d9c35deff6c33235693171bacbb03e9643fa4
	https://git.kernel.org/stable/c/c11bcbc0a517acf69282c8225059b2a8ac5fe628