mirror-linux/drivers/block
Sergey Senozhatsky ce4be9e430 zram: fix slot write race condition
Parallel concurrent writes to the same zram index result in leaked
zsmalloc handles.  Schematically we can have something like this:

CPU0                              CPU1
zram_slot_lock()
zs_free(handle)
zram_slot_lock()
				zram_slot_lock()
				zs_free(handle)
				zram_slot_lock()

compress			compress
handle = zs_malloc()		handle = zs_malloc()
zram_slot_lock
zram_set_handle(handle)
zram_slot_lock
				zram_slot_lock
				zram_set_handle(handle)
				zram_slot_lock

Either CPU0 or CPU1 zsmalloc handle will leak because zs_free() is done
too early.  In fact, we need to reset zram entry right before we set its
new handle, all under the same slot lock scope.

Link: https://lkml.kernel.org/r/20250909045150.635345-1-senozhatsky@chromium.org
Fixes: 71268035f5 ("zram: free slot memory early during write")
Signed-off-by: Sergey Senozhatsky <senozhatsky@chromium.org>
Reported-by: Changhui Zhong <czhong@redhat.com>
Closes: https://lore.kernel.org/all/CAGVVp+UtpGoW5WEdEU7uVTtsSCjPN=ksN6EcvyypAtFDOUf30A@mail.gmail.com/
Tested-by: Changhui Zhong <czhong@redhat.com>
Cc: Jens Axboe <axboe@kernel.dk>
Cc: Minchan Kim <minchan@kernel.org>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
2025-09-15 20:01:45 -07:00
aoe block-6.16-20250619 2025-06-19 23:29:35 -07:00
drbd drbd: Remove the open-coded page pool 2025-08-11 07:54:27 -06:00
mtip32xx block: mtip32xx: Fix usage of dma_map_sg() 2025-07-08 11:55:38 -06:00
null_blk null_blk: use memzero_page() 2025-07-09 22:42:08 -07:00
rnbd rnbd-srv: use bio_add_virt_nofail 2025-05-07 07:31:07 -06:00
xen-blkback xen/blkback: convert timeouts to secs_to_jiffies() 2025-01-12 20:21:03 -08:00
zram zram: fix slot write race condition 2025-09-15 20:01:45 -07:00
Kconfig block: remove pktcdvd driver 2025-07-07 07:02:42 -06:00
Makefile block: remove pktcdvd driver 2025-07-07 07:02:42 -06:00
amiflop.c treewide: Switch/rename to timer_delete[_sync]() 2025-04-05 10:30:12 +02:00
ataflop.c treewide: Switch/rename to timer_delete[_sync]() 2025-04-05 10:30:12 +02:00
brd.c brd: fix sleeping function called from invalid context in brd_insert_page() 2025-07-01 08:14:01 -06:00
floppy.c block: floppy: Fix uninitialized use of outparam 2025-07-13 12:08:31 -06:00
loop.c loop: fix zero sized loop for block special file 2025-08-25 07:46:57 -06:00
n64cart.c block: move the nonrot flag to queue_limits 2024-06-19 07:58:28 -06:00
nbd.c for-6.17/block-20250728 2025-07-28 16:43:54 -07:00
ps3disk.c ps3disk: Do not use dev->bounce_size before it is set 2025-01-03 11:44:25 -07:00
ps3vram.c
rbd.c block: force noio scope in blk_mq_freeze_queue 2025-01-31 07:20:08 -07:00
rbd_types.h
rnull.rs rust: module: introduce `authors` key 2025-03-10 15:12:17 +01:00
sunvdc.c sunvdc: Balance device refcount in vdc_port_mpgroup_check 2025-07-22 10:02:17 -06:00
swim.c block: remove BLK_MQ_F_SHOULD_MERGE 2024-12-23 08:17:23 -07:00
swim3.c treewide, timers: Rename from_timer() to timer_container_of() 2025-06-08 09:07:37 +02:00
swim_asm.S
ublk_drv.c ublk: avoid ublk_io_release() called after ublk char dev is closed 2025-08-28 07:56:57 -06:00
virtio_blk.c virtio: blk/scsi: use block layer helpers to calculate num of queues 2025-07-01 10:24:19 -06:00
xen-blkfront.c block: remove unused parameter 'q' parameter in __blk_rq_map_sg() 2025-03-13 05:46:19 -06:00
z2ram.c block: remove BLK_MQ_F_SHOULD_MERGE 2024-12-23 08:17:23 -07:00
zloop.c zloop: fix KASAN use-after-free of tag set 2025-07-31 15:01:07 -06:00