mirror of https://github.com/torvalds/linux.git
crypto: zstd - fix double-free in per-CPU stream cleanup
The crypto/zstd module has a double-free bug that occurs when multiple
tfms are allocated and freed.
The issue happens because zstd_streams (per-CPU contexts) are freed in
zstd_exit() during every tfm destruction, rather than being managed at
the module level. When multiple tfms exist, each tfm exit attempts to
free the same shared per-CPU streams, resulting in a double-free.
This leads to a stack trace similar to:
BUG: Bad page state in process kworker/u16:1 pfn:106fd93
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x106fd93
flags: 0x17ffffc0000000(node=0|zone=2|lastcpupid=0x1fffff)
page_type: 0xffffffff()
raw: 0017ffffc0000000 dead000000000100 dead000000000122 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: nonzero entire_mapcount
Modules linked in: ...
CPU: 3 UID: 0 PID: 2506 Comm: kworker/u16:1 Kdump: loaded Tainted: G B
Hardware name: ...
Workqueue: btrfs-delalloc btrfs_work_helper
Call Trace:
<TASK>
dump_stack_lvl+0x5d/0x80
bad_page+0x71/0xd0
free_unref_page_prepare+0x24e/0x490
free_unref_page+0x60/0x170
crypto_acomp_free_streams+0x5d/0xc0
crypto_acomp_exit_tfm+0x23/0x50
crypto_destroy_tfm+0x60/0xc0
...
Change the lifecycle management of zstd_streams to free the streams only
once during module cleanup.
Fixes: f5ad93ffb5 ("crypto: zstd - convert to acomp")
Cc: stable@vger.kernel.org
Signed-off-by: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
Reviewed-by: Suman Kumar Chakraborty <suman.kumar.chakraborty@intel.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
This commit is contained in:
Giovanni Cabiddu
Herbert Xu
parent
ebbdf6466b
commit
48bc9da3c9
|
|
@ -75,11 +75,6 @@ static int zstd_init(struct crypto_acomp *acomp_tfm)
|
||||||
return ret;
|
return ret;
|
||||||
}
|
}
|
||||||
|
|
||||||
static void zstd_exit(struct crypto_acomp *acomp_tfm)
|
|
||||||
{
|
|
||||||
crypto_acomp_free_streams(&zstd_streams);
|
|
||||||
}
|
|
||||||
|
|
||||||
static int zstd_compress_one(struct acomp_req *req, struct zstd_ctx *ctx,
|
static int zstd_compress_one(struct acomp_req *req, struct zstd_ctx *ctx,
|
||||||
const void *src, void *dst, unsigned int *dlen)
|
const void *src, void *dst, unsigned int *dlen)
|
||||||
{
|
{
|
||||||
|
|
@ -297,7 +292,6 @@ static struct acomp_alg zstd_acomp = {
|
||||||
.cra_module = THIS_MODULE,
|
.cra_module = THIS_MODULE,
|
||||||
},
|
},
|
||||||
.init = zstd_init,
|
.init = zstd_init,
|
||||||
.exit = zstd_exit,
|
|
||||||
.compress = zstd_compress,
|
.compress = zstd_compress,
|
||||||
.decompress = zstd_decompress,
|
.decompress = zstd_decompress,
|
||||||
};
|
};
|
||||||
|
|
@ -310,6 +304,7 @@ static int __init zstd_mod_init(void)
|
||||||
static void __exit zstd_mod_fini(void)
|
static void __exit zstd_mod_fini(void)
|
||||||
{
|
{
|
||||||
crypto_unregister_acomp(&zstd_acomp);
|
crypto_unregister_acomp(&zstd_acomp);
|
||||||
|
crypto_acomp_free_streams(&zstd_streams);
|
||||||
}
|
}
|
||||||
|
|
||||||
module_init(zstd_mod_init);
|
module_init(zstd_mod_init);
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue