mm: zswap: properly synchronize freeing resources during CPU hotunplug
The bug is in zswap_compress() and zswap_decompress(): each fetches the per-CPU acomp_ctx of the CPU it starts on and keeps using it for the whole operation, but neither preemption nor migration is disabled, so the task can be moved to another CPU partway through. If the original CPU is then hot-unplugged while its acomp_ctx is still in use, the CPU hotplug teardown callback zswap_cpu_comp_dead() frees the resources attached to that context (its request, buffer and compressor handle) and the in-flight operation keeps using freed memory, a use-after-free (UAF).
The problem was introduced in commit 1ec3b5fe6eec ("mm/zswap: move to use crypto_acomp API for hardware acceleration"). Before that commit the per-CPU crypto_comp was obtained with get_cpu_ptr(), which disables preemption and so guarantees the task stays on a CPU that cannot be offlined underneath it. The crypto_acomp API needs a sleepable context, so preemption cannot be disabled around it and that guarantee was lost.
The fix uses acomp_ctx.mutex to synchronize the CPU hotplug callbacks that allocate and free the per-CPU resources with the compression and decompression paths, and makes sure acomp_ctx.req is set to NULL whenever the resources are freed. In the compression and decompression paths, the per-CPU acomp_ctx is fetched and its mutex acquired; if acomp_ctx.req is NULL at that point, the CPU was offlined between fetching the pointer and taking the lock, so the mutex is dropped and the step is retried on the CPU the task is now running on. While the mutex is held, the teardown callback blocks on it, so the resources cannot disappear under an in-flight operation.
The initialization of acomp_ctx.mutex is also moved out of the CPU hotplug callback into the pool initialization, where the mutex is allocated. Besides being clearer, this guarantees that a CPU coming online cannot reinitialize a mutex that a compression or decompression path currently holds.
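The following user-space model, added here as an illustration and not taken from the kernel or the patch, replays the race deterministically: a task reads its per-CPU context, is "preempted" in the window before it takes the lock, the original CPU is offlined and the task migrates. The unsynchronized pre-fix path ends up on a freed context; the fixed path (lock, check that req is non-NULL, otherwise unlock and retry on the current CPU) completes on the new CPU after one retry. Everything is a stand-in: the mutex is a flag (the model is single-threaded), migration and hotunplug are triggered by hand at preemption_point(), and the names acomp_ctx, zswap_cpu_comp_prepare, zswap_cpu_comp_dead and zswap_compress_* only echo the kernel's.

```c
#include <assert.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Single-threaded user-space model of the zswap race. Names echo the kernel
 * (acomp_ctx, zswap_cpu_comp_dead, ...) but every structure is a simplified
 * stand-in written for this example, not the kernel's own code. */
#define NR_CPUS 2
#define BUF_SIZE 64

struct acomp_ctx {
	bool locked;   /* stand-in for acomp_ctx.mutex (no threads in this model) */
	void *req;     /* stand-in for acomp_ctx.req; NULL once resources are freed */
	char *buffer;  /* stand-in for acomp_ctx.buffer */
	bool freed;    /* marks the buffer as freed so a UAF is detected, not executed */
};

static struct acomp_ctx per_cpu_ctx[NR_CPUS];
static int current_cpu;           /* CPU the task is currently running on */
static int pending_offline = -1;  /* CPU whose hotunplug fires at the next preemption point */
static int migrate_to = -1;       /* CPU the task lands on after that hotunplug */
static int retry_count;           /* retries taken by the fixed path in its last run */

static void ctx_lock(struct acomp_ctx *ctx)   { assert(!ctx->locked); ctx->locked = true; }
static void ctx_unlock(struct acomp_ctx *ctx) { assert(ctx->locked);  ctx->locked = false; }

/* Hotplug "prepare" callback: allocate the per-CPU resources. */
static void zswap_cpu_comp_prepare(int cpu)
{
	struct acomp_ctx *ctx = &per_cpu_ctx[cpu];
	ctx->req = malloc(16), ctx->buffer = malloc(BUF_SIZE), ctx->freed = false;
	assert(ctx->req && ctx->buffer);
}

/* Hotplug "dead" callback shaped like the fix: free under the mutex, leave req NULL. */
static void zswap_cpu_comp_dead(int cpu)
{
	struct acomp_ctx *ctx = &per_cpu_ctx[cpu];
	ctx_lock(ctx);
	free(ctx->req), ctx->req = NULL;
	free(ctx->buffer), ctx->buffer = NULL, ctx->freed = true;
	ctx_unlock(ctx);
}

/* The preemption window between reading the per-CPU pointer and taking the mutex:
 * a pending hotunplug runs here and migrates the task, unless the mutex is held. */
static void preemption_point(void)
{
	if (pending_offline < 0 || per_cpu_ctx[pending_offline].locked)
		return;
	zswap_cpu_comp_dead(pending_offline);
	current_cpu = migrate_to;
	pending_offline = -1;
}

/* Pre-fix path: keep using the ctx read before the window, with no lock and no check. */
static int zswap_compress_before(void)
{
	struct acomp_ctx *ctx = &per_cpu_ctx[current_cpu];
	preemption_point();
	if (ctx->freed)
		return -1;  /* the real code would now touch freed memory */
	memset(ctx->buffer, 0, BUF_SIZE);
	return current_cpu;
}

/* Fixed path: lock, check req, and retry on the CPU we now run on if it is NULL. */
static int zswap_compress_after(void)
{
	struct acomp_ctx *ctx;
	for (retry_count = 0;; retry_count++) {
		ctx = &per_cpu_ctx[current_cpu];
		preemption_point();
		ctx_lock(ctx);
		if (ctx->req)
			break;
		ctx_unlock(ctx);  /* old CPU was offlined under us: try again where we are */
	}
	assert(!ctx->freed);
	memset(ctx->buffer, 0, BUF_SIZE);
	ctx_unlock(ctx);
	return current_cpu;
}

/* Both CPUs online, task on cpu 0, hotunplug of cpu 0 queued for the next window. */
static void setup_race(void)
{
	for (int cpu = 0; cpu < NR_CPUS; cpu++) {
		if (per_cpu_ctx[cpu].req)
			zswap_cpu_comp_dead(cpu);
		zswap_cpu_comp_prepare(cpu);
	}
	current_cpu = 0, pending_offline = 0, migrate_to = 1;
}

static int race_before_fix(void) { setup_race(); return zswap_compress_before(); }
static int race_after_fix(void)  { setup_race(); return zswap_compress_after(); }
int main(void)
{
	printf("before fix: %d (-1 = use-after-free)\n", race_before_fix());
	printf("after fix: completed on cpu %d\n", race_after_fix());
	return 0;
}
```

race_before_fix() returns -1 because the context read on cpu 0 has been torn down by the time it is used; race_after_fix() returns 1 with retry_count equal to 1, the retry taken after finding req NULL under the lock. The `locked` check in preemption_point() models the other half of the fix: while a compressor holds the mutex, the teardown callback cannot run.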
The following references document earlier fix attempts and alternative approaches, and why they were not adopted:
[1]https://lkml.kernel.org/20241219212437.2714151-1-yosryahmed@google.com/
[2]https://lkml.kernel.org/20250107074724.1756696-2-yosryahmed@google.com/
[3]https://lkml.kernel.org/20250107222236.2715883-2-yosryahmed@google.com/
Two alternatives were considered but rejected: refcounting the per-CPU acomp_ctx, which adds complexity in handling the race between the refcount dropping to zero in zswap_[de]compress() and its re-initialization when the CPU comes back online, and disabling migration before fetching the per-CPU acomp_ctx, which is discouraged, is a much bigger hammer than needed, and could cause subtle performance issues.
In summary, CVE-2025-21693 is fixed by serializing use of the per-CPU acomp_ctx against CPU hotplug with its mutex, freeing the resources only under that mutex with acomp_ctx.req left NULL, and retrying on the new CPU when the original one has been offlined.
If you run zswap on a kernel that contains commit 1ec3b5fe6eec, update to a kernel that carries this fix. The full technical discussion and the patch itself are at the link below.
Link: https://lkml.kernel.org/r/CAJD7tkaxS1wjn+swugt8QCvQ-rVF5RZnjxwPGX17k8x9zSManA@mail.gmail.com
Timeline
Published on: 02/10/2025 16:15:38 UTC
Last modified on: 02/10/2025 18:15:35 UTC