mirrors/linux
2
0
Fork 0
mirror of https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git synced 2026-06-03 13:53:57 -04:00
Code Issues Packages Projects Releases Wiki Activity
Files
441f92f7d386b85bad16de49db95a307cba048a2
linux/drivers
History
Richard Chang bf62f69574 zram: fix use-after-free in zram_writeback_endio 
A crash was observed in zram_writeback_endio due to a NULL pointer
dereference in wake_up.  The root cause is a race condition between the
bio completion handler (zram_writeback_endio) and the writeback task.

In zram_writeback_endio, wake_up() is called on &wb_ctl->done_wait after
releasing wb_ctl->done_lock.  This creates a race window where the
writeback task can see num_inflight become 0, return, and free wb_ctl
before zram_writeback_endio calls wake_up().

CPU 0 (zram_writeback_endio)     CPU 1 (writeback_store)
============================     ============================
                                 zram_writeback_slots
                                   zram_submit_wb_request
                                   zram_submit_wb_request
                                   wait_event(wb_ctl->done_wait)
spin_lock(&wb_ctl->done_lock);
list_add(&req->entry, &wb_ctl->done_reqs);
spin_unlock(&wb_ctl->done_lock);
wake_up(&wb_ctl->done_wait);
                                   zram_complete_done_reqs
spin_lock(&wb_ctl->done_lock);
list_add(&req->entry, &wb_ctl->done_reqs);
spin_unlock(&wb_ctl->done_lock);
                                   while (num_inflight) > 0)
                                     spin_lock(&wb_ctl->done_lock);
                                     list_del(&req->entry);
                                     spin_unlock(&wb_ctl->done_lock);
                                     // num_inflight becomes 0
                                     atomic_dec(num_inflight);

                                 // Leave zram_writeback_slots
                                 // Free wb_ctl
                                 release_wb_ctl(wb_ctl);
// UAF crash!
wake_up(&wb_ctl->done_wait);

This patch fixes this race by using RCU.  By protecting wb_ctl with
rcu_read_lock() in zram_writeback_endio and using kfree_rcu() to free it,
we ensure that wb_ctl remains valid during the execution of
zram_writeback_endio.

Link: https://lore.kernel.org/20260512074918.2606208-1-richardycc@google.com
Fixes: f405066a1f ("zram: introduce writeback bio batching")
Signed-off-by: Richard Chang <richardycc@google.com>
Suggested-by: Sergey Senozhatsky <senozhatsky@chromium.org>
Suggested-by: Minchan Kim <minchan@kernel.org>
Acked-by: Sergey Senozhatsky <senozhatsky@chromium.org>
Acked-by: Minchan Kim <minchan@kernel.org>
Cc: Brian Geffon <bgeffon@google.com>
Cc: Jens Axboe <axboe@kernel.dk>
Cc: Martin Liu <liumartin@google.com>
Cc: wang wei <a929244872@163.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
2026-05-21 19:06:11 -07:00
..
accel
accel/qaic: Add overflow check to remap_pfn_range during mmap
2026-05-12 10:58:18 -06:00
accessibility
acpi
ACPI: driver: Check ACPI_COMPANION() against NULL during probe
2026-05-11 18:50:06 +02:00
amba
android
rust: allow clippy::collapsible_if globally
2026-04-30 23:21:31 +02:00
ata
ata: libata-scsi: do not needlessly defer commands when using PMP with FBS
2026-05-18 12:26:51 +02:00
atm
net: remove unused ATM protocols and legacy ATM device drivers
2026-04-23 12:21:14 -07:00
auxdisplay
auxdisplay: line-display: fix NULL dereference in linedisp_release
2026-03-27 09:54:31 +01:00
base
drivers/base/memory: fix memory block reference leak in poison accounting
2026-05-13 17:40:03 -07:00
bcma
block
zram: fix use-after-free in zram_writeback_endio
2026-05-21 19:06:11 -07:00
bluetooth
Bluetooth: virtio_bt: validate rx pkt_type header length
2026-05-06 16:22:33 -04:00
bus
Merge tag 'char-misc-7.1-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc
2026-04-24 13:23:50 -07:00
cache
cdrom
cdrom, scsi: sr: propagate read-only status to block layer via set_disk_ro()
2026-04-27 15:52:51 -06:00
cdx
char
Merge tag 'for-linus-7.1-2' of https://github.com/cminyard/linux-ipmi
2026-05-04 12:48:30 -07:00
clk
clk: rk808: fix OF node reference imbalance
2026-04-28 20:55:53 -07:00
clocksource
comedi
Merge tag 'char-misc-7.1-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc
2026-04-24 13:23:50 -07:00
connector
counter
Merge tag 'v7.0-rc7' into char-misc-next
2026-04-06 09:04:53 +02:00
cpufreq
Merge tag 'devicetree-for-7.1' of git://git.kernel.org/pub/scm/linux/kernel/git/robh/linux
2026-04-17 14:09:02 -07:00
cpuidle
Merge tag 'powerpc-7.1-1' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux
2026-04-14 17:10:15 -07:00
crypto
crypto: ccp - copy IV using skcipher ivsize
2026-04-16 17:37:03 +08:00
cxl
Merge tag 'cxl-for-7.1' of git://git.kernel.org/pub/scm/linux/kernel/git/cxl/cxl
2026-04-17 15:52:58 -07:00
dax
Merge tag 'libnvdimm-for-7.1' of git://git.kernel.org/pub/scm/linux/kernel/git/nvdimm/nvdimm
2026-04-21 14:12:01 -07:00
dca
devfreq
PM / devfreq: tegra30-devfreq: add support for Tegra114
2026-04-04 03:15:39 +09:00
dibs
dio
dma
Merge tag 'dmaengine-7.1-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/vkoul/dmaengine
2026-04-17 10:29:01 -07:00
dma-buf
Merge tag 'drm-fixes-2026-04-24' of https://gitlab.freedesktop.org/drm/kernel
2026-04-24 11:44:52 -07:00
dpll
dpll: export __dpll_pin_change_ntf() for use under dpll_lock
2026-04-30 11:37:39 +02:00
edac
EDAC/versalnet: Fix device name memory leak
2026-05-05 14:49:48 +02:00
eisa
extcon
firewire
firmware
efi/libstub: Synchronize instruction cache after kernel relocation
2026-04-29 08:56:16 +02:00
fpga
fsi
fwctl
fwctl: Fix class init ordering to avoid NULL pointer dereference on device removal
2026-04-10 11:21:06 -03:00
gnss
gpib
Merge tag 'v7.0-rc7' into char-misc-next
2026-04-06 09:04:53 +02:00
gpio
Merge tag 'gpio-fixes-for-v7.1-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/brgl/linux
2026-04-24 11:59:46 -07:00
gpu
drm: Replace old pointer to new idr
2026-05-16 09:32:43 +10:00
greybus
greybus: gb-beagleplay: bound bootloader receive buffering
2026-04-02 15:55:09 +02:00
hid
HID: core: Fix size_t specifier in hid_report_raw_event()
2026-05-18 13:05:41 -07:00
hsi
HSI: omap_ssi_port: remove depends on ARM
2026-04-02 22:33:44 +02:00
hte
hte: tegra194: Add Tegra264 GTE support
2026-04-12 23:29:31 -07:00
hv
Merge tag 'drm-fixes-2026-04-24' of https://gitlab.freedesktop.org/drm/kernel
2026-04-24 11:44:52 -07:00
hwmon
hwmon: (lm90) Add lock protection to lm90_alert
2026-05-16 08:10:33 -07:00
hwspinlock
hwspinlock: u8500: delete driver
2026-04-06 09:43:18 -05:00
hwtracing
Merge tag 'char-misc-7.1-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc
2026-04-24 13:23:50 -07:00
i2c
i2c: smbus: reject oversized block transfers in the common path
2026-05-07 10:59:07 +02:00
i3c
i3c: mipi-i3c-hci: fix IBI payload length calculation for final status
2026-04-12 22:06:02 +02:00
idle
iio
Merge tag 'char-misc-7.1-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc
2026-04-24 13:23:50 -07:00
infiniband
RDMA/hns: Fix unlocked call to hns_roce_qp_remove()
2026-05-02 15:30:48 -03:00
input
Merge tag 'input-for-v7.1-rc0' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input
2026-04-22 18:36:40 -07:00
interconnect
Merge tag 'icc-7.1-rc1' of ssh://gitolite.kernel.org/pub/scm/linux/kernel/git/djakov/icc into char-misc-next
2026-04-07 10:06:50 +02:00
iommu
iommupt: Fix the end_index calculation in __map_range_leaf()
2026-05-15 07:29:16 +02:00
ipack
irqchip
irqchip/riscv-imsic: Clear interrupt move state during CPU offlining
2026-05-11 15:23:11 +02:00
leds
leds: class: Make led_remove_lookup() NULL-aware
2026-04-09 13:49:19 +01:00
macintosh
mailbox
mailbox: mailbox-test: make data_ready a per-instance variable
2026-04-18 13:10:14 -05:00
mcb
md
Merge tag 'block-7.1-20260430' of git://git.kernel.org/pub/scm/linux/kernel/git/axboe/linux
2026-05-01 11:26:15 -07:00
media
media: rc: ttusbir: fix inverted error logic
2026-05-04 08:33:39 +02:00
memory
Merge tag 'dma-mapping-7.1-2026-04-16' of git://git.kernel.org/pub/scm/linux/kernel/git/mszyprowski/linux
2026-04-17 11:12:42 -07:00
memstick
message
mfd
Merge tag 'mfd-next-7.1' of git://git.kernel.org/pub/scm/linux/kernel/git/lee/mfd
2026-04-20 11:31:01 -07:00
misc
Merge tag 'char-misc-7.1-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc
2026-04-24 13:23:50 -07:00
mmc
mmc: sdhci-msm: Fix the wrapped key handling
2026-04-10 10:29:58 +02:00
most
most: usb: Use kzalloc_objs for endpoint address array
2026-04-02 17:06:09 +02:00
mtd
mtd: spinand: winbond: Fix ODTR write VCR on W35NxxJW
2026-04-27 15:08:04 +02:00
mux
Merge tag 'char-misc-7.1-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc
2026-04-24 13:23:50 -07:00
net
net: phy: DP83TC811: add reading of abilities
2026-05-14 15:17:12 +02:00
nfc
NFC: trf7970a: Ignore antenna noise when checking for RF field
2026-04-27 18:00:43 -07:00
ntb
Merge tag 'pci-v7.1-changes' of git://git.kernel.org/pub/scm/linux/kernel/git/pci/pci
2026-04-15 14:41:21 -07:00
nubus
nvdimm
Merge tag 'vfs-7.1-rc1.integrity' of git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs
2026-04-13 10:40:26 -07:00
nvme
nvme-apple: Reset q->sq_tail during queue init
2026-05-14 07:40:35 -07:00
nvmem
Merge tag 'v7.0-rc7' into char-misc-next
2026-04-06 09:04:53 +02:00
of
Merge tag 'memblock-v7.1-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/rppt/memblock
2026-04-18 11:29:14 -07:00
opp
parisc
parisc: Fix IRQ leak in LASI driver
2026-05-04 11:48:12 +02:00
parport
parport: Remove completed item from to-do list
2026-04-02 17:05:56 +02:00
pci
PCI: Initialize temporary device in new_id_store()
2026-05-08 15:50:06 -05:00
pcmcia
Merge tag 'pcmcia-7.1-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/brodo/linux
2026-04-23 11:22:16 -07:00
peci
perf
Merge tag 'arm64-upstream' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux
2026-04-14 16:48:56 -07:00
phy
Merge tag 'phy-for-7.1' of git://git.kernel.org/pub/scm/linux/kernel/git/phy/linux-phy
2026-04-17 10:22:08 -07:00
pinctrl
Merge tag 'pinctrl-v7.1-1' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl
2026-04-18 16:59:09 -07:00
platform
Merge tag 'platform-drivers-x86-v7.1-3' of git://git.kernel.org/pub/scm/linux/kernel/git/pdx86/platform-drivers-x86
2026-05-15 11:12:54 -07:00
pmdomain
pmdomain: mediatek: fix use-after-free in scpsys_get_bus_protection_legacy()
2026-04-27 14:53:30 +02:00
pnp
power
Merge tag 'usb-7.1-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb
2026-04-19 08:47:40 -07:00
powercap
powercap: intel_rapl: Consolidate PL4 and PMU support flags into rapl_defaults
2026-04-01 16:03:05 +02:00
pps
pps: change pps_class to a const struct
2026-04-02 16:33:00 +02:00
ps3
ptp
pwm
Merge tag 'pwm/fixes-7.1-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/ukleinek/linux
2026-04-23 08:37:07 -07:00
rapidio
ras
regulator
regulator: qcom-rpmh: Fix index for pmh0101 ldo16
2026-05-06 21:26:30 +09:00
remoteproc
Merge tag 'rpmsg-v7.1' of git://git.kernel.org/pub/scm/linux/kernel/git/remoteproc/linux
2026-04-17 14:18:55 -07:00
resctrl
arm_mpam: Check whether the config array is allocated before destroying it
2026-05-14 09:52:05 +01:00
reset
reset: eyeq: drop device_set_of_node_from_dev() done by parent
2026-04-28 19:03:50 -07:00
rpmsg
rpmsg: Constify buffer passed to send API
2026-04-06 09:37:51 -05:00
rtc
Merge tag 'rtc-7.1' of git://git.kernel.org/pub/scm/linux/kernel/git/abelloni/linux
2026-04-25 16:39:03 -07:00
s390
s390/sclp: Remove SCLP_OFB Kconfig option
2026-04-28 14:45:02 +02:00
sbus
scsi
Merge tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi
2026-05-05 14:38:31 -07:00
sh
siox
slimbus
soc
Merge tag 'rpmsg-v7.1' of git://git.kernel.org/pub/scm/linux/kernel/git/remoteproc/linux
2026-04-17 14:18:55 -07:00
soundwire
Merge tag 'soundwire-7.1-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/vkoul/soundwire
2026-04-17 10:16:53 -07:00
spi
spi: ch341: correct company name in MODULE_DESCRIPTION
2026-05-06 23:09:33 +09:00
spmi
ssb
staging
Merge tag 'hid-for-linus-2026051401' of git://git.kernel.org/pub/scm/linux/kernel/git/hid/hid
2026-05-14 14:30:01 -07:00
target
Merge branch '7.1/scsi-queue' into 7.1/scsi-fixes
2026-04-26 21:15:04 -04:00
tc
tee
Merge tag 'soc-drivers-7.1' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc
2026-04-16 20:34:34 -07:00
thermal
Merge tag 'bitmap-for-v7.1' of https://github.com/norov/linux
2026-04-14 08:55:18 -07:00
thunderbolt
Merge tag 'thunderbolt-for-v7.1-rc1' of ssh://gitolite.kernel.org/pub/scm/linux/kernel/git/westeri/thunderbolt into usb-next
2026-04-10 13:10:28 +02:00
tty
Merge tag 'tty-7.1-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty
2026-04-19 08:44:41 -07:00
ufs
scsi: ufs: core: Fix bRefClkFreq write failure in HS-LSS mode
2026-04-21 20:58:06 -04:00
uio
uio: replace deprecated mmap hook with mmap_prepare in uio_info
2026-04-05 13:53:44 -07:00
usb
Merge tag 'usb-serial-7.1-rc3' of ssh://gitolite.kernel.org/pub/scm/linux/kernel/git/johan/usb-serial into usb-linus
2026-05-08 17:18:43 +02:00
vdpa
vdpa: use generic driver_override infrastructure
2026-04-04 00:47:50 +02:00
vfio
vfio/pci: Check BAR resources before exporting a DMABUF
2026-05-14 11:39:03 -06:00
vhost
Merge tag 'net-7.1-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net
2026-04-23 16:50:42 -07:00
video
fbdev: udlfb: add vm_ops to dlfb_ops_mmap to prevent use-after-free
2026-05-04 10:35:55 +02:00
virt
virt: sev-guest: Do not use host-controlled page order in cleanup path
2026-05-17 11:45:07 -07:00
virtio
Merge tag 'mm-stable-2026-04-13-21-45' of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm
2026-04-15 12:59:16 -07:00
w1
w1: ds2490: drop redundant device reference
2026-04-03 10:55:12 +02:00
watchdog
watchdog: ni903x_wdt: Convert to a platform driver
2026-04-07 21:06:59 +02:00
xen
ACPI: PAD: xen: Check ACPI_COMPANION() against NULL
2026-05-12 19:01:37 +02:00
zorro
Kconfig
net: remove ISDN subsystem and Bluetooth CMTP
2026-04-23 10:24:02 -07:00
Makefile
net: remove ISDN subsystem and Bluetooth CMTP
2026-04-23 10:24:02 -07:00