CVE-2022-49554

Severity CVSS v4.0: Pending analysis
Type: CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
Publication date: 26/02/2025
Last modified: 22/10/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

zsmalloc: fix races between asynchronous zspage free and page migration

The asynchronous zspage free worker tries to lock a zspage's entire page list without defending against page migration. Since pages which haven't yet been locked can concurrently migrate off the zspage page list while lock_zspage() churns away, lock_zspage() can suffer from a few different lethal races.

It can lock a page which no longer belongs to the zspage and unsafely dereference page_private(), it can unsafely dereference a torn pointer to the next page (since there's a data race), and it can observe a spurious NULL pointer to the next page and thus not lock all of the zspage's pages (since a single page migration will reconstruct the entire page list, and create_page_chain() unconditionally zeroes out each list pointer in the process).

Fix the races by using migrate_read_lock() in lock_zspage() to synchronize with page migration.

Vulnerable products and versions

CPE                                             From                Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*    4.14 (including)    4.14.282 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*    4.15 (including)    4.19.246 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*    4.20 (including)    5.4.197 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*    5.5 (including)     5.10.120 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*    5.11 (including)    5.15.45 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*    5.16 (including)    5.17.13 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*    5.18 (including)    5.18.2 (excluding)