CVE-2025-22030

Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 16/04/2025
Last modified: 28/10/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

mm: zswap: fix crypto_free_acomp() deadlock in zswap_cpu_comp_dead()

Currently, zswap_cpu_comp_dead() calls crypto_free_acomp() while holding the per-CPU acomp_ctx mutex. crypto_free_acomp() then holds scomp_lock (through crypto_exit_scomp_ops_async()).

On the other hand, crypto_alloc_acomp_node() holds the scomp_lock (through crypto_scomp_init_tfm()), and then allocates memory. If the allocation results in reclaim, we may attempt to hold the per-CPU acomp_ctx mutex.

The above dependencies can cause an ABBA deadlock. For example in the following scenario:

(1) Task A running on CPU #1:
    crypto_alloc_acomp_node()
    Holds scomp_lock
    Enters reclaim
    Reads per_cpu_ptr(pool->acomp_ctx, 1)

(2) Task A is descheduled

(3) CPU #1 goes offline
    zswap_cpu_comp_dead(CPU #1)
    Holds per_cpu_ptr(pool->acomp_ctx, 1))
    Calls crypto_free_acomp()
    Waits for scomp_lock

(4) Task A running on CPU #2:
    Waits for per_cpu_ptr(pool->acomp_ctx, 1) // Read on CPU #1
    DEADLOCK

Since there is no requirement to call crypto_free_acomp() with the per-CPU acomp_ctx mutex held in zswap_cpu_comp_dead(), move it after the mutex is unlocked. Also move the acomp_request_free() and kfree() calls for consistency and to avoid any potential subtle locking dependencies in the future.

With this, only setting acomp_ctx fields to NULL occurs with the mutex held. This is similar to how zswap_cpu_comp_prepare() only initializes acomp_ctx fields with the mutex held, after performing all allocations before holding the mutex.

Opportunistically, move the NULL check on acomp_ctx so that it takes place before the mutex dereference.
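The lock-order inversion described above, modelled as an added example (not kernel code and not part of the advisory): a minimal lockdep-style tracker records which lock is taken while another is held and flags the ABBA pair for the pre-fix ordering only. The tracker and the names `ld_acquire`, `ld_release`, `alloc_path`, `cpu_dead_path` and `has_abba` are hypothetical; only the two lock names and the order in which each path takes them come from the description.

```c
#include <stdio.h>

/* The two lock classes named in the description. */
enum { ACOMP_CTX_MUTEX, SCOMP_LOCK, NLOCKS };

/* Hypothetical model: order[a][b] is set once a path takes b while holding a. */
struct lockdep { int held[NLOCKS]; int order[NLOCKS][NLOCKS]; int inversion; };

static void ld_acquire(struct lockdep *ld, int l)
{
    for (int h = 0; h < NLOCKS; h++) {
        if (h == l || !ld->held[h])
            continue;
        ld->order[h][l] = 1;
        ld->inversion |= ld->order[l][h]; /* opposite order already seen: ABBA */
    }
    ld->held[l] = 1;
}

static void ld_release(struct lockdep *ld, int l) { ld->held[l] = 0; }

/* Allocation path: scomp_lock is held, then reclaim takes the acomp_ctx mutex. */
static void alloc_path(struct lockdep *ld)
{
    ld_acquire(ld, SCOMP_LOCK);
    ld_acquire(ld, ACOMP_CTX_MUTEX);
    ld_release(ld, ACOMP_CTX_MUTEX);
    ld_release(ld, SCOMP_LOCK);
}

/* CPU-dead path: the free step takes scomp_lock, inside (old) or after (fixed) the mutex. */
static void cpu_dead_path(struct lockdep *ld, int fixed)
{
    ld_acquire(ld, ACOMP_CTX_MUTEX);      /* acomp_ctx fields are set to NULL here */
    if (!fixed) { ld_acquire(ld, SCOMP_LOCK); ld_release(ld, SCOMP_LOCK); }
    ld_release(ld, ACOMP_CTX_MUTEX);
    if (fixed) { ld_acquire(ld, SCOMP_LOCK); ld_release(ld, SCOMP_LOCK); }
}

/* Returns 1 if the two paths together record both lock orders (an ABBA pair). */
int has_abba(int fixed)
{
    struct lockdep ld = {0};
    alloc_path(&ld);
    cpu_dead_path(&ld, fixed);
    return ld.inversion;
}

int main(void) { printf("ABBA before fix: %d, after fix: %d\n", has_abba(0), has_abba(1)); return 0; }
```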

Vulnerable products and versions

CPE                                              From                  Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*     6.12.12 (including)   6.12.23 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*     6.13.1 (including)    6.13.11 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*     6.14 (including)      6.14.2 (excluding)
cpe:2.3:o:linux:linux_kernel:6.13:-:*:*:*:*:*:*