From patchwork Tue Feb 25 08:53:58 2025
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Herbert Xu <herbert@gondor.apana.org.au>
X-Patchwork-Id: 13989521
Return-Path: <owner-linux-mm@kvack.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17])
	by smtp.lore.kernel.org (Postfix) with ESMTP id B32D2C021B2
	for <linux-mm@archiver.kernel.org>; Tue, 25 Feb 2025 08:54:20 +0000 (UTC)
Received: by kanga.kvack.org (Postfix)
	id 45BE36B007B; Tue, 25 Feb 2025 03:54:20 -0500 (EST)
Received: by kanga.kvack.org (Postfix, from userid 40)
	id 40D5D6B0082; Tue, 25 Feb 2025 03:54:20 -0500 (EST)
X-Delivered-To: int-list-linux-mm@kvack.org
Received: by kanga.kvack.org (Postfix, from userid 63042)
	id 2D3666B0085; Tue, 25 Feb 2025 03:54:20 -0500 (EST)
X-Delivered-To: linux-mm@kvack.org
Received: from relay.hostedemail.com (smtprelay0012.hostedemail.com
 [216.40.44.12])
	by kanga.kvack.org (Postfix) with ESMTP id 0A07E6B007B
	for <linux-mm@kvack.org>; Tue, 25 Feb 2025 03:54:20 -0500 (EST)
Received: from smtpin10.hostedemail.com (a10.router.float.18 [10.200.18.1])
	by unirelay01.hostedemail.com (Postfix) with ESMTP id A34A81C8FE4
	for <linux-mm@kvack.org>; Tue, 25 Feb 2025 08:54:19 +0000 (UTC)
X-FDA: 83157855438.10.8618D5B
Received: from abb.hmeau.com (abb.hmeau.com [144.6.53.87])
	by imf24.hostedemail.com (Postfix) with ESMTP id 04414180013
	for <linux-mm@kvack.org>; Tue, 25 Feb 2025 08:54:16 +0000 (UTC)
Authentication-Results: imf24.hostedemail.com;
	dkim=pass header.d=hmeau.com header.s=formenos header.b=MBQ0fVm2;
	spf=pass (imf24.hostedemail.com: domain of herbert@gondor.apana.org.au
 designates 144.6.53.87 as permitted sender)
 smtp.mailfrom=herbert@gondor.apana.org.au;
	dmarc=pass (policy=quarantine) header.from=apana.org.au
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed;
 d=hostedemail.com;
	s=arc-20220608; t=1740473658;
	h=from:from:sender:reply-to:subject:subject:date:date:
	 message-id:message-id:to:to:cc:cc:mime-version:mime-version:
	 content-type:content-type:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references:dkim-signature;
	bh=m/uE5AbjUgTrqaB5TvMD0hL1QbOzaO5ZccZ+IZl0Aqw=;
	b=iDljyMx0F8+Xk00mRkb+cX2IOK9EMaoevD0Q/tftkIpIq8XfjaJ/wJStGaid3ZqIrykitE
	PV4KFDUpqMsjtYhGzm5pnq/n0UKdaT3pegp3PLx5vNi5ZAMEGGdo8uhX02oHhnv1PQLFLM
	0QP0YnZebfPgoinmVB7qBOK2YDxU/7U=
ARC-Seal: i=1; s=arc-20220608; d=hostedemail.com; t=1740473658; a=rsa-sha256;
	cv=none;
	b=v9CIItIYnCSVGS4oGLglUT8wb+heArqLy5tcUIUNuOJ1a6NsJKmDLrePod6Qv+DXZ90k4d
	whwHvbR//ly4N0aW5Yvo3OtF6L4sqLzoTZABxiLcR5L5jbUuCsqZBFYqngJ/ZD5wtRI7yt
	tNBDANur4eVYUUMKJgeaK3e/OA+PqJM=
ARC-Authentication-Results: i=1;
	imf24.hostedemail.com;
	dkim=pass header.d=hmeau.com header.s=formenos header.b=MBQ0fVm2;
	spf=pass (imf24.hostedemail.com: domain of herbert@gondor.apana.org.au
 designates 144.6.53.87 as permitted sender)
 smtp.mailfrom=herbert@gondor.apana.org.au;
	dmarc=pass (policy=quarantine) header.from=apana.org.au
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=hmeau.com;
	s=formenos; h=In-Reply-To:Content-Type:MIME-Version:References:Message-ID:
	Subject:Cc:To:From:Date:Sender:Reply-To:Content-Transfer-Encoding:Content-ID:
	Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc
	:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe:
	List-Post:List-Owner:List-Archive;
	bh=m/uE5AbjUgTrqaB5TvMD0hL1QbOzaO5ZccZ+IZl0Aqw=; b=MBQ0fVm2AHhupKDLf2RD8erw6D
	89jeBLcCBDOXI4IOJH7xufAvPx8+87/YbUtM35d10R8wWycbobGy7Z/E2dHkTc/fmsmHmIwiKPtiv
	V9TJ6jRvdd04msxpx9Df/9Fr5CJpSJt9iLh2w1EFH28KdRNSMEYdAwELY/X/WC97PTYgJw19GlTbB
	4aS1hQXJmskPhqpPC58l/2Qdz5NZzLpmYt9W+lAnWMCZCc+HNf1mXcy9PhWd9Kf0lTFJFT3RM3du6
	vMYh3Hdns/Wn5AFTWPYoiJ+2vQxnepUBEmP/KM/CbrbeH51OoKZprvyyAsBE4ZpfE3XVyKIH6tNv5
	3wrQLmZw==;
Received: from loth.rohan.me.apana.org.au ([192.168.167.2])
	by formenos.hmeau.com with smtp (Exim 4.96 #2 (Debian))
	id 1tmqhS-001Xuy-0c;
	Tue, 25 Feb 2025 16:53:59 +0800
Received: by loth.rohan.me.apana.org.au (sSMTP sendmail emulation);
 Tue, 25 Feb 2025 16:53:58 +0800
Date: Tue, 25 Feb 2025 16:53:58 +0800
From: Herbert Xu <herbert@gondor.apana.org.au>
To: syzbot <syzbot+1a517ccfcbc6a7ab0f82@syzkaller.appspotmail.com>
Cc: davem@davemloft.net, linux-crypto@vger.kernel.org,
	linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com,
	Andrew Morton <akpm@linux-foundation.org>,
	Yosry Ahmed <yosry.ahmed@linux.dev>, linux-mm@kvack.org
Subject: mm: zswap: fix crypto_free_acomp deadlock in zswap_cpu_comp_dead
Message-ID: <Z72FJnbA39zWh4zS@gondor.apana.org.au>
References: <67bcea51.050a0220.bbfd1.0096.GAE@google.com>
MIME-Version: 1.0
Content-Disposition: inline
In-Reply-To: <67bcea51.050a0220.bbfd1.0096.GAE@google.com>
X-Rspam-User: 
X-Rspamd-Queue-Id: 04414180013
X-Rspamd-Server: rspam07
X-Stat-Signature: zb86d9g74sg7mqp9u7m5hnc4oyayfrxm
X-HE-Tag: 1740473656-117890
X-HE-Meta: 
 U2FsdGVkX19rntRuBVxRmIIu/r+fiY2JT+orE4KxImHUMpim/BtJOKuvPB2NSiKxdNMjt97zgHZqPypz7yuK4us56tyd+5PXduinmvKMoHBkWcNwdtBvkk8TL5BU1A7/t5d7MJjqJGfUrfvKRglX1xh3M/rbOnKm+0e4qWfXrTiaWKRGMMXnfPN8b1uQjLMic0VNAmXSHdwGMPPIxbw4c0kS329QPTcGVHHR2If8X/EBoCvBKowgUrK7o3bVgD2Qghi0QoSh9vLBoQbiRH5hfoaNzC4bu+Lxa4JiiOs2hSMns2z6v86nj4d1kvRbQtpqcKLR3LVC3h7/nWchLR3ImQC18xd4WlbwfLAzyt3etB21ixP2rt7M9SPBKH0ki8yjilbKJX3oEr3h1T44HTn8+gFwkuFGI19fNL94269T7/PsO/BicKLxIZModFsiSoDl2koNpYBqhnf9DVeme5xu6Slh3dzUNgLO/ugGMTpenUhiZ6AOuww8xFmHiKGwI4E7nHiUmmzfNKXvVix9sb/B5Q/TiYo42tsVSgvozFfo5H/GzB5vjqPmWsqfDoQY24I0lxls/R68qeuHFD3KcLUol5SRv5h4t6kfVpi3aRtDpXBKrhEuHgDEuLZEhfaLbFLpq0Hi4ilv8CQFHgEyYBk0yJxkfDrf9yBk42qv7i8YJcYer+reKvUMDhsCdMC4PES9FS4u5hV8XAI3/z+GZwnyPkF63mx9djOwE8e11U/TsldhR7QpXuioyjPW1ZGb15ANhGXm9RzSZrGwyuvisdE8PbS9t3AAuHrQwLDCl3r/4f2T3M3okuo9SmzJVUf6Ev7kuiFgAJmg8k2Z4NDxdqjRSvA+4S/l6LzElwM9mAJZ0gQrDhreilPeV8IfWKiIgbNuJkHr3Jd9ML/swjTCbZUqlEhUjaifo3uhMuoIFJpdgy5Ix/U9nSnJfa8nrydxV3eLsbni1dR+W8dnG+ckzNx
 R5og4Svs
 Cqx/vOvH1FSKCrqIC5V6g/ehWpfy2VzUkWP4+WrG0ygYXC9nEUswBJX9gDnxgE6DBfNYMQ84O2Yotvf2YoGYg2AyNXyDpFFdZFOFaUsBaA9pWlyHg3XwBuiW/nxizZLf9EgwqYSU5+Zi/s2q4FjTB5h+WHPa72E+ho0C703Mx726oGg17pZ/nam6GEgNsm/5aRSeFMlv2H+Hve5C/HI6+hDZaDMQhc002hwt6JoMdYj/Wt0soF6FM0ZEKv/P8L7KyJBhfaNeCJMIscvfmxfr4I+h2gpLkiST6yJm5y5vrJTuWLvRIy/Oh6MNqPuGN+Jz70fZ94e3/ohVt9gBcGmzyLiXDCB48YRrGDvpO2cQFhO3XSx4Tr5Iq0j+Z34uZq4aGVDyH8sLLAceEx8bBOBLrTl9AN7vZx40sgrajEsJixK7eXXktJCWhabPCQmaSREnSorZEy+Ny36kHYpTFv/sGqksSuvfZR0qgsBwbIru2bRM/uqW0BgvoAPrkg8G3/8dAD9W1ir3Hvz7vOFMH+btrWJRrmIlIDzY//PqmmaD2hyjaxyVx7dt1vLIlZmGh3Wdj1SYnhtSNubo3kv0PFRAPgMgLQHy4ZoLL4rZd7qnsVbE6xlN8lpP/RnoxeGNUUVBE8+4/aVk8u/HT6hYToy7AYlRM6hMk6PsK7xSsUaduoGi1K+6+jeybjH/muWK/+P+207zAXYZyvKr4vW5I4Up+zyGAEpaMj4rwP92vMG7S3jNvv+N+urO7PGW+mOPePlLtY/0U0U2+PhnvAWDdRQFUbAXseLSuZiM+DRli6tzvh+AIY1tDrVHZVcI6oO0EIjXX+LQYbs6875Q4YsQVavE8GswWRET1hP+BOrbXXlYnfEHv2CK0ERHngn0aIdwMWawx5sOv
X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4
Sender: owner-linux-mm@kvack.org
Precedence: bulk
X-Loop: owner-majordomo@kvack.org
List-ID: <linux-mm.kvack.org>
List-Subscribe: <mailto:majordomo@kvack.org>
List-Unsubscribe: <mailto:majordomo@kvack.org>

On Mon, Feb 24, 2025 at 01:53:21PM -0800, syzbot wrote:
> 
> syzbot found the following issue on:
> 
> HEAD commit:    e9a8cac0bf89 Merge tag 'v6.14-rc3-smb3-client-fixes' of gi..
> git tree:       upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=17b667f8580000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=61cbf5ac8a063ad4
> dashboard link: https://syzkaller.appspot.com/bug?extid=1a517ccfcbc6a7ab0f82
> compiler:       gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
> 
> Unfortunately, I don't have any reproducer for this issue yet.
> 
> Downloadable assets:
> disk image: https://storage.googleapis.com/syzbot-assets/8441f1b50402/disk-e9a8cac0.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/65b1f8d2f790/vmlinux-e9a8cac0.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/1d6f6d8c3d6b/bzImage-e9a8cac0.xz

---8<---
Call crypto_free_acomp outside of the mutex in zswap_cpu_comp_dead
as otherwise this could dead-lock as the allocation path may lead
back into zswap while holding the same lock.  Zap the pointers to
acomp and buffer after freeing.

Also move the NULL check on acomp_ctx so that it takes place before
the mutex dereference.

Fixes: 12dcb0ef5406 ("mm: zswap: properly synchronize freeing resources during CPU hotunplug")
Reported-by: syzbot+1a517ccfcbc6a7ab0f82@syzkaller.appspotmail.com
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Acked-by: Herbert Xu <herbert@gondor.apana.org.au>

diff --git a/mm/zswap.c b/mm/zswap.c
index 6504174fbc6a..24d36266a791 100644
--- a/mm/zswap.c
+++ b/mm/zswap.c
@@ -881,18 +881,23 @@ static int zswap_cpu_comp_dead(unsigned int cpu, struct hlist_node *node)
 {
 	struct zswap_pool *pool = hlist_entry(node, struct zswap_pool, node);
 	struct crypto_acomp_ctx *acomp_ctx = per_cpu_ptr(pool->acomp_ctx, cpu);
+	struct crypto_acomp *acomp = NULL;
+
+	if (IS_ERR_OR_NULL(acomp_ctx))
+		return 0;
 
 	mutex_lock(&acomp_ctx->mutex);
-	if (!IS_ERR_OR_NULL(acomp_ctx)) {
-		if (!IS_ERR_OR_NULL(acomp_ctx->req))
-			acomp_request_free(acomp_ctx->req);
-		acomp_ctx->req = NULL;
-		if (!IS_ERR_OR_NULL(acomp_ctx->acomp))
-			crypto_free_acomp(acomp_ctx->acomp);
-		kfree(acomp_ctx->buffer);
-	}
+	if (!IS_ERR_OR_NULL(acomp_ctx->req))
+		acomp_request_free(acomp_ctx->req);
+	acomp_ctx->req = NULL;
+	acomp = acomp_ctx->acomp;
+	acomp_ctx->acomp = NULL;
+	kfree(acomp_ctx->buffer);
+	acomp_ctx->buffer = NULL;
 	mutex_unlock(&acomp_ctx->mutex);
 
+	crypto_free_acomp(acomp);
+
 	return 0;
 }