zram: fix use-after-free in zram_writeback_endio by blktests-ci[bot] · Pull Request #795 · linux-blktests/linux-block

A crash was observed in zram_writeback_endio due to a NULL pointer dereference in wake_up. The root cause is a race condition between the bio completion handler (zram_writeback_endio) and the writeback task. In zram_writeback_endio, wake_up() is called on &wb_ctl->done_wait after releasing wb_ctl->done_lock. This creates a race window where the writeback task can see num_inflight become 0, return, and free wb_ctl before zram_writeback_endio calls wake_up(). CPU 0 (zram_writeback_endio) CPU 1 (writeback_store) ============================ ============================ zram_writeback_slots zram_submit_wb_request zram_submit_wb_request wait_event(wb_ctl->done_wait) spin_lock(&wb_ctl->done_lock); list_add(&req->entry, &wb_ctl->done_reqs); spin_unlock(&wb_ctl->done_lock); wake_up(&wb_ctl->done_wait); zram_complete_done_reqs spin_lock(&wb_ctl->done_lock); list_add(&req->entry, &wb_ctl->done_reqs); spin_unlock(&wb_ctl->done_lock); while (num_inflight) > 0) spin_lock(&wb_ctl->done_lock); list_del(&req->entry); spin_unlock(&wb_ctl->done_lock); // num_inflight becomes 0 atomic_dec(num_inflight); // Leave zram_writeback_slots // Free wb_ctl release_wb_ctl(wb_ctl); // UAF crash! wake_up(&wb_ctl->done_wait); This patch fixes this race by using RCU. By protecting wb_ctl with rcu_read_lock() in zram_writeback_endio and using kfree_rcu() to free it, we ensure that wb_ctl remains valid during the execution of zram_writeback_endio. Fixes: f405066 ("zram: introduce writeback bio batching") Cc: stable@vger.kernel.org Suggested-by: Sergey Senozhatsky <senozhatsky@chromium.org> Suggested-by: Minchan Kim <minchan@kernel.org> Signed-off-by: Richard Chang <richardycc@google.com> Signed-off-by: wang wei <a929244872@163.com>

blktests-ci Bot added new V1 linus-master labels May 4, 2026

blktests-ci Bot force-pushed the series/1089254=>linus-master branch from f19d9fa to 75e4f5b Compare May 5, 2026 03:46

blktests-ci Bot force-pushed the linus-master_base branch from 6f75bd1 to 1f0d33a Compare May 5, 2026 15:39

blktests-ci Bot force-pushed the series/1089254=>linus-master branch from 75e4f5b to 552b1f8 Compare May 5, 2026 15:56

blktests-ci Bot added V2 and removed V1 labels May 8, 2026

blktests-ci Bot force-pushed the series/1089254=>linus-master branch from 552b1f8 to 7ef25b0 Compare May 8, 2026 08:57

blktests-ci Bot force-pushed the series/1089254=>linus-master branch from 7ef25b0 to 92785ab Compare May 8, 2026 21:49

blktests-ci Bot force-pushed the series/1089254=>linus-master branch from 92785ab to 739a0e7 Compare May 9, 2026 02:44

blktests-ci Bot force-pushed the linus-master_base branch from 1f0d33a to b1870f6 Compare May 10, 2026 15:59

blktests-ci Bot force-pushed the series/1089254=>linus-master branch from 739a0e7 to 1622a88 Compare May 10, 2026 16:09

blktests-ci Bot added V3 and removed V2 labels May 12, 2026

blktests-ci Bot force-pushed the series/1089254=>linus-master branch from 1622a88 to 36cc32f Compare May 12, 2026 08:09

blktests-ci Bot force-pushed the series/1089254=>linus-master branch from 36cc32f to b6e24f3 Compare May 13, 2026 14:14

blktests-ci Bot force-pushed the linus-master_base branch from b1870f6 to ca57796 Compare May 15, 2026 07:55

blktests-ci Bot force-pushed the series/1089254=>linus-master branch from b6e24f3 to 651faf4 Compare May 15, 2026 08:07

blktests-ci Bot force-pushed the linus-master_base branch from ca57796 to c1feb59 Compare May 21, 2026 02:54

blktests-ci Bot force-pushed the series/1089254=>linus-master branch from 651faf4 to 3d43e2c Compare May 21, 2026 03:31

blktests-ci Bot force-pushed the linus-master_base branch from c1feb59 to ea833a1 Compare May 22, 2026 01:53

blktests-ci Bot force-pushed the series/1089254=>linus-master branch from 3d43e2c to 2bf16c1 Compare May 22, 2026 02:28

blktests-ci Bot force-pushed the linus-master_base branch from ea833a1 to 7af85d1 Compare May 23, 2026 06:11

blktests-ci Bot force-pushed the series/1089254=>linus-master branch from 2bf16c1 to 597f8c7 Compare May 23, 2026 07:24

blktests-ci Bot force-pushed the linus-master_base branch from 7af85d1 to de94ac7 Compare May 23, 2026 17:08

blktests-ci Bot force-pushed the series/1089254=>linus-master branch from 597f8c7 to 3e7e043 Compare May 23, 2026 17:54

Conversation

blktests-ci Bot commented May 4, 2026

Uh oh!

blktests-ci Bot commented May 4, 2026

Uh oh!

blktests-ci Bot commented May 5, 2026

Uh oh!

blktests-ci Bot commented May 5, 2026

Uh oh!

blktests-ci Bot commented May 8, 2026

Uh oh!

blktests-ci Bot commented May 8, 2026

Uh oh!

blktests-ci Bot commented May 9, 2026

Uh oh!

blktests-ci Bot commented May 10, 2026

Uh oh!

blktests-ci Bot commented May 12, 2026

Uh oh!

blktests-ci Bot commented May 13, 2026

Uh oh!

blktests-ci Bot commented May 15, 2026

Uh oh!

blktests-ci Bot commented May 21, 2026

Uh oh!

blktests-ci Bot commented May 22, 2026

Uh oh!

blktests-ci Bot commented May 23, 2026

Uh oh!

blktests-ci Bot commented May 23, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants