Linux kernel stable tree (mirror) https://git.radix-linux.su/kernel/linux.git/atom?h=v6.19.11 2025-12-01T10:05:07+00:00 2025-12-01T10:05:07+00:00 Giovanni Cabiddu giovanni.cabiddu@intel.com 2025-11-20T16:26:09+00:00 urn:sha1:48bc9da3c97c15f1ea24934bcb3b736acd30163d The crypto/zstd module has a double-free bug that occurs when multiple tfms are allocated and freed. The issue happens because zstd_streams (per-CPU contexts) are freed in zstd_exit() during every tfm destruction, rather than being managed at the module level. When multiple tfms exist, each tfm exit attempts to free the same shared per-CPU streams, resulting in a double-free. This leads to a stack trace similar to: BUG: Bad page state in process kworker/u16:1 pfn:106fd93 page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x106fd93 flags: 0x17ffffc0000000(node=0|zone=2|lastcpupid=0x1fffff) page_type: 0xffffffff() raw: 0017ffffc0000000 dead000000000100 dead000000000122 0000000000000000 raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000 page dumped because: nonzero entire_mapcount Modules linked in: ... CPU: 3 UID: 0 PID: 2506 Comm: kworker/u16:1 Kdump: loaded Tainted: G B Hardware name: ... Workqueue: btrfs-delalloc btrfs_work_helper Call Trace: <TASK> dump_stack_lvl+0x5d/0x80 bad_page+0x71/0xd0 free_unref_page_prepare+0x24e/0x490 free_unref_page+0x60/0x170 crypto_acomp_free_streams+0x5d/0xc0 crypto_acomp_exit_tfm+0x23/0x50 crypto_destroy_tfm+0x60/0xc0 ... Change the lifecycle management of zstd_streams to free the streams only once during module cleanup. Fixes: f5ad93ffb541 ("crypto: zstd - convert to acomp") Cc: stable@vger.kernel.org Signed-off-by: Giovanni Cabiddu <giovanni.cabiddu@intel.com> Reviewed-by: Suman Kumar Chakraborty <suman.kumar.chakraborty@intel.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> 2025-11-14T10:15:49+00:00 Thorsten Blum thorsten.blum@linux.dev 2025-11-08T14:57:07+00:00 urn:sha1:2236fc007a78b2d734cf0c236c33b722d344daa3 Use max() instead of max_t() since zstd_cstream_workspace_bound() and zstd_dstream_workspace_bound() already return size_t and casting the values is unnecessary. Signed-off-by: Thorsten Blum <thorsten.blum@linux.dev> Reviewed-by: David Sterba <dsterba@suse.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> 2025-11-14T10:15:49+00:00 Thorsten Blum thorsten.blum@linux.dev 2025-11-08T12:07:40+00:00 urn:sha1:6cf32607555da7ef99005ff0d73f3d8597cbbd04 Add the __counted_by() compiler attribute to the flexible array member 'wksp' to improve access bounds-checking via CONFIG_UBSAN_BOUNDS and CONFIG_FORTIFY_SOURCE. Use struct_size(), which provides additional compile-time checks for structures with flexible array members (e.g., __must_be_array()), for the allocation size for a new 'zstd_ctx' while we're at it. Signed-off-by: Thorsten Blum <thorsten.blum@linux.dev> Reviewed-by: David Sterba <dsterba@suse.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> 2025-10-02T07:02:44+00:00 Herbert Xu herbert@gondor.apana.org.au 2025-09-30T08:08:34+00:00 urn:sha1:81c1a15eb4a273eabedfcc28eb6afa4b50cb8a46 Use size_t for the return value of zstd_compress_cctx as otherwise negative errors will be truncated to a positive value. Reported-by: Han Xu <han.xu@nxp.com> Fixes: f5ad93ffb541 ("crypto: zstd - convert to acomp") Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Reviewed-by: David Sterba <dsterba@suse.com> Tested-by: Han Xu <han.xu@nxp.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> 2025-07-18T10:52:00+00:00 Eric Biggers ebiggers@kernel.org 2025-07-09T00:59:54+00:00 urn:sha1:962ddc5a7a4b04c007bba0f3e7298cda13c62efd To avoid a crash when control flow integrity is enabled, make the workspace ("stream") free function use a consistent type, and call it through a function pointer that has that same type. Fixes: 42d9f6c77479 ("crypto: acomp - Move scomp stream allocation code into acomp") Cc: stable@vger.kernel.org Signed-off-by: Eric Biggers <ebiggers@kernel.org> Reviewed-by: Giovanni Cabiddu <giovanni.cabiddu@intel.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> 2025-07-10T08:15:41+00:00 Thorsten Blum thorsten.blum@linux.dev 2025-07-03T17:19:34+00:00 urn:sha1:25f4e1d7193d1438715bb0f05b6aa8df3f7b434f Replace the deprecated zero-length array with a modern flexible array member in the struct zstd_ctx. No functional changes intended. Link: https://github.com/KSPP/linux/issues/78 Signed-off-by: Thorsten Blum <thorsten.blum@linux.dev> Reviewed-by: Kees Cook <kees@kernel.org> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> 2025-07-10T08:15:41+00:00 Suman Kumar Chakraborty suman.kumar.chakraborty@intel.com 2025-06-30T09:24:18+00:00 urn:sha1:03ba056e63d3b2d3774c7a8cf40f5a31b968b612 Fix the following warnings reported by the static analyzer Smatch: crypto/zstd.c:273 zstd_decompress() warn: duplicate check 'scur' (previous on line 235) Fixes: f5ad93ffb541 ("crypto: zstd - convert to acomp") Reported-by: Dan Carpenter <dan.carpenter@linaro.org> Closes: https://lore.kernel.org/linux-crypto/92929e50-5650-40be-8c0a-de81e77f0acf@sabinyo.mountain/ Signed-off-by: Suman Kumar Chakraborty <suman.kumar.chakraborty@intel.com> Reviewed-by: Giovanni Cabiddu <giovanni.cabiddu@intel.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> 2025-06-23T09:00:27+00:00 Suman Kumar Chakraborty suman.kumar.chakraborty@intel.com 2025-06-16T03:19:44+00:00 urn:sha1:f5ad93ffb54119a8dc5e18f070624d4ead586969 Convert the implementation to a native acomp interface using zstd streaming APIs, eliminating the need for buffer linearization. This includes: - Removal of the scomp interface in favor of acomp - Refactoring of stream allocation, initialization, and handling for both compression and decompression using Zstandard streaming APIs - Replacement of crypto_register_scomp() with crypto_register_acomp() for module registration Signed-off-by: Suman Kumar Chakraborty <suman.kumar.chakraborty@intel.com> Reviewed-by: Giovanni Cabiddu <giovanni.cabiddu@intel.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> 2025-05-05T10:20:44+00:00 Herbert Xu herbert@gondor.apana.org.au 2025-04-30T08:17:02+00:00 urn:sha1:ef93f1562803cd7bb8159e3abedaf7f47dce4e35 This reverts commit c4741b23059794bd99beef0f700103b0d983b3fd. Crypto API self-tests no longer run at registration time and now occur either at late_initcall or upon the first use. Therefore the premise of the above commit no longer exists. Revert it and subsequent additions of subsys_initcall and arch_initcall. Note that lib/crypto calls will stay at subsys_initcall (or rather downgraded from arch_initcall) because they may need to occur before Crypto API registration. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> 2025-03-21T09:39:06+00:00 Ard Biesheuvel ardb@kernel.org 2025-03-16T01:21:20+00:00 urn:sha1:8beb40458c213e180fad5ffe0b7207a6bc9dfe61 The 'comp' API is obsolete and will be removed, so remove this comp implementation. Signed-off-by: Ard Biesheuvel <ardb@kernel.org> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>