crypto: zstd - fix double-free in per-CPU stream cleanup

gcabiddu · herbertx · commit 48bc9da3c97c · 2025-12-01T18:05:07.000+08:00
The crypto/zstd module has a double-free bug that occurs when multiple tfms are allocated and freed. The issue happens because zstd_streams (per-CPU contexts) are freed in zstd_exit() during every tfm destruction, rather than being managed at the module level. When multiple tfms exist, each tfm exit attempts to free the same shared per-CPU streams, resulting in a double-free. This leads to a stack trace similar to: BUG: Bad page state in process kworker/u16:1 pfn:106fd93 page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x106fd93 flags: 0x17ffffc0000000(node=0|zone=2|lastcpupid=0x1fffff) page_type: 0xffffffff() raw: 0017ffffc0000000 dead000000000100 dead000000000122 0000000000000000 raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000 page dumped because: nonzero entire_mapcount Modules linked in: ... CPU: 3 UID: 0 PID: 2506 Comm: kworker/u16:1 Kdump: loaded Tainted: G B Hardware name: ... Workqueue: btrfs-delalloc btrfs_work_helper Call Trace: <TASK> dump_stack_lvl+0x5d/0x80 bad_page+0x71/0xd0 free_unref_page_prepare+0x24e/0x490 free_unref_page+0x60/0x170 crypto_acomp_free_streams+0x5d/0xc0 crypto_acomp_exit_tfm+0x23/0x50 crypto_destroy_tfm+0x60/0xc0 ... Change the lifecycle management of zstd_streams to free the streams only once during module cleanup. Fixes: f5ad93f ("crypto: zstd - convert to acomp") Cc: stable@vger.kernel.org Signed-off-by: Giovanni Cabiddu <giovanni.cabiddu@intel.com> Reviewed-by: Suman Kumar Chakraborty <suman.kumar.chakraborty@intel.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
diff --git a/crypto/zstd.c b/crypto/zstd.c
@@ -75,11 +75,6 @@ static int zstd_init(struct crypto_acomp *acomp_tfm)
 	return ret;
 }
 
-static void zstd_exit(struct crypto_acomp *acomp_tfm)
-{
-	crypto_acomp_free_streams(&zstd_streams);
-}
-
 static int zstd_compress_one(struct acomp_req *req, struct zstd_ctx *ctx,
 			     const void *src, void *dst, unsigned int *dlen)
 {
@@ -297,7 +292,6 @@ static struct acomp_alg zstd_acomp = {
 		.cra_module = THIS_MODULE,
 	},
 	.init = zstd_init,
-	.exit = zstd_exit,
 	.compress = zstd_compress,
 	.decompress = zstd_decompress,
 };
@@ -310,6 +304,7 @@ static int __init zstd_mod_init(void)
 static void __exit zstd_mod_fini(void)
 {
 	crypto_unregister_acomp(&zstd_acomp);
+	crypto_acomp_free_streams(&zstd_streams);
 }
 
 module_init(zstd_mod_init);

Original file line number	Diff line number	Diff line change
`@@ -75,11 +75,6 @@ static int zstd_init(struct crypto_acomp *acomp_tfm)`
`75`	`75`	`return ret;`
`76`	`76`	`}`
`77`	`77`
`78`		`-static void zstd_exit(struct crypto_acomp *acomp_tfm)`
`79`		`-{`
`80`		`- crypto_acomp_free_streams(&zstd_streams);`
`81`		`-}`
`82`		`-`
`83`	`78`	`static int zstd_compress_one(struct acomp_req req, struct zstd_ctx ctx,`
`84`	`79`	`const void src, void dst, unsigned int *dlen)`
`85`	`80`	`{`
`@@ -297,7 +292,6 @@ static struct acomp_alg zstd_acomp = {`
`297`	`292`	`.cra_module = THIS_MODULE,`
`298`	`293`	`},`
`299`	`294`	`.init = zstd_init,`
`300`		`- .exit = zstd_exit,`
`301`	`295`	`.compress = zstd_compress,`
`302`	`296`	`.decompress = zstd_decompress,`
`303`	`297`	`};`
`@@ -310,6 +304,7 @@ static int __init zstd_mod_init(void)`
`310`	`304`	`static void __exit zstd_mod_fini(void)`
`311`	`305`	`{`
`312`	`306`	`crypto_unregister_acomp(&zstd_acomp);`
	`307`	`+ crypto_acomp_free_streams(&zstd_streams);`
`313`	`308`	`}`
`314`	`309`
`315`	`310`	`module_init(zstd_mod_init);`