From nobody Mon Jun 8 22:55:05 2026
From: Sergey Senozhatsky
To: Andrew Morton, Brian Geffon
Cc: Minchan Kim, Richard Chang, linux-kernel@vger.kernel.org, linux-mm@kvack.org, Sergey Senozhatsky
Subject: [PATCHv2 1/2] zram: do not leak blk idx at the end of writeback
Date: Tue, 26 May 2026 11:27:16 +0900
Message-ID: <20260526022754.2377730-2-senozhatsky@chromium.org>
X-Mailer: git-send-email 2.54.0.746.g67dd491aae-goog
In-Reply-To: <20260526022754.2377730-1-senozhatsky@chromium.org>
References: <20260526022754.2377730-1-senozhatsky@chromium.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Transfer-Encoding: quoted-printable

zram_writeback_slots() loop can terminate with valid reserved backing device blk_idx. The problem is that cleanup code doesn't release that reserved blk_idx before zram_writeback_slots() returns, which leads to blk_idx leak (it becomes permanently busy and can not be used for actual writeback.) This does not lead to any system instabilities, it only means that we can writeback less pages.

The scenario is hard to hit in practice as it requires writeback to race with modification (slot-free or overwrite) of the final post-processing slot.

Release reserved but unused blk_idx before returning from zram_writeback_slots().

Fixes: f405066a1f0db ("zram: introduce writeback bio batching")
Suggested-by: Brian Geffon
Signed-off-by: Sergey Senozhatsky
---
 drivers/block/zram/zram_drv.c | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/drivers/block/zram/zram_drv.c b/drivers/block/zram/zram_drv.c index 07111455eecf..602abfe23797 100644 --- a/drivers/block/zram/zram_drv.c +++ b/drivers/block/zram/zram_drv.c 
@@ -1127,6 +1127,9 @@ static int zram_writeback_slots(struct zram *zram, if (req) release_wb_req(req); =20 + if (blk_idx !=3D INVALID_BDEV_BLOCK) + zram_release_bdev_block(zram, blk_idx); + while (atomic_read(&wb_ctl->num_inflight) > 0) { wait_event(wb_ctl->done_wait, !list_empty(&wb_ctl->done_reqs)); err =3D zram_complete_done_reqs(zram, wb_ctl); --=20 2.54.0.746.g67dd491aae-goog
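Review bot: in the zram_writeback_slots() hunk of patch 1/2, the release added after `release_wb_req(req)` is only correct if the loop above sets blk_idx back to INVALID_BDEV_BLOCK every time a reserved block is handed to a submitted request, and that code is outside the hunk. If any path leaves blk_idx pointing at a block owned by an in-flight request, this would release a block that the `zram_complete_done_reqs()` wait loop just below still has to complete. A one-line comment stating that invariant next to the new check would make it reviewable in place, and setting blk_idx to INVALID_BDEV_BLOCK right after `zram_release_bdev_block(zram, blk_idx)` would keep a later edit from releasing it twice.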
From: Sergey Senozhatsky
To: Andrew Morton, Brian Geffon
Cc: Minchan Kim, Richard Chang, linux-kernel@vger.kernel.org, linux-mm@kvack.org, Sergey Senozhatsky
Subject: [PATCHv2 2/2] zram: clear trailing bytes of compressed writeback pages
Date: Tue, 26 May 2026 11:27:17 +0900
Message-ID: <20260526022754.2377730-3-senozhatsky@chromium.org>
X-Mailer: git-send-email 2.54.0.746.g67dd491aae-goog
In-Reply-To: <20260526022754.2377730-1-senozhatsky@chromium.org>
References: <20260526022754.2377730-1-senozhatsky@chromium.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Transfer-Encoding: quoted-printable

When compressed writeback is available, written-back pages contain "garbage" in PAGE_SIZE - obj_size trailing bytes. That "garbage" is, basically, whatever data that page held before we got it for writeback. To take advantage of it an attacker needs to be able to read from active backing swap device, which is already catastrophic.

Still, just in case, zero out those trailing bytes before writeback to a backing device so that we only store swapped-out data there.

Fixes: d38fab605c66 ("zram: introduce compressed data writeback")
Suggested-by: Brian Geffon
Signed-off-by: Sergey Senozhatsky
---
 drivers/block/zram/zram_drv.c | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/drivers/block/zram/zram_drv.c b/drivers/block/zram/zram_drv.c index 602abfe23797..7917fc7a2a29 100644 --- a/drivers/block/zram/zram_drv.c +++ b/drivers/block/zram/zram_drv.c @@ -2134,6 +2134,8 @@ static int read_from_zspool_raw(struct zram *zram, st= ruct page *page, u32 index) zs_obj_read_end(zram->mem_pool, handle, size, src); zcomp_stream_put(zstrm); =20 + memzero_page(page, size, PAGE_SIZE - size); + return 0; } #endif --=20 2.54.0.746.g67dd491aae-goog
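Review bot: the `memzero_page(page, size, PAGE_SIZE - size)` call added before `return 0` in read_from_zspool_raw() carries no comment saying why a read helper scrubs the tail of the page; a short comment that this page is written to the backing device and must not carry stale data would keep the call from being dropped as redundant later. The hunk also does not show where size is bounded: if size can equal PAGE_SIZE the call is a zero-length no-op, and if it could ever exceed PAGE_SIZE the length `PAGE_SIZE - size` would be out of range, so an explicit `if (size < PAGE_SIZE)` guard would document the expected range at the point of use.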