CVE-2025-22030
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2025-22030
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-22030.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2025-22030
- Downstream
- Related
- Published
- 2025-04-16T14:11:50Z
- Modified
- 2025-10-15T01:42:10.630681Z
- Summary
- mm: zswap: fix crypto_free_acomp() deadlock in zswap_cpu_comp_dead()
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
mm: zswap: fix cryptofreeacomp() deadlock in zswapcpucomp_dead()
Currently, zswapcpucompdead() calls cryptofreeacomp() while holding the per-CPU acompctx mutex. cryptofreeacomp() then holds scomplock (through cryptoexitscompops_async()).
On the other hand, cryptoallocacompnode() holds the scomplock (through cryptoscompinittfm()), and then allocates memory. If the allocation results in reclaim, we may attempt to hold the per-CPU acompctx mutex.
The above dependencies can cause an ABBA deadlock. For example in the following scenario:
(1) Task A running on CPU #1: cryptoallocacompnode() Holds scomplock Enters reclaim Reads percpuptr(pool->acomp_ctx, 1)
(2) Task A is descheduled
(3) CPU #1 goes offline zswapcpucompdead(CPU #1) Holds percpuptr(pool->acompctx, 1)) Calls cryptofreeacomp() Waits for scomp_lock
(4) Task A running on CPU #2: Waits for percpuptr(pool->acomp_ctx, 1) // Read on CPU #1 DEADLOCK
Since there is no requirement to call cryptofreeacomp() with the per-CPU acompctx mutex held in zswapcpucompdead(), move it after the mutex is unlocked. Also move the acomprequestfree() and kfree() calls for consistency and to avoid any potential sublte locking dependencies in the future.
With this, only setting acompctx fields to NULL occurs with the mutex held. This is similar to how zswapcpucompprepare() only initializes acomp_ctx fields with the mutex held, after performing all allocations before holding the mutex.
Opportunistically, move the NULL check on acomp_ctx so that it takes place before the mutex dereference.
- References
-
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- https://git.kernel.org/stable/c/717d9c35deff6c33235693171bacbb03e9643fa4
- https://git.kernel.org/stable/c/747e3eec1d7d124ea90ed3d7b85369df8b4e36d2
- https://git.kernel.org/stable/c/a8d18000e9d2d97aaf105f5f9b3b0e8a6fbf8b96
- https://git.kernel.org/stable/c/c11bcbc0a517acf69282c8225059b2a8ac5fe628
Affected packages
Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected ranges
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced8d29ff5d50304daa41dc3cfdda4a9d1e46cf5be1Fixed747e3eec1d7d124ea90ed3d7b85369df8b4e36d2
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced12dcb0ef540629a281533f9dedc1b6b8e14cfb65Fixeda8d18000e9d2d97aaf105f5f9b3b0e8a6fbf8b96
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced12dcb0ef540629a281533f9dedc1b6b8e14cfb65Fixed717d9c35deff6c33235693171bacbb03e9643fa4
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced12dcb0ef540629a281533f9dedc1b6b8e14cfb65Fixedc11bcbc0a517acf69282c8225059b2a8ac5fe628
Affected versions
v6.*
v6.12.12
v6.12.13
v6.12.14
v6.12.15
v6.12.16
v6.12.17
v6.12.18
v6.12.19
v6.12.20
v6.12.21
v6.12.22
v6.13
v6.13-rc7
v6.13.1
v6.13.10
v6.13.2
v6.13.3
v6.13.4
v6.13.5
v6.13.6
v6.13.7
v6.13.8
v6.13.9
v6.14
v6.14-rc1
v6.14-rc2
v6.14-rc3
v6.14-rc4
v6.14-rc5
v6.14-rc6
v6.14-rc7
v6.14.1
Database specific
{
"vanir_signatures": [
{
"id": "CVE-2025-22030-659a08f0",
"signature_type": "Line",
"target": {
"file": "mm/zswap.c"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@747e3eec1d7d124ea90ed3d7b85369df8b4e36d2",
"digest": {
"threshold": 0.9,
"line_hashes": [
"323008219145937052307877929948411293547",
"323462173153497076137248653783657313908",
"151687585799265545186128754700838005082",
"274520126541952884210542509192767994257",
"27875431340436929977539945701457368661",
"314575028467981014631221896438895933696",
"221243219052565662332039568274484444073",
"154128268021785898807898215842225396242",
"169042038168949582984777545781180009425",
"128322337997667092732021343665126234476",
"21575227163180023501570102093045219405",
"139787157629216631692696683475927136146",
"19805530592950535225541623404634711479",
"184709883413331272718172036399188218913"
]
},
"deprecated": false,
"signature_version": "v1"
},
{
"id": "CVE-2025-22030-7ffe886a",
"signature_type": "Function",
"target": {
"file": "mm/zswap.c",
"function": "zswap_cpu_comp_dead"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@717d9c35deff6c33235693171bacbb03e9643fa4",
"digest": {
"function_hash": "284926331846220598011350313426294947463",
"length": 466.0
},
"deprecated": false,
"signature_version": "v1"
},
{
"id": "CVE-2025-22030-896bc41f",
"signature_type": "Function",
"target": {
"file": "mm/zswap.c",
"function": "zswap_cpu_comp_dead"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@c11bcbc0a517acf69282c8225059b2a8ac5fe628",
"digest": {
"function_hash": "284926331846220598011350313426294947463",
"length": 466.0
},
"deprecated": false,
"signature_version": "v1"
},
{
"id": "CVE-2025-22030-a7593a71",
"signature_type": "Line",
"target": {
"file": "mm/zswap.c"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@a8d18000e9d2d97aaf105f5f9b3b0e8a6fbf8b96",
"digest": {
"threshold": 0.9,
"line_hashes": [
"323008219145937052307877929948411293547",
"323462173153497076137248653783657313908",
"151687585799265545186128754700838005082",
"274520126541952884210542509192767994257",
"27875431340436929977539945701457368661",
"314575028467981014631221896438895933696",
"221243219052565662332039568274484444073",
"154128268021785898807898215842225396242",
"169042038168949582984777545781180009425",
"128322337997667092732021343665126234476",
"21575227163180023501570102093045219405",
"139787157629216631692696683475927136146",
"19805530592950535225541623404634711479",
"184709883413331272718172036399188218913"
]
},
"deprecated": false,
"signature_version": "v1"
},
{
"id": "CVE-2025-22030-adbcd2b5",
"signature_type": "Line",
"target": {
"file": "mm/zswap.c"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@c11bcbc0a517acf69282c8225059b2a8ac5fe628",
"digest": {
"threshold": 0.9,
"line_hashes": [
"323008219145937052307877929948411293547",
"323462173153497076137248653783657313908",
"151687585799265545186128754700838005082",
"274520126541952884210542509192767994257",
"27875431340436929977539945701457368661",
"314575028467981014631221896438895933696",
"221243219052565662332039568274484444073",
"154128268021785898807898215842225396242",
"169042038168949582984777545781180009425",
"128322337997667092732021343665126234476",
"21575227163180023501570102093045219405",
"139787157629216631692696683475927136146",
"19805530592950535225541623404634711479",
"184709883413331272718172036399188218913"
]
},
"deprecated": false,
"signature_version": "v1"
},
{
"id": "CVE-2025-22030-c52e586b",
"signature_type": "Line",
"target": {
"file": "mm/zswap.c"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@717d9c35deff6c33235693171bacbb03e9643fa4",
"digest": {
"threshold": 0.9,
"line_hashes": [
"323008219145937052307877929948411293547",
"323462173153497076137248653783657313908",
"151687585799265545186128754700838005082",
"274520126541952884210542509192767994257",
"27875431340436929977539945701457368661",
"314575028467981014631221896438895933696",
"221243219052565662332039568274484444073",
"154128268021785898807898215842225396242",
"169042038168949582984777545781180009425",
"128322337997667092732021343665126234476",
"21575227163180023501570102093045219405",
"139787157629216631692696683475927136146",
"19805530592950535225541623404634711479",
"184709883413331272718172036399188218913"
]
},
"deprecated": false,
"signature_version": "v1"
},
{
"id": "CVE-2025-22030-c5a9d87f",
"signature_type": "Function",
"target": {
"file": "mm/zswap.c",
"function": "zswap_cpu_comp_dead"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@747e3eec1d7d124ea90ed3d7b85369df8b4e36d2",
"digest": {
"function_hash": "284926331846220598011350313426294947463",
"length": 466.0
},
"deprecated": false,
"signature_version": "v1"
},
{
"id": "CVE-2025-22030-d1189b8b",
"signature_type": "Function",
"target": {
"file": "mm/zswap.c",
"function": "zswap_cpu_comp_dead"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@a8d18000e9d2d97aaf105f5f9b3b0e8a6fbf8b96",
"digest": {
"function_hash": "284926331846220598011350313426294947463",
"length": 466.0
},
"deprecated": false,
"signature_version": "v1"
}
]
}