[PATCH 1/3] zram: fix zstd dict use-after-free on per-CPU error path

Next message: Haoqin Huang: "[PATCH 2/3] zram: add per-backend capability flags and validate parameters early"
Previous message: Qi Zheng: "Re: [PATCH v3] mm: mglru: fix stale batch updates after memcg reparenting"
Next in thread: Haoqin Huang: "[PATCH 2/3] zram: add per-backend capability flags and validate parameters early"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Haoqin Huang

Date: Sat Jun 27 2026 - 03:03:33 EST

From: Haoqin Huang <haoqinhuang@xxxxxxxxxxx>

zstd_setup_params() creates global cdict and ddict stored in
params->drv_data, shared across all per-CPU contexts. When a
per-CPU zstd_create() failed, its error path called
zstd_release_params() which freed those shared objects while
other per-CPU contexts might already hold references to them.

Remove the premature zstd_release_params() from the per-CPU
error path, the global cdict/ddict are properly released later
by zstd_release_params(), called from zcomp_init()'s cleanup
or from zcomp_destroy().

Fixes: 6a559ecd6e7e ("zram: add dictionary support to zstd backend")
Signed-off-by: Haoqin Huang <haoqinhuang@xxxxxxxxxxx>
Reviewed-by: Rongwei Wang <zigiwang@xxxxxxxxxxx>
---
drivers/block/zram/backend_zstd.c | 1 -
1 file changed, 1 deletion(-)

diff --git a/drivers/block/zram/backend_zstd.c b/drivers/block/zram/backend_zstd.c
index d00b548056dc..2584f47c9b3c 100644
--- a/drivers/block/zram/backend_zstd.c
+++ b/drivers/block/zram/backend_zstd.c
@@ -161,7 +161,6 @@ static int zstd_create(struct zcomp_params *params, struct zcomp_ctx *ctx)
return 0;

error:
- zstd_release_params(params);
zstd_destroy(ctx);
return -EINVAL;
}
--
2.43.7