Somehow I missed this on my first search through lore.kernel.org, but this appears to be the same issue: https://lore.kernel.org/stable/Z3ytcILx4S1v_ueJ@codewreck.org/T/#u
Thanks,
-- Kenneth Van Alstyne, Jr.
On Jan 7, 2025, at 15:48, Kenneth Van Alstyne kvanals@kvanals.org wrote:
Greetings and apologies if this isn't the proper process for reporting an issue in a LTS kernel per https://www.kernel.org/doc/html/latest/admin-guide/reporting-issues.html. Happy to follow another process if more appropriate.
Kernel 6.1.122 introduced a regression via commit ac3b5366b9b7c9d97b606532ceab43d2329a22f3 (backport of upstream commit 74363ec674cb172d8856de25776c8f3103f05e2f) in drivers/block/zram/zram_drv.c where attempting to set the size of /dev/zram0 after loading the zram kernel module results in a kernel NULL pointer dereference.
That patch removed the following block from zram_reset_device():
- if (!init_done(zram)) {
- up_write(&zram->init_lock);
- return;
- }
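Review bot: dropping this early return lets zram_reset_device() fall through to zcomp_destroy() on a device that was never initialised, which is exactly the path the trace in this report shows (zram_reset_device -> zcomp_destroy -> __cpuhp_state_remove_instance -> zcomp_cpu_dead faulting on a NULL pointer). In the 6.1 backport the `if (!init_done(zram))` guard has to stay ahead of the zcomp_destroy() call, or zcomp_destroy() must tolerate being called on an uninitialised device; as it stands any write to the reset sysfs attribute before the device is sized will oops the kernel.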
However, without that, zram_reset_device subsequently calls zcomp_destroy on a device that has not been initialized, leading to the OOPS. Adding that block back does resolve the issue. In addition, the latest mainline kernel does not appear to exhibit these symptoms, but zram_drv.c seems to have been changed fairly substantially since kernel 6.1.
Steps to reproduce:
modprobe zram
zramctl /dev/zram0 --algorithm zstd --size 83886080k
Kernel log:
[ 184.410082] BUG: kernel NULL pointer dereference, address: 0000000000000000
[ 184.416305] #PF: supervisor read access in kernel mode
[ 184.418201] #PF: error_code(0x0000) - not-present page
[ 184.418201] PGD 170d0b067 P4D 170d0b067 PUD 1718af067 PMD 0
[ 184.418201] Oops: 0000 [#1] PREEMPT SMP NOPTI
[ 184.418201] CPU: 2 PID: 3584 Comm: zramctl Tainted: G O K 6.1.122 #1
[ 184.418201] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.11.1-0-g0551a4be2c-prebuilt.qemu-project.org 04/01/2014
[ 184.418201] RIP: 0010:zcomp_cpu_dead+0x7/0x30 [zram]
[ 184.418201] Code: c7 d8 56 a9 c0 e8 63 f3 92 ed b8 f4 ff ff ff 5b e9 fe 10 d7 ed 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 0f 1f 44 00 00 89 ff <48> 8b 46 f0 48 03 04 fd c0 47 e7 ae 48 89 c7 48 8d 70 08 e8 11 fd
[ 184.418201] RSP: 0018:ffffaf9400a5fd28 EFLAGS: 00010246
[ 184.418201] RAX: ffffffffc0a912d0 RBX: ffff89adefa1b2e0 RCX: 0000000000000010
[ 184.418201] RDX: 0000000000000000 RSI: 0000000000000010 RDI: 0000000000000000
[ 184.418201] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000001
[ 184.418201] R10: 000000000000000a R11: f000000000000000 R12: 0000000000000aa0
[ 184.418201] R13: 0000000000000000 R14: 0000000000000010 R15: ffff89aac0cb2e20
[ 184.418201] FS: 00007fa6d240d740(0000) GS:ffff89adefa80000(0000) knlGS:0000000000000000
[ 184.418201] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 184.418201] CR2: 0000000000000000 CR3: 0000000171fd4000 CR4: 00000000003506e0
[ 184.418201] Call Trace:
[ 184.418201] <TASK>
[ 184.418201] ? __die_body+0x1a/0x60
[ 184.418201] ? page_fault_oops+0xae/0x260
[ 184.418201] ? exc_page_fault+0x67/0x140
[ 184.418201] ? asm_exc_page_fault+0x22/0x30
[ 184.418201] ? zcomp_cpu_up_prepare+0x90/0x90 [zram]
[ 184.418201] ? zcomp_cpu_dead+0x7/0x30 [zram]
[ 184.418201] ? zcomp_cpu_up_prepare+0x90/0x90 [zram]
[ 184.418201] cpuhp_invoke_callback+0xb4/0x4c0
[ 184.418201] ? zcomp_cpu_up_prepare+0x90/0x90 [zram]
[ 184.418201] cpuhp_issue_call+0xeb/0x140
[ 184.418201] __cpuhp_state_remove_instance+0xdb/0x1a0
[ 184.418201] zcomp_destroy+0x1c/0x30 [zram]
[ 184.418201] zram_reset_device+0xf3/0x120 [zram]
[ 184.418201] reset_store+0x9d/0x100 [zram]
[ 184.418201] kernfs_fop_write_iter+0x11e/0x1b0
[ 184.418201] vfs_write+0x2ae/0x3c0
[ 184.418201] ksys_write+0x5c/0xe0
[ 184.418201] do_syscall_64+0x32/0x80
[ 184.552119] python3 (3612) used greatest stack depth: 11736 bytes left
[ 184.418201] entry_SYSCALL_64_after_hwframe+0x6e/0xd8
[ 184.418201] RIP: 0033:0x7fa6d2506d00
[ 184.418201] Code: 40 00 48 8b 15 29 91 0d 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb af 0f 1f 00 80 3d e1 18 0e 00 00 74 17 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 58 c3 0f 1f 80 00 00 00 00 41 54 49 89 d4 55
[ 184.418201] RSP: 002b:00007ffec8315ec8 EFLAGS: 00000202 ORIG_RAX: 0000000000000001
[ 184.418201] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007fa6d2506d00
[ 184.418201] RDX: 0000000000000001 RSI: 00007ffec8315ee0 RDI: 0000000000000003
[ 184.418201] RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000001
[ 184.418201] R10: 0000000000000004 R11: 0000000000000202 R12: 00007fa6d240d6c0
[ 184.418201] R13: 00007ffec8315ee0 R14: 0000000000000003 R15: 00007ffec8315ed0
[ 184.418201] </TASK>
[ 184.418201] Modules linked in: zram zsmalloc bcache crc64 ip6table_filter ip6_tables iptable_filter xt_conntrack iptable_mangle xt_connmark nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 ip_tables x_tables vfat fat btrfs blake2b_generic xor raid6_pq libcrc32c dm_multipath dm_mod bridge stp llc bonding nfs lockd grace sunrpc fscache torch(O) ipmi_devintf ipmi_msghandler sr_mod kvm_amd mousedev cdrom virtio_blk kvm ata_generic pata_acpi irqbypass crc32c_intel aesni_intel ata_piix crypto_simd virtio_pci virtio_pci_legacy_dev psmouse virtio_pci_modern_dev i6300esb e1000 libata cryptd i2c_piix4 evdev procmemro(OK) noptrace(OK)
[ 184.418201] CR2: 0000000000000000
[ 184.418201] ---[ end trace 0000000000000000 ]---
[ 184.418201] RIP: 0010:zcomp_cpu_dead+0x7/0x30 [zram]
[ 184.418201] Code: c7 d8 56 a9 c0 e8 63 f3 92 ed b8 f4 ff ff ff 5b e9 fe 10 d7 ed 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 0f 1f 44 00 00 89 ff <48> 8b 46 f0 48 03 04 fd c0 47 e7 ae 48 89 c7 48 8d 70 08 e8 11 fd
[ 184.418201] RSP: 0018:ffffaf9400a5fd28 EFLAGS: 00010246
[ 184.418201] RAX: ffffffffc0a912d0 RBX: ffff89adefa1b2e0 RCX: 0000000000000010
[ 184.418201] RDX: 0000000000000000 RSI: 0000000000000010 RDI: 0000000000000000
[ 184.418201] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000001
[ 184.418201] R10: 000000000000000a R11: f000000000000000 R12: 0000000000000aa0
[ 184.418201] R13: 0000000000000000 R14: 0000000000000010 R15: ffff89aac0cb2e20
[ 184.418201] FS: 00007fa6d240d740(0000) GS:ffff89adefa80000(0000) knlGS:0000000000000000
[ 184.418201] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 184.418201] CR2: 0000000000000000 CR3: 0000000171fd4000 CR4: 00000000003506e0
[ 184.418201] Kernel panic - not syncing: Fatal exception
[ 184.418201] Kernel Offset: 0x2c800000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
[ 184.418201] Rebooting in 120 seconds..
Thanks,
-- Kenneth Van Alstyne, Jr.
linux-stable-mirror@lists.linaro.org