2401425 – (CVE-2025-39941) CVE-2025-39941 kernel: zram: fix slot write race condition

Bug 2401425 (CVE-2025-39941) - CVE-2025-39941 kernel: zram: fix slot write race condition

Summary: CVE-2025-39941 kernel: zram: fix slot write race condition

Keywords:
Status:	NEW
Alias:	CVE-2025-39941
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2025-10-04 08:02 UTC by OSIDB Bzimport
Modified:	2025-10-06 18:10 UTC (History)
CC List:	0 users
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2025-10-04 08:02:38 UTC

In the Linux kernel, the following vulnerability has been resolved:

zram: fix slot write race condition

Parallel concurrent writes to the same zram index result in leaked
zsmalloc handles.  Schematically we can have something like this:

CPU0                              CPU1
zram_slot_lock()
zs_free(handle)
zram_slot_lock()
				zram_slot_lock()
				zs_free(handle)
				zram_slot_lock()

compress			compress
handle = zs_malloc()		handle = zs_malloc()
zram_slot_lock
zram_set_handle(handle)
zram_slot_lock
				zram_slot_lock
				zram_set_handle(handle)
				zram_slot_lock

Either CPU0 or CPU1 zsmalloc handle will leak because zs_free() is done
too early.  In fact, we need to reset zram entry right before we set its
new handle, all under the same slot lock scope.

Comment 1 Jon Moroney 2025-10-06 15:49:27 UTC

Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2025100418-CVE-2025-39941-f256@gregkh/T

Note You need to log in before you can comment on or make changes to this bug.