CVE-2025-22030: mm: zswap: fix crypto_free_acomp() deadlock in zswap_cpu_comp_dead()
In the Linux kernel, the following vulnerability has been resolved:
mm: zswap: fix crypto_free_acomp() deadlock in zswap_cpu_comp_dead()
Currently, zswap_cpu_comp_dead() calls crypto_free_acomp() while holding
the per-CPU acomp_ctx mutex. crypto_free_acomp() then holds scomp_lock
(through crypto_exit_scomp_ops_async()).
On the other hand, crypto_alloc_acomp_node() holds the scomp_lock (through
crypto_scomp_init_tfm()), and then allocates memory. If the allocation
results in reclaim, we may attempt to hold the per-CPU acomp_ctx mutex.
The above dependencies can cause an ABBA deadlock. For example in the
following scenario:
(1) Task A running on CPU #1:
crypto_alloc_acomp_node()
Holds scomp_lock
Enters reclaim
Reads per_cpu_ptr(pool->acomp_ctx, 1)
(2) Task A is descheduled
(3) CPU #1 goes offline
zswap_cpu_comp_dead(CPU #1)
Holds per_cpu_ptr(pool->acomp_ctx, 1))
Calls crypto_free_acomp()
Waits for scomp_lock
(4) Task A running on CPU #2:
Waits for per_cpu_ptr(pool->acomp_ctx, 1) // Read on CPU #1
DEADLOCK
Since there is no requirement to call crypto_free_acomp() with the per-CPU
acomp_ctx mutex held in zswap_cpu_comp_dead(), move it after the mutex is
unlocked. Also move the acomp_request_free() and kfree() calls for
consistency and to avoid any potential sublte locking dependencies in the
future.
With this, only setting acomp_ctx fields to NULL occurs with the mutex
held. This is similar to how zswap_cpu_comp_prepare() only initializes
acomp_ctx fields with the mutex held, after performing all allocations
before holding the mutex.
Opportunistically, move the NULL check on acomp_ctx so that it takes place
before the mutex dereference.
Security readout for executives and security teams
Plain-English summary
CVE-2025-22030 is a Linux kernel zswap locking bug that can deadlock the system during memory reclaim and CPU offline handling. The available sources describe a reliability and availability risk, not data theft or remote code execution. Severity is not scored in the bundle, so business urgency depends on whether affected kernels and zswap-related workloads are present.
Executive priority
Handle through normal kernel patch governance unless affected systems are business-critical, heavily memory-constrained, or depend on CPU hotplug operations. There is no cited active exploitation, but a kernel deadlock can still create service interruption, so prioritize validation and vendor-supported updates over emergency response.
Technical view
The issue is an ABBA deadlock between zswap_cpu_comp_dead() holding a per-CPU acomp_ctx mutex while calling crypto_free_acomp(), and crypto_alloc_acomp_node() holding scomp_lock before memory allocation and reclaim. The fix moves crypto_free_acomp(), acomp_request_free(), and kfree() outside the mutex-held section, leaving only NULL field updates protected.
Likely exposure
Exposure appears limited to Linux systems running affected kernel versions with zswap code paths reachable, especially where CPU offline events and memory reclaim can interact. The bundle lists affected Linux versions including 6.13, 6.12.23, 6.13.11, 6.14.2, and 6.15, but distribution backport status must be verified separately.
Exploitation context
The provided sources do not show active exploitation, public exploit availability, or KEV listing. The described scenario is a kernel deadlock condition requiring specific timing around allocation, reclaim, zswap compression context locking, and CPU offline handling. Treat it primarily as an availability risk until vendor scoring or exploitation evidence says otherwise.
Researcher notes
The source record is unusually sparse: no CVSS, no CWE, and no explicit threat model beyond the locking scenario. The strongest evidence is the kernel fix rationale. Research should focus on affected kernel lineage, distro backports, zswap enablement, and whether CPU hotplug plus reclaim is plausible in monitored environments.
Mitigation direction
Check your Linux distribution advisory for fixed kernel packages or backports.
Update affected kernels to vendor-supported builds containing the stable zswap fix.
Prioritize systems using zswap, memory pressure, or CPU hotplug/offline workflows.
If patching is delayed, follow vendor guidance for zswap-related risk reduction.
Track kernel stable commit inclusion across fleet kernel versions.
Validation and detection
Inventory kernel versions across Linux hosts and compare against vendor fixed builds.
Check whether zswap is enabled or operationally relied upon on each host class.
Review uptime, kernel logs, and monitoring for unexplained hangs under memory pressure.
Confirm patched kernels include one of the referenced stable fixes or downstream backport.
Retest representative workloads involving memory pressure after kernel updates.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cve · low confidence lookup
CVE-2025-22030 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
0CVSS vectors
3Timeline events
0ADP providers
5Source links
Vulnerability timeline
Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.
CVE reservedCVE Program
The CVE ID was reserved by the assigning CNA.
CVE publishedCVE Program
The CVE record was published.
Apr 16, 2025, 14:11 UTC (UTC+00:00)
CVE updatedCVE Program
The CVE record metadata indicates this as the latest update time.