CVE-2025-21860

Source
https://nvd.nist.gov/vuln/detail/CVE-2025-21860
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-21860.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-21860
Published
2025-03-12T09:42:18Z
Modified
2025-10-15T22:11:06.892070Z
Summary
mm/zswap: fix inconsistency when zswap_store_page() fails
Details

In the Linux kernel, the following vulnerability has been resolved:

mm/zswap: fix inconsistency when zswap_store_page() fails

Commit b7c0ccdfbafd ("mm: zswap: support large folios in zswap_store()") skips charging any zswap entries when it failed to zswap the entire folio.

However, when some base pages are zswapped but it failed to zswap the entire folio, the zswap operation is rolled back. When freeing zswap entries for those pages, zswap_entry_free() uncharges the zswap entries that were not previously charged, causing zswap charging to become inconsistent.

This inconsistency triggers two warnings with the following steps:
  # On a machine with 64GiB of RAM and 36GiB of zswap
  $ stress-ng --bigheap 2
  # wait until the OOM-killer kills stress-ng
  $ sudo reboot

The two warnings are:

in mm/memcontrol.c:163, function obj_cgroup_release():
  WARN_ON_ONCE(nr_bytes & (PAGE_SIZE - 1));

in mm/page_counter.c:60, function page_counter_cancel():
  if (WARN_ONCE(new < 0, "page_counter underflow: %ld nr_pages=%lu\n",
  new, nr_pages))

zswap_stored_pages also becomes inconsistent in the same way.

As suggested by Kanchana, increment zswap_stored_pages and charge zswap entries within zswap_store_page() when it succeeds. This way, zswap_entry_free() will decrement the counter and uncharge the entries when it failed to zswap the entire folio.

While this could potentially be optimized by batching objcg charging and incrementing the counter, let's focus on fixing the bug this time and leave the optimization for later after some evaluation.

After resolving the inconsistency, the warnings disappear.

[42.hyeyoo@gmail.com: refactor zswap_store_page()]
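
The accounting imbalance described above, as a simplified user-space C model. It is an example added here, not kernel code and not part of the advisory or the fix. The struct, the function names and the one-unit-per-page charge are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdio.h>

/* Simplified user-space model; all names are hypothetical, not kernel code. */
struct acct { long charged, stored_pages; };

/* Freeing an entry always uncharges and decrements the counter, as the
 * advisory describes for zswap_entry_free(). */
static void model_entry_free(struct acct *a)
{
    a->charged--;
    a->stored_pages--;
}

/* Store a folio of nr_pages base pages; page index fail_at fails (-1: none).
 * charge_per_page=false: charge only after the whole folio succeeds (before
 * the fix). true: charge as each page is stored (the fixed ordering). */
static bool model_store_folio(struct acct *a, int nr_pages, int fail_at,
                              bool charge_per_page)
{
    int stored = 0;
    for (int i = 0; i < nr_pages; i++, stored++) {
        if (i == fail_at)
            goto rollback;
        if (charge_per_page) {
            a->charged++;
            a->stored_pages++;
        }
    }
    if (!charge_per_page) {
        a->charged += nr_pages;
        a->stored_pages += nr_pages;
    }
    return true;
rollback:
    while (stored-- > 0)   /* undo the pages stored so far */
        model_entry_free(a);
    return false;
}

int main(void)
{
    struct acct before = {0, 0}, after = {0, 0};
    model_store_folio(&before, 16, 5, false);
    model_store_folio(&after, 16, 5, true);
    printf("before fix: charged=%ld\n", before.charged);   /* -5 */
    printf("after fix:  charged=%ld\n", after.charged);    /* 0 */
    return 0;
}
```

A negative `charged` value in the model corresponds to the underflow that page_counter_cancel() warns about; with per-page charging the rollback leaves both counters where they started.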

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
b7c0ccdfbafdec98699ddb6f164beebf16f0bc45
Fixed
a3652f5552b20903315612da487a7be2b95394d5
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
b7c0ccdfbafdec98699ddb6f164beebf16f0bc45
Fixed
63895d20d63b446f5049a963983489319c2ea3e2

Affected versions

v6.*

v6.12
v6.12-rc7
v6.13
v6.13-rc1
v6.13-rc2
v6.13-rc3
v6.13-rc4
v6.13-rc5
v6.13-rc6
v6.13-rc7
v6.13.1
v6.13.2
v6.13.3
v6.13.4
v6.14-rc1
v6.14-rc2
v6.14-rc3

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.13.5