CVE-2025-68262

In the Linux kernel, the following vulnerability has been resolved:

crypto: zstd - fix double-free in per-CPU stream cleanup

The crypto/zstd module has a double-free bug that occurs when multiple tfms are allocated and freed.

The issue happens because zstdstreams (per-CPU contexts) are freed in zstdexit() during every tfm destruction, rather than being managed at the module level. When multiple tfms exist, each tfm exit attempts to free the same shared per-CPU streams, resulting in a double-free.

This leads to a stack trace similar to:

BUG: Bad page state in process kworker/u16:1 pfn:106fd93 page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x106fd93 flags: 0x17ffffc0000000(node=0|zone=2|lastcpupid=0x1fffff) pagetype: 0xffffffff() raw: 0017ffffc0000000 dead000000000100 dead000000000122 0000000000000000 raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000 page dumped because: nonzero entiremapcount Modules linked in: ... CPU: 3 UID: 0 PID: 2506 Comm: kworker/u16:1 Kdump: loaded Tainted: G B Hardware name: ... Workqueue: btrfs-delalloc btrfsworkhelper Call Trace: <TASK> dumpstacklvl+0x5d/0x80 badpage+0x71/0xd0 freeunrefpageprepare+0x24e/0x490 freeunrefpage+0x60/0x170 cryptoacompfreestreams+0x5d/0xc0 cryptoacompexittfm+0x23/0x50 cryptodestroytfm+0x60/0xc0 ...

Change the lifecycle management of zstd_streams to free the streams only once during module cleanup.