Re: [PATCH] xfrm: Don't increase scratch users if allocation fails
From: Khalid Masum
Date: Wed Aug 31 2022 - 08:02:08 EST
On 8/31/22 15:13, Herbert Xu wrote:
On Wed, Aug 31, 2022 at 07:41:26AM +0600, Khalid Masum wrote:
ipcomp_alloc_scratches() routine increases ipcomp_scratch_users count
even if it fails to allocate memory. Therefore, ipcomp_free_scratches()
routine, when triggered, tries to vfree() non existent percpu
ipcomp_scratches.
To fix this breakage, do not increase scratch users count if
ipcomp_alloc_scratches() fails to allocate scratches.
Reported-and-tested-by: syzbot+5ec9bb042ddfe9644773@xxxxxxxxxxxxxxxxxxxxxxxxx
Signed-off-by: Khalid Masum <khalid.masum.92@xxxxxxxxx>
---
net/xfrm/xfrm_ipcomp.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/net/xfrm/xfrm_ipcomp.c b/net/xfrm/xfrm_ipcomp.c
index cb40ff0ff28d..af9097983139 100644
--- a/net/xfrm/xfrm_ipcomp.c
+++ b/net/xfrm/xfrm_ipcomp.c
@@ -210,13 +210,15 @@ static void * __percpu *ipcomp_alloc_scratches(void)
void * __percpu *scratches;
int i;
- if (ipcomp_scratch_users++)
+ if (ipcomp_scratch_users) {
+ ipcomp_scratch_users++;
return ipcomp_scratches;
-
+ }
scratches = alloc_percpu(void *);
if (!scratches)
return NULL;
+ ipcomp_scratch_users++;
ipcomp_scratches = scratches;
This patch is broken because on error we will always call
ipcomp_free_scratches which frees any partially allocated memory
and restores ipcomp_scratch_users to zero.
With this patch ipcomp_scratch_users will turn negative on error.
Cheers,
Thanks for the review. I think it can be fixed by assigning NULL in
ipcomp_scratches when the allocation fails as ipcomp_free_scratches
checks for it. I shall follow this email with a v2 shortly.
thanks,
-- Khalid Masum