Date: Wed, 31 Aug 2022 17:13:53 +0800
From: Herbert Xu
To: Khalid Masum
Cc: netdev@vger.kernel.org, linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com, syzbot+5ec9bb042ddfe9644773@syzkaller.appspotmail.com, Steffen Klassert, "David S. Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni, linux-kernel-mentees@lists.linuxfoundation.org, Shuah Khan
Subject: Re: [PATCH] xfrm: Don't increase scratch users if allocation fails

On Wed, Aug 31, 2022 at 07:41:26AM +0600, Khalid Masum wrote:
> ipcomp_alloc_scratches() routine increases ipcomp_scratch_users count
> even if it fails to allocate memory. Therefore, ipcomp_free_scratches()
> routine, when triggered, tries to vfree() non existent percpu
> ipcomp_scratches.
>
> To fix this breakage, do not increase scratch users count if
> ipcomp_alloc_scratches() fails to allocate scratches.
>
> Reported-and-tested-by: syzbot+5ec9bb042ddfe9644773@syzkaller.appspotmail.com
> Signed-off-by: Khalid Masum
> --- > net/xfrm/xfrm_ipcomp.c | 6 ++++-- > 1 file changed, 4 insertions(+), 2 deletions(-) > > diff --git a/net/xfrm/xfrm_ipcomp.c b/net/xfrm/xfrm_ipcomp.c > index cb40ff0ff28d..af9097983139 100644 > --- a/net/xfrm/xfrm_ipcomp.c > +++ b/net/xfrm/xfrm_ipcomp.c
> @@ -210,13 +210,15 @@ static void * __percpu *ipcomp_alloc_scratches(void) > void * __percpu *scratches; > int i; > > - if (ipcomp_scratch_users++) > + if (ipcomp_scratch_users) { > + ipcomp_scratch_users++; > return ipcomp_scratches; > - > + } > scratches = alloc_percpu(void *); > if (!scratches) > return NULL; > > + ipcomp_scratch_users++; > ipcomp_scratches = scratches;

This patch is broken because on error we will always call
ipcomp_free_scratches which frees any partially allocated memory
and restores ipcomp_scratch_users to zero. With this patch
ipcomp_scratch_users will turn negative on error.

Cheers,
--
Email: Herbert Xu
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
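
Review bot: At `if (!scratches) return NULL;` the function now returns without having incremented ipcomp_scratch_users, yet the commit message says ipcomp_free_scratches() still runs after a failed allocation, and the reply above states that it restores the count on that path, so the increment in the alloc routine and the adjustment in the free routine no longer pair up and the counter can drop below zero. Keep the unconditional `ipcomp_scratch_users++` at the top so the two routines stay balanced, and address the vfree() of non-existent scratches on the free side instead, for example by making ipcomp_free_scratches() cope with an ipcomp_scratches that was never populated. The changelog should also name the caller that invokes the free routine after a failure, since that is what decides where the count has to be adjusted.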