From: Khalid Masum
To: Herbert Xu, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com
Cc: Steffen Klassert, "David S. Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni, linux-kernel-mentees@lists.linuxfoundation.org, Shuah Khan, syzbot+5ec9bb042ddfe9644773@syzkaller.appspotmail.com, Khalid Masum
Subject: [PATCH v2] xfrm: ipcomp: Update ipcomp_scratches with NULL if alloc fails
Date: Wed, 31 Aug 2022 20:29:38 +0600
Message-Id: <20220831142938.5882-1-khalid.masum.92@gmail.com>
In-Reply-To: <00000000000092839d0581fd74ad@google.com>
References: <00000000000092839d0581fd74ad@google.com>

Currently, if ipcomp_alloc_scratches() fails to allocate memory,
ipcomp_scratches holds an obsolete address. So when we try to free the
percpu scratches using ipcomp_free_scratches(), it tries to vfree a
non-existent vm area. Described below:

static void * __percpu *ipcomp_alloc_scratches(void)
{
	...
	scratches = alloc_percpu(void *);
	if (!scratches)
		return NULL;
	/* ipcomp_scratches does not know about this allocation failure,
	 * therefore it still holds the old obsolete address. */
	...
}

So when we free,

static void ipcomp_free_scratches(void)
{
	...
	scratches = ipcomp_scratches;
	/* Receiving the obsolete address from ipcomp_scratches */
	if (!scratches)
		return;

	for_each_possible_cpu(i)
		vfree(*per_cpu_ptr(scratches, i));
	/* Trying to free a non-existent page, causing the warning. */
	...
}

Fix this breakage by updating ipcomp_scratches with NULL if the above
mentioned allocation fails.

Reported-and-tested-by: syzbot+5ec9bb042ddfe9644773@syzkaller.appspotmail.com
Signed-off-by: Khalid Masum
---
diff --git a/net/xfrm/xfrm_ipcomp.c b/net/xfrm/xfrm_ipcomp.c
index cb40ff0ff28d..17815cde8a7f 100644
--- a/net/xfrm/xfrm_ipcomp.c
+++ b/net/xfrm/xfrm_ipcomp.c
@@ -215,7 +215,7 @@ static void * __percpu *ipcomp_alloc_scratches(void)
 	scratches = alloc_percpu(void *);
 	if (!scratches)
-		return NULL;
+		return ipcomp_scratches = NULL;
 	ipcomp_scratches = scratches;
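Review bot: the hunk clears the global only on the alloc_percpu() failure path, but the description's own free routine reads ipcomp_scratches and releases the area without resetting it, which is why the global "holds the old obsolete address" in the first place; if ipcomp_alloc_scratches() can fail anywhere after `ipcomp_scratches = scratches;`, the same stale value survives there too. Consider setting `ipcomp_scratches = NULL;` at the point where the percpu area is released in ipcomp_free_scratches(), instead of or in addition to this change, so that every path that leaves the area freed also leaves the global clean. As a style point, `return ipcomp_scratches = NULL;` hides a side effect inside a return expression; a plain `ipcomp_scratches = NULL;` followed by `return NULL;` reads more clearly and matches the surrounding kernel style.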
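To make the failure sequence from the commit message concrete, here is an added user-space C model; it is not code from the patch or from the kernel tree. All names (tracked_alloc, tracked_free, scratches_global, alloc_scratches_buggy, alloc_scratches_fixed, free_scratches, run_scenario) are this example's own, shaped after ipcomp_alloc_scratches()/ipcomp_free_scratches(), and the small instrumented allocator stands in for alloc_percpu()/free_percpu() so that a free of a stale pointer is counted instead of corrupting the heap.

```c
/* Added example (not from the patch or the kernel): user-space model of the
 * stale-global failure path. Names are the example's own. */
#include <stdlib.h>
#include <stdio.h>

#define MAX_BLOCKS 8

static void *live_blocks[MAX_BLOCKS]; /* blocks currently allocated */
static int fail_next_alloc;           /* 1 = simulate one allocation failure */
static int bad_free_count;            /* frees of pointers that are not live */

/* Stand-in for alloc_percpu(): can be told to fail once. */
static void *tracked_alloc(size_t n)
{
	if (fail_next_alloc) {
		fail_next_alloc = 0;
		return NULL;
	}
	for (int i = 0; i < MAX_BLOCKS; i++) {
		if (!live_blocks[i]) {
			live_blocks[i] = malloc(n);
			return live_blocks[i];
		}
	}
	return NULL;
}

/* Stand-in for free_percpu(): a pointer that is not live is a stale or
 * double free, the condition the patch is about. */
static void tracked_free(void *p)
{
	for (int i = 0; i < MAX_BLOCKS; i++) {
		if (live_blocks[i] == p) {
			free(p);
			live_blocks[i] = NULL;
			return;
		}
	}
	bad_free_count++;
}

/* Global playing the role of ipcomp_scratches. */
static void *scratches_global;

/* Pre-patch shape: a failed allocation leaves the global untouched. */
static void *alloc_scratches_buggy(void)
{
	void *s = tracked_alloc(64);
	if (!s)
		return NULL;
	scratches_global = s;
	return s;
}

/* Patched shape: a failed allocation resets the global to NULL. */
static void *alloc_scratches_fixed(void)
{
	void *s = tracked_alloc(64);
	if (!s) {
		scratches_global = NULL;
		return NULL;
	}
	scratches_global = s;
	return s;
}

/* Free path in the shape of ipcomp_free_scratches(): it trusts whatever the
 * global holds and does not clear it afterwards. */
static void free_scratches(void)
{
	void *s = scratches_global;
	if (!s)
		return;
	tracked_free(s);
}

/* Replays the commit message's sequence: allocate, free, fail to allocate,
 * then free again on the error path. Returns the number of bad frees seen. */
static int run_scenario(void *(*alloc_fn)(void))
{
	bad_free_count = 0;
	scratches_global = NULL;
	for (int i = 0; i < MAX_BLOCKS; i++) {
		free(live_blocks[i]);
		live_blocks[i] = NULL;
	}
	alloc_fn();          /* first user: allocation succeeds */
	free_scratches();    /* last user gone: area released, global now stale */
	fail_next_alloc = 1;
	alloc_fn();          /* new user: allocation fails */
	free_scratches();    /* error-path cleanup frees whatever the global holds */
	return bad_free_count;
}

int main(void)
{
	printf("buggy variant: %d bad free(s)\n", run_scenario(alloc_scratches_buggy));
	printf("fixed variant: %d bad free(s)\n", run_scenario(alloc_scratches_fixed));
	return 0;
}
```

The buggy variant reports one bad free: after the first user's area is released, the global still names the dead block, and the error-path cleanup after the failed allocation hands that dead pointer to the free routine. The fixed variant reports none. Note that the model's free path leaves the global stale on purpose, mirroring the routine quoted in the message; clearing it there as well would remove the reliance on every allocation failure path remembering to reset it.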