diff mbox series

xfrm: Don't increase scratch users if allocation fails

Message ID 20220831014126.6708-1-khalid.masum.92@gmail.com (mailing list archive)
State Awaiting Upstream
Delegated to: Netdev Maintainers
Headers show
Series xfrm: Don't increase scratch users if allocation fails | expand

Checks

Context Check Description
netdev/tree_selection success Guessed tree name to be net-next
netdev/fixes_present success Fixes tag not required for -next series
netdev/subject_prefix warning Target tree name not specified in the subject
netdev/cover_letter success Single patches do not need cover letters
netdev/patch_count success Link
netdev/header_inline success No static functions without inline keyword in header files
netdev/build_32bit success Errors and warnings before: 0 this patch: 0
netdev/cc_maintainers success CCed 7 of 7 maintainers
netdev/build_clang success Errors and warnings before: 0 this patch: 0
netdev/module_param success Was 0 now: 0
netdev/verify_signedoff success Signed-off-by tag matches author and committer
netdev/check_selftest success No net selftest shell script
netdev/verify_fixes success No Fixes tag
netdev/build_allmodconfig_warn success Errors and warnings before: 0 this patch: 0
netdev/checkpatch success total: 0 errors, 0 warnings, 0 checks, 17 lines checked
netdev/kdoc success Errors and warnings before: 0 this patch: 0
netdev/source_inline success Was 0 now: 0

Commit Message

Khalid Masum Aug. 31, 2022, 1:41 a.m. UTC 
ipcomp_alloc_scratches() routine increases ipcomp_scratch_users count
even if it fails to allocate memory. Therefore, ipcomp_free_scratches()
routine, when triggered, tries to vfree() non existent percpu 
ipcomp_scratches.

To fix this breakage, do not increase scratch users count if
ipcomp_alloc_scratches() fails to allocate scratches.

Reported-and-tested-by: syzbot+5ec9bb042ddfe9644773@syzkaller.appspotmail.com
Signed-off-by: Khalid Masum <khalid.masum.92@gmail.com>

---
 net/xfrm/xfrm_ipcomp.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

Comments

Herbert Xu Aug. 31, 2022, 9:13 a.m. UTC | #1 
On Wed, Aug 31, 2022 at 07:41:26AM +0600, Khalid Masum wrote:
> ipcomp_alloc_scratches() routine increases ipcomp_scratch_users count
> even if it fails to allocate memory. Therefore, ipcomp_free_scratches()
> routine, when triggered, tries to vfree() non existent percpu 
> ipcomp_scratches.
> 
> To fix this breakage, do not increase scratch users count if
> ipcomp_alloc_scratches() fails to allocate scratches.
> 
> Reported-and-tested-by: syzbot+5ec9bb042ddfe9644773@syzkaller.appspotmail.com
> Signed-off-by: Khalid Masum <khalid.masum.92@gmail.com>
> ---
>  net/xfrm/xfrm_ipcomp.c | 6 ++++--
>  1 file changed, 4 insertions(+), 2 deletions(-)
> 
> diff --git a/net/xfrm/xfrm_ipcomp.c b/net/xfrm/xfrm_ipcomp.c
> index cb40ff0ff28d..af9097983139 100644
> --- a/net/xfrm/xfrm_ipcomp.c
> +++ b/net/xfrm/xfrm_ipcomp.c
> @@ -210,13 +210,15 @@ static void * __percpu *ipcomp_alloc_scratches(void)
>  	void * __percpu *scratches;
>  	int i;
>  
> -	if (ipcomp_scratch_users++)
> +	if (ipcomp_scratch_users) {
> +		ipcomp_scratch_users++;
>  		return ipcomp_scratches;
> -
> +	}
>  	scratches = alloc_percpu(void *);
>  	if (!scratches)
>  		return NULL;
>  
> +	ipcomp_scratch_users++;
>  	ipcomp_scratches = scratches;

This patch is broken because on error we will always call
ipcomp_free_scratches which frees any partially allocated memory
and restores ipcomp_scratch_users to zero.

With this patch ipcomp_scratch_users will turn negative on error.

Cheers,
Khalid Masum Aug. 31, 2022, 12:01 p.m. UTC | #2 
On 8/31/22 15:13, Herbert Xu wrote:
> On Wed, Aug 31, 2022 at 07:41:26AM +0600, Khalid Masum wrote:
>> ipcomp_alloc_scratches() routine increases ipcomp_scratch_users count
>> even if it fails to allocate memory. Therefore, ipcomp_free_scratches()
>> routine, when triggered, tries to vfree() non existent percpu
>> ipcomp_scratches.
>>
>> To fix this breakage, do not increase scratch users count if
>> ipcomp_alloc_scratches() fails to allocate scratches.
>>
>> Reported-and-tested-by: syzbot+5ec9bb042ddfe9644773@syzkaller.appspotmail.com
>> Signed-off-by: Khalid Masum <khalid.masum.92@gmail.com>
>> ---
>>   net/xfrm/xfrm_ipcomp.c | 6 ++++--
>>   1 file changed, 4 insertions(+), 2 deletions(-)
>>
>> diff --git a/net/xfrm/xfrm_ipcomp.c b/net/xfrm/xfrm_ipcomp.c
>> index cb40ff0ff28d..af9097983139 100644
>> --- a/net/xfrm/xfrm_ipcomp.c
>> +++ b/net/xfrm/xfrm_ipcomp.c
>> @@ -210,13 +210,15 @@ static void * __percpu *ipcomp_alloc_scratches(void)
>>   	void * __percpu *scratches;
>>   	int i;
>>   
>> -	if (ipcomp_scratch_users++)
>> +	if (ipcomp_scratch_users) {
>> +		ipcomp_scratch_users++;
>>   		return ipcomp_scratches;
>> -
>> +	}
>>   	scratches = alloc_percpu(void *);
>>   	if (!scratches)
>>   		return NULL;
>>   
>> +	ipcomp_scratch_users++;
>>   	ipcomp_scratches = scratches;
> 
> This patch is broken because on error we will always call
> ipcomp_free_scratches which frees any partially allocated memory
> and restores ipcomp_scratch_users to zero.
> 
> With this patch ipcomp_scratch_users will turn negative on error.
> 
> Cheers,

Thanks for the review. I think it can be fixed by assigning NULL in 
ipcomp_scratches when the allocation fails as ipcomp_free_scratches
checks for it. I shall follow this email with a v2 shortly.

thanks,
   -- Khalid Masum
diff mbox series

Patch

diff --git a/net/xfrm/xfrm_ipcomp.c b/net/xfrm/xfrm_ipcomp.c
index cb40ff0ff28d..af9097983139 100644
--- a/net/xfrm/xfrm_ipcomp.c
+++ b/net/xfrm/xfrm_ipcomp.c
@@ -210,13 +210,15 @@  static void * __percpu *ipcomp_alloc_scratches(void)
 	void * __percpu *scratches;
 	int i;
 
-	if (ipcomp_scratch_users++)
+	if (ipcomp_scratch_users) {
+		ipcomp_scratch_users++;
 		return ipcomp_scratches;
-
+	}
 	scratches = alloc_percpu(void *);
 	if (!scratches)
 		return NULL;
 
+	ipcomp_scratch_users++;
 	ipcomp_scratches = scratches;
 
 	for_each_possible_cpu(i) {