Patch "xfrm: Update ipcomp_scratches with NULL when freed" has been added to the 6.0-stable tree

This is a note to let you know that I've just added the patch titled

    xfrm: Update ipcomp_scratches with NULL when freed

to the 6.0-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     xfrm-update-ipcomp_scratches-with-null-when-freed.patch
and it can be found in the queue-6.0 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 21ecfe6097ff8a0911a1bde8e94905d05c2640fb
Author: Khalid Masum <khalid.masum.92@xxxxxxxxx>
Date:   Thu Sep 1 13:12:10 2022 +0600

    xfrm: Update ipcomp_scratches with NULL when freed
    
    [ Upstream commit 8a04d2fc700f717104bfb95b0f6694e448a4537f ]
    
    Currently if ipcomp_alloc_scratches() fails to allocate memory
    ipcomp_scratches holds obsolete address. So when we try to free the
    percpu scratches using ipcomp_free_scratches() it tries to vfree non
    existent vm area. Described below:
    
    static void * __percpu *ipcomp_alloc_scratches(void)
    {
            ...
            scratches = alloc_percpu(void *);
            if (!scratches)
                    return NULL;
    ipcomp_scratches does not know about this allocation failure.
    Therefore holding the old obsolete address.
            ...
    }
    
    So when we free,
    
    static void ipcomp_free_scratches(void)
    {
            ...
            scratches = ipcomp_scratches;
    Assigning obsolete address from ipcomp_scratches
    
            if (!scratches)
                    return;
    
            for_each_possible_cpu(i)
                   vfree(*per_cpu_ptr(scratches, i));
    Trying to free non existent page, causing warning: trying to vfree
    existent vm area.
            ...
    }
    
    Fix this breakage by updating ipcomp_scratches with NULL when scratches
    is freed
    
    Suggested-by: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>
    Reported-by: syzbot+5ec9bb042ddfe9644773@xxxxxxxxxxxxxxxxxxxxxxxxx
    Tested-by: syzbot+5ec9bb042ddfe9644773@xxxxxxxxxxxxxxxxxxxxxxxxx
    Signed-off-by: Khalid Masum <khalid.masum.92@xxxxxxxxx>
    Acked-by: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>
    Signed-off-by: Steffen Klassert <steffen.klassert@xxxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/net/xfrm/xfrm_ipcomp.c b/net/xfrm/xfrm_ipcomp.c
index cb40ff0ff28d..92ad336a83ab 100644
--- a/net/xfrm/xfrm_ipcomp.c
+++ b/net/xfrm/xfrm_ipcomp.c
@@ -203,6 +203,7 @@ static void ipcomp_free_scratches(void)
 		vfree(*per_cpu_ptr(scratches, i));
 
 	free_percpu(scratches);
+	ipcomp_scratches = NULL;
 }
 
 static void * __percpu *ipcomp_alloc_scratches(void)
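
Review bot: The reset to NULL at the end of ipcomp_free_scratches() comes after free_percpu(scratches), so ipcomp_scratches still points at freed per-cpu memory while the vfree() loop and free_percpu() run. That is safe only if every reader of ipcomp_scratches is serialized against this function, which the hunk does not show. Clearing the global immediately after it is copied into the local `scratches` would remove that dependency. A short comment on the new line would also help, stating that the reset keeps a later failed ipcomp_alloc_scratches() from leaving a stale address to be freed again, since that reason currently lives only in the commit message.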


