On Thu, Apr 24, 2025 at 10:15:50PM +0200, Sabrina Dubroca wrote:
> Commit ddd0a42671c0 only increments scomp_scratch_users when it was 0,
> causing a panic when using ipcomp:
>
> Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] SMP KASAN NOPTI
> KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
> CPU: 1 UID: 0 PID: 619 Comm: ping Tainted: G N 6.15.0-rc3-net-00032-ga79be02bba5c #41 PREEMPT(full)
> Tainted: [N]=TEST
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Arch Linux 1.16.3-1-1 04/01/2014
> RIP: 0010:inflate_fast+0x5a2/0x1b90
> [...]
> Call Trace:
> <IRQ>
> zlib_inflate+0x2d60/0x6620
> deflate_sdecompress+0x166/0x350
> scomp_acomp_comp_decomp+0x45f/0xa10
> scomp_acomp_decompress+0x21/0x120
> acomp_do_req_chain+0x3e5/0x4e0
> ipcomp_input+0x212/0x550
> xfrm_input+0x2de2/0x72f0
> [...]
> Kernel panic - not syncing: Fatal exception in interrupt
> Kernel Offset: disabled
> ---[ end Kernel panic - not syncing: Fatal exception in interrupt ]---
>
> Instead, let's keep the old increment, and decrement back to 0 if the
> scratch allocation fails.
>
> Fixes: ddd0a42671c0 ("crypto: scompress - Fix scratch allocation failure handling")
> Signed-off-by: Sabrina Dubroca <sd@xxxxxxxxxxxxxxx>
> ---
> crypto/scompress.c | 5 ++---
> 1 file changed, 2 insertions(+), 3 deletions(-)
Patch applied. Thanks.
--
Email: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
