From: Alexey Dobriyan
Subject: [PATCH] ipcomp: double free at ipcomp_destroy()
Date: Sun, 14 Feb 2010 16:44:15 +0200
Message-ID: <20100214144415.GA8115@x200>
To: davem@davemloft.net
Cc: netdev@vger.kernel.org, herbert@gondor.apana.org.au

Consider using ipcomp with tunnel mode:

pfkey_add -> xfrm_state_init -> x->type->init_state() == ipcomp4_init_state

1. If ipcomp_tunnel_attach() fails, the xfrm_state private data (x->data) is freed the first time (synchronously), but a stale pointer is left.

2. xfrm_state_init() failed, all right, we're going to do the error unwind, but this time asynchronously, and we're going to double free x->data asynchronously.

Fix by clearing the x->data pointer, so the second time it'll be fine.

Note, the second time can happen at a quite arbitrary time; double free messages were seen in completely irrelevant functions, e.g.

INFO: Allocated in icmp_sk_init
INFO: Freed in icmp_sk_exit
[] kfree+0xab/0x140
[] free_sect_attrs (!)
[] free_module

The only common thing was the kmalloc-16 cache.

Signed-off-by: Alexey Dobriyan
---
 net/xfrm/xfrm_ipcomp.c | 1 +
 1 file changed, 1 insertion(+)

--- a/net/xfrm/xfrm_ipcomp.c
+++ b/net/xfrm/xfrm_ipcomp.c
@@ -332,6 +332,7 @@ void ipcomp_destroy(struct xfrm_state *x) ipcomp_free_data(ipcd); mutex_unlock(&ipcomp_resource_mutex); kfree(ipcd); + x->data = NULL; } EXPORT_SYMBOL_GPL(ipcomp_destroy);
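Review bot: the added `x->data = NULL;` only stops the deferred second ipcomp_destroy() call from freeing ipcd again if the function returns early on a NULL x->data, and that guard is outside the visible hunk; the commit message should state that early return explicitly so the reader can confirm the second call now becomes a no-op rather than a NULL dereference. A one-line comment above the assignment, e.g. `/* destroy may run again asynchronously after a failed init_state */`, would also record why the pointer is cleared after kfree(ipcd) rather than leaving it to be rediscovered from the double-free reports quoted above.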