crypto: scomp - Fix wild memory accesses in scomp_free_streams
authorHerbert Xu <herbert@gondor.apana.org.au>
Fri, 11 Apr 2025 01:26:47 +0000 (09:26 +0800)
committerHerbert Xu <herbert@gondor.apana.org.au>
Sat, 12 Apr 2025 01:33:09 +0000 (09:33 +0800)
In order to use scomp_free_streams to free the partially allocated
streams in the allocation error path, move the alg->stream assignment
to the beginning.  Also check for error pointers in scomp_free_streams
before freeing the ctx.

Finally set alg->stream to NULL to not break subsequent attempts
to allocate the streams.

Fixes: 3d72ad46a23a ("crypto: acomp - Move stream management into scomp layer")
Reported-by: syzkaller <syzkaller@googlegroups.com>
Co-developed-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Co-developed-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
crypto/scompress.c

index f67ce38d203d84283044740defe27fd22736ab62..5762fcc63b5158aa043c5bead4699584fabeb43c 100644 (file)
@@ -111,13 +111,14 @@ static void scomp_free_streams(struct scomp_alg *alg)
        struct crypto_acomp_stream __percpu *stream = alg->stream;
        int i;
 
+       alg->stream = NULL;
        if (!stream)
                return;
 
        for_each_possible_cpu(i) {
                struct crypto_acomp_stream *ps = per_cpu_ptr(stream, i);
 
-               if (!ps->ctx)
+               if (IS_ERR_OR_NULL(ps->ctx))
                        break;
 
                alg->free_ctx(ps->ctx);
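Review bot: The `break` on the first `IS_ERR_OR_NULL(ps->ctx)` slot relies on an invariant that is not written down: contexts are filled in the same `for_each_possible_cpu` order, and every slot after the one where allocation stopped is still NULL. That holds only if the per-CPU area starts out zeroed, which the allocation call outside this hunk presumably guarantees. I would add a comment above the check, e.g. `/* ctxs are allocated in CPU order; the first NULL or ERR_PTR slot marks where allocation stopped */`. The function body continues past the end of this hunk.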
@@ -135,6 +136,8 @@ static int scomp_alloc_streams(struct scomp_alg *alg)
        if (!stream)
                return -ENOMEM;
 
+       alg->stream = stream;
+
        for_each_possible_cpu(i) {
                struct crypto_acomp_stream *ps = per_cpu_ptr(stream, i);
 
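Review bot: Setting `alg->stream` before the loop means a call to scomp_free_streams() from the allocation error path now really frees the streams, so that path must not read `ps` afterwards. The error branch lies between this hunk and the next and is not shown; if it calls scomp_free_streams(alg) and then returns `PTR_ERR(ps->ctx)`, the return would read memory that was just released. In that case the error code should be saved first: `int err = PTR_ERR(ps->ctx);`, then `scomp_free_streams(alg);` and `return err;`. The early assignment also makes a half-initialised stream visible through `alg->stream`, so a short comment naming the lock that serialises callers would help; the locking is not visible here.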
@@ -146,8 +149,6 @@ static int scomp_alloc_streams(struct scomp_alg *alg)
 
                spin_lock_init(&ps->lock);
        }
-
-       alg->stream = stream;
        return 0;
 }