From: Ben Hutchings
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
CC: akpm@linux-foundation.org, "Herbert Xu", "Jan Engelhardt", "David S. Miller"
Date: Wed, 28 Feb 2018 15:20:18 +0000
X-Mailer: LinuxStableQueue (scripts by bwh)
Subject: [PATCH 3.16 139/254] crypto: n2 - cure use after free

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------
From: Jan Engelhardt

commit 203f45003a3d03eea8fa28d74cfc74c354416fdb upstream.

queue_cache_init is first called for the Control Word Queue
(n2_crypto_probe). At that time, queue_cache[0] is NULL and a new
kmem_cache will be allocated. If the subsequent n2_register_algs call
fails, the kmem_cache will be released in queue_cache_destroy, but
queue_cache_init[0] is not set back to NULL.

So when the Module Arithmetic Unit gets probed next (n2_mau_probe),
queue_cache_init will not allocate a kmem_cache again, but leave it as
its bogus value, causing a BUG() to trigger when queue_cache[0] is
eventually passed to kmem_cache_zalloc:

	n2_crypto: Found N2CP at /virtual-devices@100/n2cp@7
	n2_crypto: Registered NCS HVAPI version 2.0
	called queue_cache_init
	n2_crypto: md5 alg registration failed
	n2cp f028687c: /virtual-devices@100/n2cp@7: Unable to register algorithms.
	called queue_cache_destroy
	n2cp: probe of f028687c failed with error -22
	n2_crypto: Found NCP at /virtual-devices@100/ncp@6
	n2_crypto: Registered NCS HVAPI version 2.0
	called queue_cache_init
	kernel BUG at mm/slab.c:2993!
	Call Trace:
	 [0000000000604488] kmem_cache_alloc+0x1a8/0x1e0
	                    (inlined) kmem_cache_zalloc
	                    (inlined) new_queue
	                    (inlined) spu_queue_setup
	                    (inlined) handle_exec_unit
	 [0000000010c61eb4] spu_mdesc_scan+0x1f4/0x460 [n2_crypto]
	 [0000000010c62b80] n2_mau_probe+0x100/0x220 [n2_crypto]
	 [000000000084b174] platform_drv_probe+0x34/0xc0

Signed-off-by: Jan Engelhardt
Acked-by: David S. Miller
Signed-off-by: Herbert Xu
Signed-off-by: Ben Hutchings
---
 drivers/crypto/n2_core.c | 3 +++
 1 file changed, 3 insertions(+)

--- a/drivers/crypto/n2_core.c
+++ b/drivers/crypto/n2_core.c
@@ -1644,6 +1644,7 @@ static int queue_cache_init(void)
 					  CWQ_ENTRY_SIZE, 0, NULL);
 	if (!queue_cache[HV_NCS_QTYPE_CWQ - 1]) {
 		kmem_cache_destroy(queue_cache[HV_NCS_QTYPE_MAU - 1]);
+		queue_cache[HV_NCS_QTYPE_MAU - 1] = NULL;
 		return -ENOMEM;
 	}
 	return 0;
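Review bot: the reset of queue_cache[HV_NCS_QTYPE_MAU - 1] is placed directly after the kmem_cache_destroy() call, so the slot never outlives the cache it points to; that is the right spot. The CWQ slot needs no reset on this path because the enclosing "if (!queue_cache[HV_NCS_QTYPE_CWQ - 1])" already guarantees it is NULL, so after this error return both slots are back in their pre-init state and a later queue_cache_init() allocates fresh caches instead of reusing a freed one. Worth a one-line comment above the added assignment saying why the slot is cleared, since the same "destroy then NULL" pair now also appears in queue_cache_destroy() and a future reader may otherwise drop one of the two as redundant.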
@@ -1653,6 +1654,8 @@ static void queue_cache_destroy(void)
 {
 	kmem_cache_destroy(queue_cache[HV_NCS_QTYPE_MAU - 1]);
 	kmem_cache_destroy(queue_cache[HV_NCS_QTYPE_CWQ - 1]);
+	queue_cache[HV_NCS_QTYPE_MAU - 1] = NULL;
+	queue_cache[HV_NCS_QTYPE_CWQ - 1] = NULL;
 }
 
 static int spu_queue_register(struct spu_queue *p, unsigned long q_type)
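Review bot: clearing both slots after the two kmem_cache_destroy() calls is exactly what the failure sequence in the commit message needs: n2_register_algs fails in n2_crypto_probe, queue_cache_destroy() frees the caches, and the following n2_mau_probe calls queue_cache_init() again, which (per the commit message) skips allocation when the slot is already non-NULL and would otherwise hand the stale pointer to kmem_cache_zalloc. The two assignments sit after both destroy calls rather than interleaved with them, which is fine here since nothing runs in between, but a reader checking "is every destroy followed by a NULL" has to match them up by index; putting each assignment immediately after its own kmem_cache_destroy() line (MAU, then CWQ) would make that pairing visible at a glance and keep this function in step with the error path in queue_cache_init(), which already uses the destroy-then-NULL order.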