From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Jonathan Cameron, John Garry, Herbert Xu
Subject: [PATCH 4.19 095/205] crypto: hisilicon - Fix reference after free of memories on error path
Date: Mon, 19 Nov 2018 17:26:42 +0100
Message-Id: <20181119162632.718350821@linuxfoundation.org>
In-Reply-To: <20181119162616.586062722@linuxfoundation.org>
References: <20181119162616.586062722@linuxfoundation.org>

4.19-stable review patch. If anyone has any objections, please let me know.

------------------

From: John Garry

commit 0b0cf6af3f3151c26c27e8e51def5527091c3e69 upstream.

coccicheck currently warns of the following issues in the driver:
drivers/crypto/hisilicon/sec/sec_algs.c:864:51-66: ERROR: reference preceded by free on line 812
drivers/crypto/hisilicon/sec/sec_algs.c:864:40-49: ERROR: reference preceded by free on line 813
drivers/crypto/hisilicon/sec/sec_algs.c:861:8-24: ERROR: reference preceded by free on line 814
drivers/crypto/hisilicon/sec/sec_algs.c:860:41-51: ERROR: reference preceded by free on line 815
drivers/crypto/hisilicon/sec/sec_algs.c:867:7-18: ERROR: reference preceded by free on line 816

It would appear that on certain error paths that we may attempt
reference-after-free some memories.

This patch fixes those issues. The solution doesn't look perfect, but
having same memories free'd possibly from separate functions makes it
tricky.

Fixes: 915e4e8413da ("crypto: hisilicon - SEC security accelerator driver")
Reviewed-by: Jonathan Cameron
Cc:
Signed-off-by: John Garry
Signed-off-by: Herbert Xu
Signed-off-by: Greg Kroah-Hartman --- drivers/crypto/hisilicon/sec/sec_algs.c | 21 +++++++++++---------- 1 file changed, 11 insertions(+), 10 deletions(-) --- a/drivers/crypto/hisilicon/sec/sec_algs.c +++ b/drivers/crypto/hisilicon/sec/sec_algs.c @@ -808,13 +808,6 @@ static int sec_alg_skcipher_crypto(struc * more refined but this is unlikely to happen so no need. */ - /* Cleanup - all elements in pointer arrays have been coppied */ - kfree(splits_in_nents); - kfree(splits_in); - kfree(splits_out_nents); - kfree(splits_out); - kfree(split_sizes); - /* Grab a big lock for a long time to avoid concurrency issues */ mutex_lock(&queue->queuelock); @@ -829,13 +822,13 @@ static int sec_alg_skcipher_crypto(struc (!queue->havesoftqueue || kfifo_avail(&queue->softqueue) > steps)) || !list_empty(&ctx->backlog)) { + ret = -EBUSY; if ((skreq->base.flags & CRYPTO_TFM_REQ_MAY_BACKLOG)) { list_add_tail(&sec_req->backlog_head, &ctx->backlog); mutex_unlock(&queue->queuelock); - return -EBUSY; + goto out; } - ret = -EBUSY; mutex_unlock(&queue->queuelock); goto err_free_elements; } @@ -844,7 +837,15 @@ static int sec_alg_skcipher_crypto(struc if (ret) goto err_free_elements; - return -EINPROGRESS; + ret = -EINPROGRESS; +out: + /* Cleanup - all elements in pointer arrays have been copied */ + kfree(splits_in_nents); + kfree(splits_in); + kfree(splits_out_nents); + kfree(splits_out); + kfree(split_sizes); + return ret; err_free_elements: list_for_each_entry_safe(el, temp, &sec_req->elements, head) {
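Review bot: in the hunk at -829,13, ret is now set to -EBUSY ahead of the CRYPTO_TFM_REQ_MAY_BACKLOG test, and the two branches then leave through different labels (out versus err_free_elements) with the same return value, which is easy to misread. A one-line comment at the goto out saying that the request has been accepted onto ctx->backlog, so only the split arrays are released and the request's elements are kept, would make the distinction clear. mutex_unlock(&queue->queuelock) is also still repeated in both branches.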
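Review bot: the out: label in the hunk at -844,7 is placed so that only the -EINPROGRESS fall-through and the backlog goto reach the five kfree() calls, while every jump to err_free_elements skips them. The patch adds nothing below err_free_elements, so splits_in, splits_out and the size arrays are released on the failure path only if the existing unwind code already does that; the changelog should say so explicitly, and the comment above the kfree() calls could note that they sit here because the error path still references these arrays.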