From: Liwei Song
To: Tom Lendacky , Gary Hook , Herbert Xu , David ,
CC: ,
Subject: [PATCH] crypto: ccp - zero the cmd data after use it
Date: Mon, 3 Aug 2020 15:58:58 +0800
Message-ID: <20200803075858.3561-1-liwei.song@windriver.com>
X-Mailing-List: linux-crypto@vger.kernel.org

The following assignment exists in ccp (ignoring the forced conversion
of the struct), made by list_del in ccp_dequeue_cmd():

    req->__ctx->cmd->entry->next = LIST_POISON1;

After the req is used, kzfree(req) cannot zero the entry
entry->next = LIST_POISON1 of the ccp_cmd (cmd) struct. When this
address is available as a slub freelist pointer, this will cause the
following "general protection fault" error if some process meets this
LIST_POISON1 value address when requesting memory:

general protection fault: 0000 1 PREEMPT SMP NOPTI
CPU: 13 PID: 111282 Comm: msgstress03 Not tainted 5.2.45-yocto-standard #1
Hardware name: AMD Corporation Wallaby/Wallaby, BIOS WWB7713N 07/11/2017
RIP: 0010:__kmalloc_node+0x106/0x2f0
RSP: 0018:ffffaa6dd83ffdc8 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 000000000033e0cd
RDX: 000000000033e08d RSI: 000000000033e08d RDI: 000000000002c180
RBP: ffffaa6dd83ffe00 R08: 00000000000000d4 R09: ffff966c9dc07180
R10: dead000000000100 R11: 0000000000000000 R12: 0000000000000cc0
R13: 0000000000000100 R14: 00000000ffffffff R15: ffff966c9dc07180
FS: 00007f83bb756600(0000) GS:ffff966c9e340000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f83bb6917e0 CR3: 000000080b794000 CR4: 00000000003406e0
Call Trace:
 ? kvmalloc_node+0x7b/0x90
 kvmalloc_node+0x7b/0x90
 newque+0x32/0x1a0
 ipcget+0x27a/0x2c0
 ksys_msgget+0x51/0x70
 __x64_sys_msgget+0x16/0x20
 do_syscall_64+0x4d/0x130
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x7f83bb6917e7

Fix it by zeroing the cmd struct after finishing using it.

Signed-off-by: Liwei Song --- drivers/crypto/ccp/ccp-dev.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/crypto/ccp/ccp-dev.c b/drivers/crypto/ccp/ccp-dev.c index edefa669153f..75a6418d541d 100644 --- a/drivers/crypto/ccp/ccp-dev.c +++ b/drivers/crypto/ccp/ccp-dev.c @@ -409,6 +409,7 @@ static void ccp_do_cmd_complete(unsigned long data) cmd->callback(cmd->data, cmd->ret); complete(&tdata->completion); + memset(cmd, 0, sizeof(*cmd)); } /** -- 2.17.1
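
Review bot: The memset(cmd, 0, sizeof(*cmd)) in ccp_do_cmd_complete() is placed after both cmd->callback(cmd->data, cmd->ret) and complete(&tdata->completion), so if the callback or the waiter on tdata->completion frees the request that embeds cmd (the changelog itself describes kzfree(req) happening once the req has been used), this write lands in memory that has already been freed or reallocated. That would turn a stale LIST_POISON1 value into a 48-byte-or-larger write-after-free instead of removing it. Please either clear the state before handing the request back, copying callback, data and ret to locals first and then invoking the callback, or address only the field the changelog identifies, for example by using list_del_init() instead of list_del() in ccp_dequeue_cmd() so entry->next never holds the poison value. The changelog should also explain why the whole struct must be wiped when only entry->next is named as the problem, and why the allocator's own freelist pointer write on free does not already overwrite that location.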