Received: by 2002:a05:6a10:a0d1:0:0:0:0 with SMTP id j17csp15590pxa; Mon, 3 Aug 2020 21:05:27 -0700 (PDT) X-Google-Smtp-Source: ABdhPJyHFbFCFJaEn+oWrVqLn8imp2NmEThfQQe/3+6/ATAYcCj4KP1sxVrc1xZxH2TuPLSiq60A X-Received: by 2002:aa7:c513:: with SMTP id o19mr18694375edq.327.1596513927101; Mon, 03 Aug 2020 21:05:27 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1596513927; cv=none; d=google.com; s=arc-20160816; b=T1+ILkMSzT01/KvzryIn7TxvKXUByTWgmdCF67gVtsOdreiSz8ZR8rdYeqAGWgLBDB EPNY8iTglQUF1RvI4J8QuThK2BgjZDKyw2m96IeV34YP3R/XAZh+7JNN6shAXFEltQ4Y 2GblGed0TmbZ1XNRoYCZjjGEm9fuHTeIkMloZXBcCqb+jSbh85NpnsQyxz8APLTUQT6z 4eFy+bkqjHRHNEz798HW8TfmMVz4UN+XBxn0XvnyCVRLYIzncbAneLeRdqxKhVH6rKux I3Cy6LsF+XXEodYmxL6bRgFDmanD7CKEZdDrGu4agKThP2RgOVKrfOGKHEPwuBBcL+pM pFAA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date; bh=jHH1JSwt1CGkDGUGsJmWREJBLNAZeWGB9oC1vZ/qlMU=; b=nrgxWr4a+21TCP026OKMQLGa9G17g3X9kDehtChDA+WW9pHdWt5NQPKjI39nyjXXrn ENan/9ZMyP6ORH0PvlvaJYym2aCMi6nyo5K2kmyazTFdLMgJEIiVeMjR/1Yan23zvntr jiCDdqHG6b7iU1gAO4Jw8a7kWjf+uCLwN25XesptmvoNvxFB/NiOtyu+jN1pTSRxtPLy e1RiXJYwaf/FnSyVMKtiFiykBstKOElEWY7vEQgZnxQfS2LvJ8hWELTUYbuu6IDOW/KW /6d85Gcnys8AxdS6OowHvgg5vvkmgmxJlrDGpO7Buyzwu09N3h+jhAN58oT1NTr2i6VM JicQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id c26si12135890edj.540.2020.08.03.21.04.55; Mon, 03 Aug 2020 21:05:27 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1725807AbgHDEEy (ORCPT + 99 others); Tue, 4 Aug 2020 00:04:54 -0400 Received: from helcar.hmeau.com ([216.24.177.18]:54606 "EHLO fornost.hmeau.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725300AbgHDEEy (ORCPT ); Tue, 4 Aug 2020 00:04:54 -0400 Received: from gwarestrin.arnor.me.apana.org.au ([192.168.0.7]) by fornost.hmeau.com with smtp (Exim 4.92 #5 (Debian)) id 1k2oBY-0007a8-9k; Tue, 04 Aug 2020 14:04:21 +1000 Received: by gwarestrin.arnor.me.apana.org.au (sSMTP sendmail emulation); Tue, 04 Aug 2020 14:04:20 +1000 Date: Tue, 4 Aug 2020 14:04:20 +1000 From: Herbert Xu To: Liwei Song Cc: Tom Lendacky , Gary Hook , David , linux-crypto@vger.kernel.org, linux-kernel@vger.kernel.org Subject: Re: [PATCH] crypto: ccp - zero the cmd data after use it Message-ID: <20200804040420.GA10850@gondor.apana.org.au> References: <20200803075858.3561-1-liwei.song@windriver.com> <20200803125242.GA7689@gondor.apana.org.au> <87ae939b-4983-4e96-cc3d-1aa1d1b3d3ae@windriver.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <87ae939b-4983-4e96-cc3d-1aa1d1b3d3ae@windriver.com> User-Agent: Mutt/1.10.1 (2018-07-13) Sender: linux-crypto-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-crypto@vger.kernel.org On Tue, Aug 04, 2020 at 11:51:47AM +0800, Liwei Song wrote: > > On 8/3/20 20:52, Herbert Xu wrote: > > On Mon, Aug 03, 2020 at 03:58:58PM +0800, Liwei Song wrote: > >> exist the following assignment in ccp(ignore the force > >> convert of the struct) by list_del in ccp_dequeue_cmd(): > >> req->__ctx->cmd->entry->next = LIST_POISON1; > >> > >> after use the req, kzfree(req) can not zero the entry > >> entry->next = LIST_POISON1 of the ccp_cmd(cmd) struct > >> when this address available as slub freelist pointer, this will cause > >> the following "general protection fault" error if some process meet > >> this LIST_POISON1 value address when request memory: > > > > Your description makes no sense. Please rewrite it and explain > > the problem properly. > > The problem here is that the entry of struct ccp_cmd is not zeroed after we use it, > If the other process got this address by kmalloc(), this illegal value "LIST_POISON1" > will cause "general protection fault" error. If that's the case surely the other process should be zeroing the memory? Your explanation still makes no sense. Thanks, -- Email: Herbert Xu Home Page: http://gondor.apana.org.au/~herbert/ PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt