Received: by 2002:a05:6a10:413:0:0:0:0 with SMTP id 19csp769840pxp;
        Fri, 11 Mar 2022 14:39:26 -0800 (PST)
X-Google-Smtp-Source: ABdhPJzY3X/GK2zYbZHk9YqfGeeARNHZ6NbNVxEQA/YsVWs4T8EJpBpN8PU9Ec7D4CqvQQGo0Y+w
X-Received: by 2002:a17:902:cf12:b0:14f:e0c2:1515 with SMTP id i18-20020a170902cf1200b0014fe0c21515mr12871121plg.4.1647038366229;
        Fri, 11 Mar 2022 14:39:26 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1647038366; cv=none;
        d=google.com; s=arc-20160816;
        b=EZ8e/wMJEQuJiNlCkOXhwbuqadsaad68TSvWJa40rkXGki1lMGxbD6L4TDO4M5l9br
         QNQKmXUjBV9CQNaH/GQm3IDqeoKRXDND8gisCcuS2MpqqfcPVWLZAlPfcl4VnJx+G8HX
         uWMCe6WgT2IEA+FGcCxKEqbP93k23KkPpdOBLkXUk+UdHmS27QcdlXYOGCPVBlM5BxdJ
         gwn7bEruhSncoaaZGyJSU7WEwhqWRtyCnwrEqrvR9w2kD8B05IgU6/d1CzRwAQbItpnh
         gVd0SZyFnqaCJfMMfNTXuFDTP0+Jr+2/5qUoJTm8k7xeck+P608Yx9qafgV7NqEpQ28Y
         Yotw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:mime-version
         :message-id:date:subject:cc:to:from;
        bh=pfHBOqiRS57JicD8pjipXgh0ryWc5BwW1TaeORBdFPo=;
        b=suSdosSbyTgZqkCzbcPSuIMRa9JnFqBJSdGEeGeWAg1XTTJ10hqBjfy5il3t9iwuyq
         pRBzIBWg44DL2PYyw3hQEu6KYNORTgTnlajVxNp5izKaxsDuTFbtkpFM/MiZGSWggERf
         XRRPd6IzI83QCJjKKopY4QJo8TWl6/ZmdQGuS0Gk7k0xlY+YL8xHlr5xpqq6pWoPeYHy
         dkIH7+D2CGmBw98lGmiN/UqtTzhYxiigyNCOkKjrcxI66juhq/2RNUnumSQqdtWprgGx
         cJ5WohdcRGaZjHa33LMDbA49gQ7lku33ITyYjJGHTa9/bE4ykywbg6ylvzledGiIu0lv
         YzKQ==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=softfail (google.com: domain of transitioning linux-crypto-owner@vger.kernel.org does not designate 23.128.96.19 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=renesas.com
Return-Path: <linux-crypto-owner@vger.kernel.org>
Received: from lindbergh.monkeyblade.net (lindbergh.monkeyblade.net. [23.128.96.19])
        by mx.google.com with ESMTPS id q7-20020a656a87000000b00378d9d69e5csi10164892pgu.655.2022.03.11.14.39.25
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Fri, 11 Mar 2022 14:39:26 -0800 (PST)
Received-SPF: softfail (google.com: domain of transitioning linux-crypto-owner@vger.kernel.org does not designate 23.128.96.19 as permitted sender) client-ip=23.128.96.19;
Authentication-Results: mx.google.com;
       spf=softfail (google.com: domain of transitioning linux-crypto-owner@vger.kernel.org does not designate 23.128.96.19 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=renesas.com
Received: from vger.kernel.org (vger.kernel.org [23.128.96.18])
	by lindbergh.monkeyblade.net (Postfix) with ESMTP id DA8552C149B;
	Fri, 11 Mar 2022 13:45:18 -0800 (PST)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S229531AbiCKIUw (ORCPT <rfc822;benevolent.opressor@gmail.com>
        + 99 others); Fri, 11 Mar 2022 03:20:52 -0500
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:51708 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S235475AbiCKIUu (ORCPT
        <rfc822;linux-crypto@vger.kernel.org>);
        Fri, 11 Mar 2022 03:20:50 -0500
Received: from relmlie6.idc.renesas.com (relmlor2.renesas.com [210.160.252.172])
        by lindbergh.monkeyblade.net (Postfix) with ESMTP id 477401B8FCE;
        Fri, 11 Mar 2022 00:19:47 -0800 (PST)
X-IronPort-AV: E=Sophos;i="5.90,173,1643641200"; 
   d="scan'208";a="114077949"
Received: from unknown (HELO relmlir6.idc.renesas.com) ([10.200.68.152])
  by relmlie6.idc.renesas.com with ESMTP; 11 Mar 2022 17:19:46 +0900
Received: from localhost.localdomain (unknown [10.166.15.32])
        by relmlir6.idc.renesas.com (Postfix) with ESMTP id 1B9B5420A724;
        Fri, 11 Mar 2022 17:19:46 +0900 (JST)
From:   Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
To:     gilad@benyossef.com
Cc:     herbert@gondor.apana.org.au, davem@davemloft.net,
        linux-crypto@vger.kernel.org, linux-renesas-soc@vger.kernel.org,
        Dung Nguyen <dung.nguyen.zy@renesas.com>,
        Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
Subject: [RFC/PATCH] crypto: ccree - fix a race of enqueue_seq() in send_request_init()
Date:   Fri, 11 Mar 2022 17:19:09 +0900
Message-Id: <20220311081909.1661934-1-yoshihiro.shimoda.uh@renesas.com>
X-Mailer: git-send-email 2.25.1
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,
	HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,RDNS_NONE,
	SPF_HELO_NONE,T_SCC_BODY_TEXT_LINE autolearn=no autolearn_force=no
	version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
	lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-crypto.vger.kernel.org>
X-Mailing-List: linux-crypto@vger.kernel.org

From: Dung Nguyen <dung.nguyen.zy@renesas.com>

When loading ccree.ko, after registering cipher algorithm at
cc_cipher_alloc() and cc_hash_alloc() -> send_request_init() ->
enqueue_seq() has called to pushing descriptor into HW.

On other hand, if another thread have called to encrypt/decrypt
cipher (cc_cipher_encrypt/decrypt) -> cc_send_request() ->
cc_do_send_request() -> enqueue_seq() while send_request_init()
is running, the thread also has called to pushing descriptor into HW.
And then, it's possible to overwrite data.

The cc_do_send_request() locks mgr->hw_lock, but send_request_init()
doesn't lock mgr->hw_lock before enqueue_seq() is called. So,
send_request_init() should lock mgr->hw_lock before enqueue_seq() is
called.

This issue is possible to cause the following way in rare cases:
- CONFIG_CRYPTO_MANAGER_DISABLE_TESTS=n
- insmod ccree.ko & insmod tcrypt.ko

Signed-off-by: Dung Nguyen <dung.nguyen.zy@renesas.com>
[shimoda: revise the subject/description]
Signed-off-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
---
 I believe we should fix this race. But, as I wrote the desciption
 above, there is in rare cases. So, I marked this patch as RFC.

 drivers/crypto/ccree/cc_request_mgr.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/crypto/ccree/cc_request_mgr.c b/drivers/crypto/ccree/cc_request_mgr.c
index 887162df50f9..eef40022258b 100644
--- a/drivers/crypto/ccree/cc_request_mgr.c
+++ b/drivers/crypto/ccree/cc_request_mgr.c
@@ -513,6 +513,7 @@ int send_request_init(struct cc_drvdata *drvdata, struct cc_hw_desc *desc,
 
 	set_queue_last_ind(drvdata, &desc[(len - 1)]);
 
+	spin_lock_bh(&req_mgr_h->hw_lock);
 	/*
 	 * We are about to push command to the HW via the command registers
 	 * that may reference host memory. We need to issue a memory barrier
@@ -520,6 +521,7 @@ int send_request_init(struct cc_drvdata *drvdata, struct cc_hw_desc *desc,
 	 */
 	wmb();
 	enqueue_seq(drvdata, desc, len);
+	spin_unlock_bh(&req_mgr_h->hw_lock);
 
 	/* Update the free slots in HW queue */
 	req_mgr_h->q_free_slots =
-- 
2.25.1