2020-04-28 05:15:20

by Zhenzhong Duan

Subject: [PATCH] crypto: caam - fix use after free issue in *_crypt_done

In both aead_crypt_done and skcipher_crypt_done, edesc->bklog is
referenced after the structure pointed to by edesc is freed.

Fix them by moving kfree(edesc) to the end of function call.

Signed-off-by: Zhenzhong Duan <[email protected]>
---
drivers/crypto/caam/caamalg.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/drivers/crypto/caam/caamalg.c b/drivers/crypto/caam/caamalg.c
index b7bb7c30adeb..6d746ef5e650 100644
--- a/drivers/crypto/caam/caamalg.c
+++ b/drivers/crypto/caam/caamalg.c
@@ -973,8 +973,6 @@ static void aead_crypt_done(struct device *jrdev, u32 *desc, u32 err,

aead_unmap(jrdev, edesc, req);

- kfree(edesc);
-
/*
* If no backlog flag, the completion of the request is done
* by CAAM, not crypto engine.
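Review bot: removing the kfree() here is the right half of the fix, but the hunk stops at the comment, so the dangling read the description names (`edesc->bklog` in the branch that follows) is not visible in the diff itself. A couple more context lines, or quoting the `if (!edesc->bklog)` check in the commit message, would let a reviewer confirm the ordering from the patch alone.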
@@ -983,6 +981,8 @@ static void aead_crypt_done(struct device *jrdev, u32 *desc, u32 err,
aead_request_complete(req, ecode);
else
crypto_finalize_aead_request(jrp->engine, req, ecode);
+
+ kfree(edesc);
}

static void skcipher_crypt_done(struct device *jrdev, u32 *desc, u32 err,
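Review bot: placing `kfree(edesc)` after aead_request_complete() / crypto_finalize_aead_request() extends the descriptor's lifetime across whatever runs in the completion path; that is fine as long as nothing reachable from that path refers back to edesc, which is what the visible lines suggest. A smaller change that keeps the early free and the short lifetime is to latch the flag before freeing, e.g. `bool has_bklog = edesc->bklog;` just before the original `kfree(edesc);`, and then branch on `if (!has_bklog)`. Either way, a one-line comment above the free stating that it must not precede the bklog check would stop the original ordering from being reintroduced.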
@@ -1022,8 +1022,6 @@ static void skcipher_crypt_done(struct device *jrdev, u32 *desc, u32 err,
DUMP_PREFIX_ADDRESS, 16, 4, req->dst,
edesc->dst_nents > 1 ? 100 : req->cryptlen, 1);

- kfree(edesc);
-
/*
* If no backlog flag, the completion of the request is done
* by CAAM, not crypto engine.
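Review bot: same ordering problem as in aead_crypt_done; the only read of edesc visible in this hunk, `edesc->dst_nents` in the debug dump above, already happens before the free and is unaffected. Since the two functions share the pattern, the description should say so explicitly, and whichever fix shape is chosen (late free or a local `has_bklog`) should be applied identically in both so the two completion handlers do not diverge.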
@@ -1032,6 +1030,8 @@ static void skcipher_crypt_done(struct device *jrdev, u32 *desc, u32 err,
skcipher_request_complete(req, ecode);
else
crypto_finalize_skcipher_request(jrp->engine, req, ecode);
+
+ kfree(edesc);
}

/*
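Review bot: with the free moved to the end of skcipher_crypt_done, any future early return between skcipher_request_complete() / crypto_finalize_skcipher_request() and the new `kfree(edesc)` would leak the descriptor; there is no such path in the visible lines, so the patch is correct as written, but it is worth a short comment at the kfree explaining why it sits after the completion call so the invariant survives later edits.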
--
2.17.1


2020-04-28 07:49:16

by Iuliana Prodan

Subject: Re: [PATCH] crypto: caam - fix use after free issue in *_crypt_done

On 4/28/2020 8:14 AM, Zhenzhong Duan wrote:
> In both aead_crypt_done and skcipher_crypt_done, edesc->bklog is
> referenced after the structure pointed to by edesc is freed.
>
> Fix them by moving kfree(edesc) to the end of function call.
>
> Signed-off-by: Zhenzhong Duan <[email protected]>

These issues were already fixed, and applied on cryptodev, by this
series: https://patchwork.kernel.org/cover/11476799/

Regards,
Iulia

> ---
> drivers/crypto/caam/caamalg.c | 8 ++++----
> 1 file changed, 4 insertions(+), 4 deletions(-)
>
> diff --git a/drivers/crypto/caam/caamalg.c b/drivers/crypto/caam/caamalg.c
> index b7bb7c30adeb..6d746ef5e650 100644
> --- a/drivers/crypto/caam/caamalg.c
> +++ b/drivers/crypto/caam/caamalg.c
> @@ -973,8 +973,6 @@ static void aead_crypt_done(struct device *jrdev, u32 *desc, u32 err,
>
> aead_unmap(jrdev, edesc, req);
>
> - kfree(edesc);
> -
> /*
> * If no backlog flag, the completion of the request is done
> * by CAAM, not crypto engine.
> @@ -983,6 +981,8 @@ static void aead_crypt_done(struct device *jrdev, u32 *desc, u32 err,
> aead_request_complete(req, ecode);
> else
> crypto_finalize_aead_request(jrp->engine, req, ecode);
> +
> + kfree(edesc);
> }
>
> static void skcipher_crypt_done(struct device *jrdev, u32 *desc, u32 err,
> @@ -1022,8 +1022,6 @@ static void skcipher_crypt_done(struct device *jrdev, u32 *desc, u32 err,
> DUMP_PREFIX_ADDRESS, 16, 4, req->dst,
> edesc->dst_nents > 1 ? 100 : req->cryptlen, 1);
>
> - kfree(edesc);
> -
> /*
> * If no backlog flag, the completion of the request is done
> * by CAAM, not crypto engine.
> @@ -1032,6 +1030,8 @@ static void skcipher_crypt_done(struct device *jrdev, u32 *desc, u32 err,
> skcipher_request_complete(req, ecode);
> else
> crypto_finalize_skcipher_request(jrp->engine, req, ecode);
> +
> + kfree(edesc);
> }
>
> /*
>

2020-04-28 10:10:41

by Zhenzhong Duan

Subject: Re: [PATCH] crypto: caam - fix use after free issue in *_crypt_done

On Tue, Apr 28, 2020 at 3:48 PM Iuliana Prodan <[email protected]> wrote:
>
> On 4/28/2020 8:14 AM, Zhenzhong Duan wrote:
> > In both aead_crypt_done and skcipher_crypt_done, edesc->bklog is
> > referenced after the structure pointed to by edesc is freed.
> >
> > Fix them by moving kfree(edesc) to the end of function call.
> >
> > Signed-off-by: Zhenzhong Duan <[email protected]>
>
> These issues were already fixed, and applied on cryptodev, by this
> series: https://patchwork.kernel.org/cover/11476799/

I see, thanks

Zhenzhong