linux-crypto.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
* [PATCH 4.4.y v2] crypto: algif_skcipher - use ZERO_OR_NULL_PTR in skcipher_recvmsg_async
@ 2020-03-05  8:57 yangerkun
  2020-03-06 13:39 ` Sasha Levin
  0 siblings, 1 reply; 6+ messages in thread
From: yangerkun @ 2020-03-05  8:57 UTC (permalink / raw)
  To: gregkh, herbert; +Cc: stable, linux-crypto, yangerkun

Nowdays, we trigger a oops:
...
kasan: GPF could be caused by NULL-ptr deref or user memory accessgeneral protection fault: 0000 [#1] SMP KASAN
...
Call Trace:
 [<ffffffff81a26fb1>] skcipher_recvmsg_async+0x3f1/0x1400 x86/../crypto/algif_skcipher.c:543
 [<ffffffff81a28053>] skcipher_recvmsg+0x93/0x7f0 x86/../crypto/algif_skcipher.c:723
 [<ffffffff823e43a4>] sock_recvmsg_nosec x86/../net/socket.c:702 [inline]
 [<ffffffff823e43a4>] sock_recvmsg x86/../net/socket.c:710 [inline]
 [<ffffffff823e43a4>] sock_recvmsg+0x94/0xc0 x86/../net/socket.c:705
 [<ffffffff823e464b>] sock_read_iter+0x27b/0x3a0 x86/../net/socket.c:787
 [<ffffffff817f479b>] aio_run_iocb+0x21b/0x7a0 x86/../fs/aio.c:1520
 [<ffffffff817f57c9>] io_submit_one x86/../fs/aio.c:1630 [inline]
 [<ffffffff817f57c9>] do_io_submit+0x6b9/0x10b0 x86/../fs/aio.c:1688
 [<ffffffff817f902d>] SYSC_io_submit x86/../fs/aio.c:1713 [inline]
 [<ffffffff817f902d>] SyS_io_submit+0x2d/0x40 x86/../fs/aio.c:1710
 [<ffffffff828b33c3>] tracesys_phase2+0x90/0x95

In skcipher_recvmsg_async, we use '!sreq->tsg' to determine does we
calloc fail. However, kcalloc may return ZERO_SIZE_PTR, and with this,
the latter sg_init_table will trigger the bug. Fix it be use ZERO_OF_NULL_PTR.

This function was introduced with ' commit a596999b7ddf ("crypto:
algif - change algif_skcipher to be asynchronous")', and has been removed
with 'commit e870456d8e7c ("crypto: algif_skcipher - overhaul memory
management")'.

Reported-by: Hulk Robot <hulkci@huawei.com>
Signed-off-by: yangerkun <yangerkun@huawei.com>
---
 crypto/algif_skcipher.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

v1->v2:
update the commit message

diff --git a/crypto/algif_skcipher.c b/crypto/algif_skcipher.c
index d12782dc9683..9bd4691cc5c5 100644
--- a/crypto/algif_skcipher.c
+++ b/crypto/algif_skcipher.c
@@ -538,7 +538,7 @@ static int skcipher_recvmsg_async(struct socket *sock, struct msghdr *msg,
 	lock_sock(sk);
 	tx_nents = skcipher_all_sg_nents(ctx);
 	sreq->tsg = kcalloc(tx_nents, sizeof(*sg), GFP_KERNEL);
-	if (unlikely(!sreq->tsg))
+	if (unlikely(ZERO_OR_NULL_PTR(sreq->tsg)))
 		goto unlock;
 	sg_init_table(sreq->tsg, tx_nents);
 	memcpy(iv, ctx->iv, ivsize);
-- 
2.17.2


^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [PATCH 4.4.y v2] crypto: algif_skcipher - use ZERO_OR_NULL_PTR in skcipher_recvmsg_async
  2020-03-05  8:57 [PATCH 4.4.y v2] crypto: algif_skcipher - use ZERO_OR_NULL_PTR in skcipher_recvmsg_async yangerkun
@ 2020-03-06 13:39 ` Sasha Levin
  2020-03-07  1:49   ` yangerkun
  0 siblings, 1 reply; 6+ messages in thread
From: Sasha Levin @ 2020-03-06 13:39 UTC (permalink / raw)
  To: yangerkun; +Cc: gregkh, herbert, stable, linux-crypto

On Thu, Mar 05, 2020 at 04:57:55PM +0800, yangerkun wrote:
>Nowdays, we trigger a oops:
>...
>kasan: GPF could be caused by NULL-ptr deref or user memory accessgeneral protection fault: 0000 [#1] SMP KASAN
>...
>Call Trace:
> [<ffffffff81a26fb1>] skcipher_recvmsg_async+0x3f1/0x1400 x86/../crypto/algif_skcipher.c:543
> [<ffffffff81a28053>] skcipher_recvmsg+0x93/0x7f0 x86/../crypto/algif_skcipher.c:723
> [<ffffffff823e43a4>] sock_recvmsg_nosec x86/../net/socket.c:702 [inline]
> [<ffffffff823e43a4>] sock_recvmsg x86/../net/socket.c:710 [inline]
> [<ffffffff823e43a4>] sock_recvmsg+0x94/0xc0 x86/../net/socket.c:705
> [<ffffffff823e464b>] sock_read_iter+0x27b/0x3a0 x86/../net/socket.c:787
> [<ffffffff817f479b>] aio_run_iocb+0x21b/0x7a0 x86/../fs/aio.c:1520
> [<ffffffff817f57c9>] io_submit_one x86/../fs/aio.c:1630 [inline]
> [<ffffffff817f57c9>] do_io_submit+0x6b9/0x10b0 x86/../fs/aio.c:1688
> [<ffffffff817f902d>] SYSC_io_submit x86/../fs/aio.c:1713 [inline]
> [<ffffffff817f902d>] SyS_io_submit+0x2d/0x40 x86/../fs/aio.c:1710
> [<ffffffff828b33c3>] tracesys_phase2+0x90/0x95
>
>In skcipher_recvmsg_async, we use '!sreq->tsg' to determine does we
>calloc fail. However, kcalloc may return ZERO_SIZE_PTR, and with this,
>the latter sg_init_table will trigger the bug. Fix it be use ZERO_OF_NULL_PTR.
>
>This function was introduced with ' commit a596999b7ddf ("crypto:
>algif - change algif_skcipher to be asynchronous")', and has been removed
>with 'commit e870456d8e7c ("crypto: algif_skcipher - overhaul memory
>management")'.
>
>Reported-by: Hulk Robot <hulkci@huawei.com>
>Signed-off-by: yangerkun <yangerkun@huawei.com>
>---
> crypto/algif_skcipher.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
>v1->v2:
>update the commit message
>
>diff --git a/crypto/algif_skcipher.c b/crypto/algif_skcipher.c
>index d12782dc9683..9bd4691cc5c5 100644
>--- a/crypto/algif_skcipher.c
>+++ b/crypto/algif_skcipher.c
>@@ -538,7 +538,7 @@ static int skcipher_recvmsg_async(struct socket *sock, struct msghdr *msg,
> 	lock_sock(sk);
> 	tx_nents = skcipher_all_sg_nents(ctx);
> 	sreq->tsg = kcalloc(tx_nents, sizeof(*sg), GFP_KERNEL);
>-	if (unlikely(!sreq->tsg))
>+	if (unlikely(ZERO_OR_NULL_PTR(sreq->tsg)))

I'm a bit confused: kcalloc() will return ZERO_SIZE_PTR for allocations
that ask for 0 bytes, but here we ask for "sizeof(*sg)" bytes, which is
guaranteed to be more than 0, no?

-- 
Thanks,
Sasha

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [PATCH 4.4.y v2] crypto: algif_skcipher - use ZERO_OR_NULL_PTR in skcipher_recvmsg_async
  2020-03-06 13:39 ` Sasha Levin
@ 2020-03-07  1:49   ` yangerkun
  2020-03-08  0:19     ` Sasha Levin
  0 siblings, 1 reply; 6+ messages in thread
From: yangerkun @ 2020-03-07  1:49 UTC (permalink / raw)
  To: Sasha Levin; +Cc: gregkh, herbert, stable, linux-crypto, yangerkun



On 2020/3/6 21:39, Sasha Levin wrote:
> On Thu, Mar 05, 2020 at 04:57:55PM +0800, yangerkun wrote:
>> Nowdays, we trigger a oops:
>> ...
>> kasan: GPF could be caused by NULL-ptr deref or user memory 
>> accessgeneral protection fault: 0000 [#1] SMP KASAN
>> ...
>> Call Trace:
>> [<ffffffff81a26fb1>] skcipher_recvmsg_async+0x3f1/0x1400 
>> x86/../crypto/algif_skcipher.c:543
>> [<ffffffff81a28053>] skcipher_recvmsg+0x93/0x7f0 
>> x86/../crypto/algif_skcipher.c:723
>> [<ffffffff823e43a4>] sock_recvmsg_nosec x86/../net/socket.c:702 [inline]
>> [<ffffffff823e43a4>] sock_recvmsg x86/../net/socket.c:710 [inline]
>> [<ffffffff823e43a4>] sock_recvmsg+0x94/0xc0 x86/../net/socket.c:705
>> [<ffffffff823e464b>] sock_read_iter+0x27b/0x3a0 x86/../net/socket.c:787
>> [<ffffffff817f479b>] aio_run_iocb+0x21b/0x7a0 x86/../fs/aio.c:1520
>> [<ffffffff817f57c9>] io_submit_one x86/../fs/aio.c:1630 [inline]
>> [<ffffffff817f57c9>] do_io_submit+0x6b9/0x10b0 x86/../fs/aio.c:1688
>> [<ffffffff817f902d>] SYSC_io_submit x86/../fs/aio.c:1713 [inline]
>> [<ffffffff817f902d>] SyS_io_submit+0x2d/0x40 x86/../fs/aio.c:1710
>> [<ffffffff828b33c3>] tracesys_phase2+0x90/0x95
>>
>> In skcipher_recvmsg_async, we use '!sreq->tsg' to determine does we
>> calloc fail. However, kcalloc may return ZERO_SIZE_PTR, and with this,
>> the latter sg_init_table will trigger the bug. Fix it be use 
>> ZERO_OF_NULL_PTR.
>>
>> This function was introduced with ' commit a596999b7ddf ("crypto:
>> algif - change algif_skcipher to be asynchronous")', and has been removed
>> with 'commit e870456d8e7c ("crypto: algif_skcipher - overhaul memory
>> management")'.
>>
>> Reported-by: Hulk Robot <hulkci@huawei.com>
>> Signed-off-by: yangerkun <yangerkun@huawei.com>
>> ---
>> crypto/algif_skcipher.c | 2 +-
>> 1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> v1->v2:
>> update the commit message
>>
>> diff --git a/crypto/algif_skcipher.c b/crypto/algif_skcipher.c
>> index d12782dc9683..9bd4691cc5c5 100644
>> --- a/crypto/algif_skcipher.c
>> +++ b/crypto/algif_skcipher.c
>> @@ -538,7 +538,7 @@ static int skcipher_recvmsg_async(struct socket 
>> *sock, struct msghdr *msg,
>>     lock_sock(sk);
>>     tx_nents = skcipher_all_sg_nents(ctx);
>>     sreq->tsg = kcalloc(tx_nents, sizeof(*sg), GFP_KERNEL);
>> -    if (unlikely(!sreq->tsg))
>> +    if (unlikely(ZERO_OR_NULL_PTR(sreq->tsg)))
> 
> I'm a bit confused: kcalloc() will return ZERO_SIZE_PTR for allocations
> that ask for 0 bytes, but here we ask for "sizeof(*sg)" bytes, which is
> guaranteed to be more than 0, no?

Actually, the size need to calloc is (tx_nents * sizeof(*sg)), and 
tx_nents is 0.

> 


^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [PATCH 4.4.y v2] crypto: algif_skcipher - use ZERO_OR_NULL_PTR in skcipher_recvmsg_async
  2020-03-07  1:49   ` yangerkun
@ 2020-03-08  0:19     ` Sasha Levin
  2020-03-09  1:27       ` yangerkun
  0 siblings, 1 reply; 6+ messages in thread
From: Sasha Levin @ 2020-03-08  0:19 UTC (permalink / raw)
  To: yangerkun; +Cc: gregkh, herbert, stable, linux-crypto

On Sat, Mar 07, 2020 at 09:49:25AM +0800, yangerkun wrote:
>
>
>On 2020/3/6 21:39, Sasha Levin wrote:
>>On Thu, Mar 05, 2020 at 04:57:55PM +0800, yangerkun wrote:
>>>Nowdays, we trigger a oops:
>>>...
>>>kasan: GPF could be caused by NULL-ptr deref or user memory 
>>>accessgeneral protection fault: 0000 [#1] SMP KASAN
>>>...
>>>Call Trace:
>>>[<ffffffff81a26fb1>] skcipher_recvmsg_async+0x3f1/0x1400 
>>>x86/../crypto/algif_skcipher.c:543
>>>[<ffffffff81a28053>] skcipher_recvmsg+0x93/0x7f0 
>>>x86/../crypto/algif_skcipher.c:723
>>>[<ffffffff823e43a4>] sock_recvmsg_nosec x86/../net/socket.c:702 [inline]
>>>[<ffffffff823e43a4>] sock_recvmsg x86/../net/socket.c:710 [inline]
>>>[<ffffffff823e43a4>] sock_recvmsg+0x94/0xc0 x86/../net/socket.c:705
>>>[<ffffffff823e464b>] sock_read_iter+0x27b/0x3a0 x86/../net/socket.c:787
>>>[<ffffffff817f479b>] aio_run_iocb+0x21b/0x7a0 x86/../fs/aio.c:1520
>>>[<ffffffff817f57c9>] io_submit_one x86/../fs/aio.c:1630 [inline]
>>>[<ffffffff817f57c9>] do_io_submit+0x6b9/0x10b0 x86/../fs/aio.c:1688
>>>[<ffffffff817f902d>] SYSC_io_submit x86/../fs/aio.c:1713 [inline]
>>>[<ffffffff817f902d>] SyS_io_submit+0x2d/0x40 x86/../fs/aio.c:1710
>>>[<ffffffff828b33c3>] tracesys_phase2+0x90/0x95
>>>
>>>In skcipher_recvmsg_async, we use '!sreq->tsg' to determine does we
>>>calloc fail. However, kcalloc may return ZERO_SIZE_PTR, and with this,
>>>the latter sg_init_table will trigger the bug. Fix it be use 
>>>ZERO_OF_NULL_PTR.
>>>
>>>This function was introduced with ' commit a596999b7ddf ("crypto:
>>>algif - change algif_skcipher to be asynchronous")', and has been removed
>>>with 'commit e870456d8e7c ("crypto: algif_skcipher - overhaul memory
>>>management")'.
>>>
>>>Reported-by: Hulk Robot <hulkci@huawei.com>
>>>Signed-off-by: yangerkun <yangerkun@huawei.com>
>>>---
>>>crypto/algif_skcipher.c | 2 +-
>>>1 file changed, 1 insertion(+), 1 deletion(-)
>>>
>>>v1->v2:
>>>update the commit message
>>>
>>>diff --git a/crypto/algif_skcipher.c b/crypto/algif_skcipher.c
>>>index d12782dc9683..9bd4691cc5c5 100644
>>>--- a/crypto/algif_skcipher.c
>>>+++ b/crypto/algif_skcipher.c
>>>@@ -538,7 +538,7 @@ static int skcipher_recvmsg_async(struct 
>>>socket *sock, struct msghdr *msg,
>>>    lock_sock(sk);
>>>    tx_nents = skcipher_all_sg_nents(ctx);
>>>    sreq->tsg = kcalloc(tx_nents, sizeof(*sg), GFP_KERNEL);
>>>-    if (unlikely(!sreq->tsg))
>>>+    if (unlikely(ZERO_OR_NULL_PTR(sreq->tsg)))
>>
>>I'm a bit confused: kcalloc() will return ZERO_SIZE_PTR for allocations
>>that ask for 0 bytes, but here we ask for "sizeof(*sg)" bytes, which is
>>guaranteed to be more than 0, no?
>
>Actually, the size need to calloc is (tx_nents * sizeof(*sg)), and 
>tx_nents is 0.

Makes sense. This is also needed on 4.9, right?

-- 
Thanks,
Sasha

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [PATCH 4.4.y v2] crypto: algif_skcipher - use ZERO_OR_NULL_PTR in skcipher_recvmsg_async
  2020-03-08  0:19     ` Sasha Levin
@ 2020-03-09  1:27       ` yangerkun
  2020-03-10 12:14         ` Greg KH
  0 siblings, 1 reply; 6+ messages in thread
From: yangerkun @ 2020-03-09  1:27 UTC (permalink / raw)
  To: Sasha Levin; +Cc: gregkh, herbert, stable, linux-crypto



On 2020/3/8 8:19, Sasha Levin wrote:
> On Sat, Mar 07, 2020 at 09:49:25AM +0800, yangerkun wrote:
>>
>>
>> On 2020/3/6 21:39, Sasha Levin wrote:
>>> On Thu, Mar 05, 2020 at 04:57:55PM +0800, yangerkun wrote:
>>>> Nowdays, we trigger a oops:
>>>> ...
>>>> kasan: GPF could be caused by NULL-ptr deref or user memory 
>>>> accessgeneral protection fault: 0000 [#1] SMP KASAN
>>>> ...
>>>> Call Trace:
>>>> [<ffffffff81a26fb1>] skcipher_recvmsg_async+0x3f1/0x1400 
>>>> x86/../crypto/algif_skcipher.c:543
>>>> [<ffffffff81a28053>] skcipher_recvmsg+0x93/0x7f0 
>>>> x86/../crypto/algif_skcipher.c:723
>>>> [<ffffffff823e43a4>] sock_recvmsg_nosec x86/../net/socket.c:702 
>>>> [inline]
>>>> [<ffffffff823e43a4>] sock_recvmsg x86/../net/socket.c:710 [inline]
>>>> [<ffffffff823e43a4>] sock_recvmsg+0x94/0xc0 x86/../net/socket.c:705
>>>> [<ffffffff823e464b>] sock_read_iter+0x27b/0x3a0 x86/../net/socket.c:787
>>>> [<ffffffff817f479b>] aio_run_iocb+0x21b/0x7a0 x86/../fs/aio.c:1520
>>>> [<ffffffff817f57c9>] io_submit_one x86/../fs/aio.c:1630 [inline]
>>>> [<ffffffff817f57c9>] do_io_submit+0x6b9/0x10b0 x86/../fs/aio.c:1688
>>>> [<ffffffff817f902d>] SYSC_io_submit x86/../fs/aio.c:1713 [inline]
>>>> [<ffffffff817f902d>] SyS_io_submit+0x2d/0x40 x86/../fs/aio.c:1710
>>>> [<ffffffff828b33c3>] tracesys_phase2+0x90/0x95
>>>>
>>>> In skcipher_recvmsg_async, we use '!sreq->tsg' to determine does we
>>>> calloc fail. However, kcalloc may return ZERO_SIZE_PTR, and with this,
>>>> the latter sg_init_table will trigger the bug. Fix it be use 
>>>> ZERO_OF_NULL_PTR.
>>>>
>>>> This function was introduced with ' commit a596999b7ddf ("crypto:
>>>> algif - change algif_skcipher to be asynchronous")', and has been 
>>>> removed
>>>> with 'commit e870456d8e7c ("crypto: algif_skcipher - overhaul memory
>>>> management")'.
>>>>
>>>> Reported-by: Hulk Robot <hulkci@huawei.com>
>>>> Signed-off-by: yangerkun <yangerkun@huawei.com>
>>>> ---
>>>> crypto/algif_skcipher.c | 2 +-
>>>> 1 file changed, 1 insertion(+), 1 deletion(-)
>>>>
>>>> v1->v2:
>>>> update the commit message
>>>>
>>>> diff --git a/crypto/algif_skcipher.c b/crypto/algif_skcipher.c
>>>> index d12782dc9683..9bd4691cc5c5 100644
>>>> --- a/crypto/algif_skcipher.c
>>>> +++ b/crypto/algif_skcipher.c
>>>> @@ -538,7 +538,7 @@ static int skcipher_recvmsg_async(struct socket 
>>>> *sock, struct msghdr *msg,
>>>>     lock_sock(sk);
>>>>     tx_nents = skcipher_all_sg_nents(ctx);
>>>>     sreq->tsg = kcalloc(tx_nents, sizeof(*sg), GFP_KERNEL);
>>>> -    if (unlikely(!sreq->tsg))
>>>> +    if (unlikely(ZERO_OR_NULL_PTR(sreq->tsg)))
>>>
>>> I'm a bit confused: kcalloc() will return ZERO_SIZE_PTR for allocations
>>> that ask for 0 bytes, but here we ask for "sizeof(*sg)" bytes, which is
>>> guaranteed to be more than 0, no?
>>
>> Actually, the size need to calloc is (tx_nents * sizeof(*sg)), and 
>> tx_nents is 0.
> 
> Makes sense. This is also needed on 4.9, right?

Yes! Thanks for checking it!
> 


^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [PATCH 4.4.y v2] crypto: algif_skcipher - use ZERO_OR_NULL_PTR in skcipher_recvmsg_async
  2020-03-09  1:27       ` yangerkun
@ 2020-03-10 12:14         ` Greg KH
  0 siblings, 0 replies; 6+ messages in thread
From: Greg KH @ 2020-03-10 12:14 UTC (permalink / raw)
  To: yangerkun; +Cc: Sasha Levin, herbert, stable, linux-crypto

On Mon, Mar 09, 2020 at 09:27:16AM +0800, yangerkun wrote:
> 
> 
> On 2020/3/8 8:19, Sasha Levin wrote:
> > On Sat, Mar 07, 2020 at 09:49:25AM +0800, yangerkun wrote:
> > > 
> > > 
> > > On 2020/3/6 21:39, Sasha Levin wrote:
> > > > On Thu, Mar 05, 2020 at 04:57:55PM +0800, yangerkun wrote:
> > > > > Nowdays, we trigger a oops:
> > > > > ...
> > > > > kasan: GPF could be caused by NULL-ptr deref or user memory
> > > > > accessgeneral protection fault: 0000 [#1] SMP KASAN
> > > > > ...
> > > > > Call Trace:
> > > > > [<ffffffff81a26fb1>] skcipher_recvmsg_async+0x3f1/0x1400
> > > > > x86/../crypto/algif_skcipher.c:543
> > > > > [<ffffffff81a28053>] skcipher_recvmsg+0x93/0x7f0
> > > > > x86/../crypto/algif_skcipher.c:723
> > > > > [<ffffffff823e43a4>] sock_recvmsg_nosec
> > > > > x86/../net/socket.c:702 [inline]
> > > > > [<ffffffff823e43a4>] sock_recvmsg x86/../net/socket.c:710 [inline]
> > > > > [<ffffffff823e43a4>] sock_recvmsg+0x94/0xc0 x86/../net/socket.c:705
> > > > > [<ffffffff823e464b>] sock_read_iter+0x27b/0x3a0 x86/../net/socket.c:787
> > > > > [<ffffffff817f479b>] aio_run_iocb+0x21b/0x7a0 x86/../fs/aio.c:1520
> > > > > [<ffffffff817f57c9>] io_submit_one x86/../fs/aio.c:1630 [inline]
> > > > > [<ffffffff817f57c9>] do_io_submit+0x6b9/0x10b0 x86/../fs/aio.c:1688
> > > > > [<ffffffff817f902d>] SYSC_io_submit x86/../fs/aio.c:1713 [inline]
> > > > > [<ffffffff817f902d>] SyS_io_submit+0x2d/0x40 x86/../fs/aio.c:1710
> > > > > [<ffffffff828b33c3>] tracesys_phase2+0x90/0x95
> > > > > 
> > > > > In skcipher_recvmsg_async, we use '!sreq->tsg' to determine does we
> > > > > calloc fail. However, kcalloc may return ZERO_SIZE_PTR, and with this,
> > > > > the latter sg_init_table will trigger the bug. Fix it be use
> > > > > ZERO_OF_NULL_PTR.
> > > > > 
> > > > > This function was introduced with ' commit a596999b7ddf ("crypto:
> > > > > algif - change algif_skcipher to be asynchronous")', and has
> > > > > been removed
> > > > > with 'commit e870456d8e7c ("crypto: algif_skcipher - overhaul memory
> > > > > management")'.
> > > > > 
> > > > > Reported-by: Hulk Robot <hulkci@huawei.com>
> > > > > Signed-off-by: yangerkun <yangerkun@huawei.com>
> > > > > ---
> > > > > crypto/algif_skcipher.c | 2 +-
> > > > > 1 file changed, 1 insertion(+), 1 deletion(-)
> > > > > 
> > > > > v1->v2:
> > > > > update the commit message
> > > > > 
> > > > > diff --git a/crypto/algif_skcipher.c b/crypto/algif_skcipher.c
> > > > > index d12782dc9683..9bd4691cc5c5 100644
> > > > > --- a/crypto/algif_skcipher.c
> > > > > +++ b/crypto/algif_skcipher.c
> > > > > @@ -538,7 +538,7 @@ static int skcipher_recvmsg_async(struct
> > > > > socket *sock, struct msghdr *msg,
> > > > >     lock_sock(sk);
> > > > >     tx_nents = skcipher_all_sg_nents(ctx);
> > > > >     sreq->tsg = kcalloc(tx_nents, sizeof(*sg), GFP_KERNEL);
> > > > > -    if (unlikely(!sreq->tsg))
> > > > > +    if (unlikely(ZERO_OR_NULL_PTR(sreq->tsg)))
> > > > 
> > > > I'm a bit confused: kcalloc() will return ZERO_SIZE_PTR for allocations
> > > > that ask for 0 bytes, but here we ask for "sizeof(*sg)" bytes, which is
> > > > guaranteed to be more than 0, no?
> > > 
> > > Actually, the size need to calloc is (tx_nents * sizeof(*sg)), and
> > > tx_nents is 0.
> > 
> > Makes sense. This is also needed on 4.9, right?
> 
> Yes! Thanks for checking it!

Now queued up,t hanks.

greg k-h

^ permalink raw reply	[flat|nested] 6+ messages in thread

end of thread, other threads:[~2020-03-10 12:14 UTC | newest]

Thread overview: 6+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-03-05  8:57 [PATCH 4.4.y v2] crypto: algif_skcipher - use ZERO_OR_NULL_PTR in skcipher_recvmsg_async yangerkun
2020-03-06 13:39 ` Sasha Levin
2020-03-07  1:49   ` yangerkun
2020-03-08  0:19     ` Sasha Levin
2020-03-09  1:27       ` yangerkun
2020-03-10 12:14         ` Greg KH

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).