* [PATCH 1/2] crypto: hisilicon - Fix double free in sec_free_hw_sgl()
@ 2019-09-15 9:26 Yunfeng Ye
2019-09-15 9:31 ` [PATCH 2/2] crypto: hisilicon - Matching the dma address for dma_pool_free() Yunfeng Ye
2019-09-20 13:00 ` [PATCH 1/2] crypto: hisilicon - Fix double free in sec_free_hw_sgl() Herbert Xu
0 siblings, 2 replies; 3+ messages in thread
From: Yunfeng Ye @ 2019-09-15 9:26 UTC (permalink / raw)
To: herbert, davem, john.garry, Jonathan.Cameron, mcgrof
Cc: linux-crypto, linux-kernel
There are two problems in sec_free_hw_sgl():
First, when sgl_current->next is valid, @hw_sgl will be freed in the
first loop, but it free again after the loop.
Second, sgl_current and sgl_current->next_sgl is not match when
dma_pool_free() is invoked, the third parameter should be the dma
address of sgl_current, but sgl_current->next_sgl is the dma address
of next chain, so use sgl_current->next_sgl is wrong.
Fix this by deleting the last dma_pool_free() in sec_free_hw_sgl(),
modifying the condition for while loop, and matching the address for
dma_pool_free().
Fixes: 915e4e8413da ("crypto: hisilicon - SEC security accelerator driver")
Signed-off-by: Yunfeng Ye <yeyunfeng@huawei.com>
---
drivers/crypto/hisilicon/sec/sec_algs.c | 13 +++++++------
1 file changed, 7 insertions(+), 6 deletions(-)
diff --git a/drivers/crypto/hisilicon/sec/sec_algs.c b/drivers/crypto/hisilicon/sec/sec_algs.c
index 02768af0dccd..8c789b8671fc 100644
--- a/drivers/crypto/hisilicon/sec/sec_algs.c
+++ b/drivers/crypto/hisilicon/sec/sec_algs.c
@@ -215,17 +215,18 @@ static void sec_free_hw_sgl(struct sec_hw_sgl *hw_sgl,
dma_addr_t psec_sgl, struct sec_dev_info *info)
{
struct sec_hw_sgl *sgl_current, *sgl_next;
+ dma_addr_t sgl_next_dma;
- if (!hw_sgl)
- return;
sgl_current = hw_sgl;
- while (sgl_current->next) {
+ while (sgl_current) {
sgl_next = sgl_current->next;
- dma_pool_free(info->hw_sgl_pool, sgl_current,
- sgl_current->next_sgl);
+ sgl_next_dma = sgl_current->next_sgl;
+
+ dma_pool_free(info->hw_sgl_pool, sgl_current, psec_sgl);
+
sgl_current = sgl_next;
+ psec_sgl = sgl_next_dma;
}
- dma_pool_free(info->hw_sgl_pool, hw_sgl, psec_sgl);
}
static int sec_alg_skcipher_setkey(struct crypto_skcipher *tfm,
--
2.23.0
^ permalink raw reply related [flat|nested] 3+ messages in thread
* [PATCH 2/2] crypto: hisilicon - Matching the dma address for dma_pool_free()
2019-09-15 9:26 [PATCH 1/2] crypto: hisilicon - Fix double free in sec_free_hw_sgl() Yunfeng Ye
@ 2019-09-15 9:31 ` Yunfeng Ye
2019-09-20 13:00 ` [PATCH 1/2] crypto: hisilicon - Fix double free in sec_free_hw_sgl() Herbert Xu
1 sibling, 0 replies; 3+ messages in thread
From: Yunfeng Ye @ 2019-09-15 9:31 UTC (permalink / raw)
To: herbert, davem, john.garry, Jonathan.Cameron, mcgrof
Cc: linux-crypto, linux-kernel
When dma_pool_zalloc() fail in sec_alloc_and_fill_hw_sgl(),
dma_pool_free() is invoked, but the parameters that sgl_current and
sgl_current->next_sgl is not match.
Using sec_free_hw_sgl() instead of the original free routine.
Fixes: 915e4e8413da ("crypto: hisilicon - SEC security accelerator driver")
Signed-off-by: Yunfeng Ye <yeyunfeng@huawei.com>
---
drivers/crypto/hisilicon/sec/sec_algs.c | 44 +++++++++++--------------
1 file changed, 19 insertions(+), 25 deletions(-)
diff --git a/drivers/crypto/hisilicon/sec/sec_algs.c b/drivers/crypto/hisilicon/sec/sec_algs.c
index 8c789b8671fc..331a682415d1 100644
--- a/drivers/crypto/hisilicon/sec/sec_algs.c
+++ b/drivers/crypto/hisilicon/sec/sec_algs.c
@@ -153,6 +153,24 @@ static void sec_alg_skcipher_init_context(struct crypto_skcipher *atfm,
ctx->cipher_alg);
}
+static void sec_free_hw_sgl(struct sec_hw_sgl *hw_sgl,
+ dma_addr_t psec_sgl, struct sec_dev_info *info)
+{
+ struct sec_hw_sgl *sgl_current, *sgl_next;
+ dma_addr_t sgl_next_dma;
+
+ sgl_current = hw_sgl;
+ while (sgl_current) {
+ sgl_next = sgl_current->next;
+ sgl_next_dma = sgl_current->next_sgl;
+
+ dma_pool_free(info->hw_sgl_pool, sgl_current, psec_sgl);
+
+ sgl_current = sgl_next;
+ psec_sgl = sgl_next_dma;
+ }
+}
+
static int sec_alloc_and_fill_hw_sgl(struct sec_hw_sgl **sec_sgl,
dma_addr_t *psec_sgl,
struct scatterlist *sgl,
@@ -199,36 +217,12 @@ static int sec_alloc_and_fill_hw_sgl(struct sec_hw_sgl **sec_sgl,
return 0;
err_free_hw_sgls:
- sgl_current = *sec_sgl;
- while (sgl_current) {
- sgl_next = sgl_current->next;
- dma_pool_free(info->hw_sgl_pool, sgl_current,
- sgl_current->next_sgl);
- sgl_current = sgl_next;
- }
+ sec_free_hw_sgl(*sec_sgl, *psec_sgl, info);
*psec_sgl = 0;
return ret;
}
-static void sec_free_hw_sgl(struct sec_hw_sgl *hw_sgl,
- dma_addr_t psec_sgl, struct sec_dev_info *info)
-{
- struct sec_hw_sgl *sgl_current, *sgl_next;
- dma_addr_t sgl_next_dma;
-
- sgl_current = hw_sgl;
- while (sgl_current) {
- sgl_next = sgl_current->next;
- sgl_next_dma = sgl_current->next_sgl;
-
- dma_pool_free(info->hw_sgl_pool, sgl_current, psec_sgl);
-
- sgl_current = sgl_next;
- psec_sgl = sgl_next_dma;
- }
-}
-
static int sec_alg_skcipher_setkey(struct crypto_skcipher *tfm,
const u8 *key, unsigned int keylen,
enum sec_cipher_alg alg)
--
2.23.0
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [PATCH 1/2] crypto: hisilicon - Fix double free in sec_free_hw_sgl()
2019-09-15 9:26 [PATCH 1/2] crypto: hisilicon - Fix double free in sec_free_hw_sgl() Yunfeng Ye
2019-09-15 9:31 ` [PATCH 2/2] crypto: hisilicon - Matching the dma address for dma_pool_free() Yunfeng Ye
@ 2019-09-20 13:00 ` Herbert Xu
1 sibling, 0 replies; 3+ messages in thread
From: Herbert Xu @ 2019-09-20 13:00 UTC (permalink / raw)
To: Yunfeng Ye
Cc: davem, john.garry, Jonathan.Cameron, mcgrof, linux-crypto, linux-kernel
On Sun, Sep 15, 2019 at 05:26:56PM +0800, Yunfeng Ye wrote:
> There are two problems in sec_free_hw_sgl():
>
> First, when sgl_current->next is valid, @hw_sgl will be freed in the
> first loop, but it free again after the loop.
>
> Second, sgl_current and sgl_current->next_sgl is not match when
> dma_pool_free() is invoked, the third parameter should be the dma
> address of sgl_current, but sgl_current->next_sgl is the dma address
> of next chain, so use sgl_current->next_sgl is wrong.
>
> Fix this by deleting the last dma_pool_free() in sec_free_hw_sgl(),
> modifying the condition for while loop, and matching the address for
> dma_pool_free().
>
> Fixes: 915e4e8413da ("crypto: hisilicon - SEC security accelerator driver")
> Signed-off-by: Yunfeng Ye <yeyunfeng@huawei.com>
> ---
> drivers/crypto/hisilicon/sec/sec_algs.c | 13 +++++++------
> 1 file changed, 7 insertions(+), 6 deletions(-)
All applied. Thanks.
--
Email: Herbert Xu <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2019-09-20 13:01 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-09-15 9:26 [PATCH 1/2] crypto: hisilicon - Fix double free in sec_free_hw_sgl() Yunfeng Ye
2019-09-15 9:31 ` [PATCH 2/2] crypto: hisilicon - Matching the dma address for dma_pool_free() Yunfeng Ye
2019-09-20 13:00 ` [PATCH 1/2] crypto: hisilicon - Fix double free in sec_free_hw_sgl() Herbert Xu
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).