linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
* [PATCH 1/2] crypto: hisilicon - Fix double free in sec_free_hw_sgl()
@ 2019-09-15  9:26 Yunfeng Ye
  2019-09-15  9:31 ` [PATCH 2/2] crypto: hisilicon - Matching the dma address for dma_pool_free() Yunfeng Ye
  2019-09-20 13:00 ` [PATCH 1/2] crypto: hisilicon - Fix double free in sec_free_hw_sgl() Herbert Xu
  0 siblings, 2 replies; 3+ messages in thread
From: Yunfeng Ye @ 2019-09-15  9:26 UTC (permalink / raw)
  To: herbert, davem, john.garry, Jonathan.Cameron, mcgrof
  Cc: linux-crypto, linux-kernel

There are two problems in sec_free_hw_sgl():

First, when sgl_current->next is valid, @hw_sgl will be freed in the
first loop, but it free again after the loop.

Second, sgl_current and sgl_current->next_sgl is not match when
dma_pool_free() is invoked, the third parameter should be the dma
address of sgl_current, but sgl_current->next_sgl is the dma address
of next chain, so use sgl_current->next_sgl is wrong.

Fix this by deleting the last dma_pool_free() in sec_free_hw_sgl(),
modifying the condition for while loop, and matching the address for
dma_pool_free().

Fixes: 915e4e8413da ("crypto: hisilicon - SEC security accelerator driver")
Signed-off-by: Yunfeng Ye <yeyunfeng@huawei.com>
---
 drivers/crypto/hisilicon/sec/sec_algs.c | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)

diff --git a/drivers/crypto/hisilicon/sec/sec_algs.c b/drivers/crypto/hisilicon/sec/sec_algs.c
index 02768af0dccd..8c789b8671fc 100644
--- a/drivers/crypto/hisilicon/sec/sec_algs.c
+++ b/drivers/crypto/hisilicon/sec/sec_algs.c
@@ -215,17 +215,18 @@ static void sec_free_hw_sgl(struct sec_hw_sgl *hw_sgl,
 			    dma_addr_t psec_sgl, struct sec_dev_info *info)
 {
 	struct sec_hw_sgl *sgl_current, *sgl_next;
+	dma_addr_t sgl_next_dma;

-	if (!hw_sgl)
-		return;
 	sgl_current = hw_sgl;
-	while (sgl_current->next) {
+	while (sgl_current) {
 		sgl_next = sgl_current->next;
-		dma_pool_free(info->hw_sgl_pool, sgl_current,
-			      sgl_current->next_sgl);
+		sgl_next_dma = sgl_current->next_sgl;
+
+		dma_pool_free(info->hw_sgl_pool, sgl_current, psec_sgl);
+
 		sgl_current = sgl_next;
+		psec_sgl = sgl_next_dma;
 	}
-	dma_pool_free(info->hw_sgl_pool, hw_sgl, psec_sgl);
 }

 static int sec_alg_skcipher_setkey(struct crypto_skcipher *tfm,
-- 
2.23.0


^ permalink raw reply related	[flat|nested] 3+ messages in thread
* [PATCH 2/2] crypto: hisilicon - Matching the dma address for dma_pool_free()
  2019-09-15  9:26 [PATCH 1/2] crypto: hisilicon - Fix double free in sec_free_hw_sgl() Yunfeng Ye
@ 2019-09-15  9:31 ` Yunfeng Ye
  2019-09-20 13:00 ` [PATCH 1/2] crypto: hisilicon - Fix double free in sec_free_hw_sgl() Herbert Xu
  1 sibling, 0 replies; 3+ messages in thread
From: Yunfeng Ye @ 2019-09-15  9:31 UTC (permalink / raw)
  To: herbert, davem, john.garry, Jonathan.Cameron, mcgrof
  Cc: linux-crypto, linux-kernel

When dma_pool_zalloc() fail in sec_alloc_and_fill_hw_sgl(),
dma_pool_free() is invoked, but the parameters that sgl_current and
sgl_current->next_sgl is not match.

Using sec_free_hw_sgl() instead of the original free routine.

Fixes: 915e4e8413da ("crypto: hisilicon - SEC security accelerator driver")
Signed-off-by: Yunfeng Ye <yeyunfeng@huawei.com>
---
 drivers/crypto/hisilicon/sec/sec_algs.c | 44 +++++++++++--------------
 1 file changed, 19 insertions(+), 25 deletions(-)

diff --git a/drivers/crypto/hisilicon/sec/sec_algs.c b/drivers/crypto/hisilicon/sec/sec_algs.c
index 8c789b8671fc..331a682415d1 100644
--- a/drivers/crypto/hisilicon/sec/sec_algs.c
+++ b/drivers/crypto/hisilicon/sec/sec_algs.c
@@ -153,6 +153,24 @@ static void sec_alg_skcipher_init_context(struct crypto_skcipher *atfm,
 				       ctx->cipher_alg);
 }

+static void sec_free_hw_sgl(struct sec_hw_sgl *hw_sgl,
+			    dma_addr_t psec_sgl, struct sec_dev_info *info)
+{
+	struct sec_hw_sgl *sgl_current, *sgl_next;
+	dma_addr_t sgl_next_dma;
+
+	sgl_current = hw_sgl;
+	while (sgl_current) {
+		sgl_next = sgl_current->next;
+		sgl_next_dma = sgl_current->next_sgl;
+
+		dma_pool_free(info->hw_sgl_pool, sgl_current, psec_sgl);
+
+		sgl_current = sgl_next;
+		psec_sgl = sgl_next_dma;
+	}
+}
+
 static int sec_alloc_and_fill_hw_sgl(struct sec_hw_sgl **sec_sgl,
 				     dma_addr_t *psec_sgl,
 				     struct scatterlist *sgl,
@@ -199,36 +217,12 @@ static int sec_alloc_and_fill_hw_sgl(struct sec_hw_sgl **sec_sgl,
 	return 0;

 err_free_hw_sgls:
-	sgl_current = *sec_sgl;
-	while (sgl_current) {
-		sgl_next = sgl_current->next;
-		dma_pool_free(info->hw_sgl_pool, sgl_current,
-			      sgl_current->next_sgl);
-		sgl_current = sgl_next;
-	}
+	sec_free_hw_sgl(*sec_sgl, *psec_sgl, info);
 	*psec_sgl = 0;

 	return ret;
 }

-static void sec_free_hw_sgl(struct sec_hw_sgl *hw_sgl,
-			    dma_addr_t psec_sgl, struct sec_dev_info *info)
-{
-	struct sec_hw_sgl *sgl_current, *sgl_next;
-	dma_addr_t sgl_next_dma;
-
-	sgl_current = hw_sgl;
-	while (sgl_current) {
-		sgl_next = sgl_current->next;
-		sgl_next_dma = sgl_current->next_sgl;
-
-		dma_pool_free(info->hw_sgl_pool, sgl_current, psec_sgl);
-
-		sgl_current = sgl_next;
-		psec_sgl = sgl_next_dma;
-	}
-}
-
 static int sec_alg_skcipher_setkey(struct crypto_skcipher *tfm,
 				   const u8 *key, unsigned int keylen,
 				   enum sec_cipher_alg alg)
-- 
2.23.0


^ permalink raw reply related	[flat|nested] 3+ messages in thread
* Re: [PATCH 1/2] crypto: hisilicon - Fix double free in sec_free_hw_sgl()
  2019-09-15  9:26 [PATCH 1/2] crypto: hisilicon - Fix double free in sec_free_hw_sgl() Yunfeng Ye
  2019-09-15  9:31 ` [PATCH 2/2] crypto: hisilicon - Matching the dma address for dma_pool_free() Yunfeng Ye
@ 2019-09-20 13:00 ` Herbert Xu
  1 sibling, 0 replies; 3+ messages in thread
From: Herbert Xu @ 2019-09-20 13:00 UTC (permalink / raw)
  To: Yunfeng Ye
  Cc: davem, john.garry, Jonathan.Cameron, mcgrof, linux-crypto, linux-kernel

On Sun, Sep 15, 2019 at 05:26:56PM +0800, Yunfeng Ye wrote:
> There are two problems in sec_free_hw_sgl():
> 
> First, when sgl_current->next is valid, @hw_sgl will be freed in the
> first loop, but it free again after the loop.
> 
> Second, sgl_current and sgl_current->next_sgl is not match when
> dma_pool_free() is invoked, the third parameter should be the dma
> address of sgl_current, but sgl_current->next_sgl is the dma address
> of next chain, so use sgl_current->next_sgl is wrong.
> 
> Fix this by deleting the last dma_pool_free() in sec_free_hw_sgl(),
> modifying the condition for while loop, and matching the address for
> dma_pool_free().
> 
> Fixes: 915e4e8413da ("crypto: hisilicon - SEC security accelerator driver")
> Signed-off-by: Yunfeng Ye <yeyunfeng@huawei.com>
> ---
>  drivers/crypto/hisilicon/sec/sec_algs.c | 13 +++++++------
>  1 file changed, 7 insertions(+), 6 deletions(-)

All applied.  Thanks.
-- 
Email: Herbert Xu <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt

^ permalink raw reply	[flat|nested] 3+ messages in thread
end of thread, other threads:[~2019-09-20 13:01 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-09-15  9:26 [PATCH 1/2] crypto: hisilicon - Fix double free in sec_free_hw_sgl() Yunfeng Ye
2019-09-15  9:31 ` [PATCH 2/2] crypto: hisilicon - Matching the dma address for dma_pool_free() Yunfeng Ye
2019-09-20 13:00 ` [PATCH 1/2] crypto: hisilicon - Fix double free in sec_free_hw_sgl() Herbert Xu

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).