From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Jan Engelhardt <jengelh@inai.de>,
"David S. Miller" <davem@davemloft.net>,
Herbert Xu <herbert@gondor.apana.org.au>
Subject: [PATCH 4.4 03/22] crypto: n2 - cure use after free
Date: Mon, 8 Jan 2018 13:59:30 +0100
Message-ID: <20180108125925.755410583@linuxfoundation.org>
In-Reply-To: <20180108125925.601688333@linuxfoundation.org>
4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jan Engelhardt <jengelh@inai.de>

commit 203f45003a3d03eea8fa28d74cfc74c354416fdb upstream.

queue_cache_init is first called for the Control Word Queue
(n2_crypto_probe). At that time, queue_cache[0] is NULL and a new
kmem_cache will be allocated. If the subsequent n2_register_algs call
fails, the kmem_cache will be released in queue_cache_destroy, but
queue_cache_init[0] is not set back to NULL.

So when the Module Arithmetic Unit gets probed next (n2_mau_probe),
queue_cache_init will not allocate a kmem_cache again, but leave it
as its bogus value, causing a BUG() to trigger when queue_cache[0] is
eventually passed to kmem_cache_zalloc:
n2_crypto: Found N2CP at /virtual-devices@100/n2cp@7
n2_crypto: Registered NCS HVAPI version 2.0
called queue_cache_init
n2_crypto: md5 alg registration failed
n2cp f028687c: /virtual-devices@100/n2cp@7: Unable to register algorithms.
called queue_cache_destroy
n2cp: probe of f028687c failed with error -22
n2_crypto: Found NCP at /virtual-devices@100/ncp@6
n2_crypto: Registered NCS HVAPI version 2.0
called queue_cache_init
kernel BUG at mm/slab.c:2993!
Call Trace:
[0000000000604488] kmem_cache_alloc+0x1a8/0x1e0
(inlined) kmem_cache_zalloc
(inlined) new_queue
(inlined) spu_queue_setup
(inlined) handle_exec_unit
[0000000010c61eb4] spu_mdesc_scan+0x1f4/0x460 [n2_crypto]
[0000000010c62b80] n2_mau_probe+0x100/0x220 [n2_crypto]
[000000000084b174] platform_drv_probe+0x34/0xc0
Signed-off-by: Jan Engelhardt <jengelh@inai.de>
Acked-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/crypto/n2_core.c | 3 +++
1 file changed, 3 insertions(+)
--- a/drivers/crypto/n2_core.c
+++ b/drivers/crypto/n2_core.c
@@ -1641,6 +1641,7 @@ static int queue_cache_init(void)
CWQ_ENTRY_SIZE, 0, NULL);
if (!queue_cache[HV_NCS_QTYPE_CWQ - 1]) {
kmem_cache_destroy(queue_cache[HV_NCS_QTYPE_MAU - 1]);
+ queue_cache[HV_NCS_QTYPE_MAU - 1] = NULL;
return -ENOMEM;
}
return 0;
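Review bot: The reset added in the CWQ allocation failure branch of queue_cache_init covers a path the changelog never mentions; the changelog only walks through the queue_cache_destroy case. Please add a sentence saying that this -ENOMEM branch left the same stale MAU pointer behind after kmem_cache_destroy(), so a later probe would have skipped allocation and reused the freed cache. A short comment above the new line noting that a NULL slot is what tells queue_cache_init to allocate would also make the intent clear to the next reader.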
@@ -1650,6 +1651,8 @@ static void queue_cache_destroy(void)
{
kmem_cache_destroy(queue_cache[HV_NCS_QTYPE_MAU - 1]);
kmem_cache_destroy(queue_cache[HV_NCS_QTYPE_CWQ - 1]);
+ queue_cache[HV_NCS_QTYPE_MAU - 1] = NULL;
+ queue_cache[HV_NCS_QTYPE_CWQ - 1] = NULL;
}
static int spu_queue_register(struct spu_queue *p, unsigned long q_type)
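Review bot: In queue_cache_destroy the two kmem_cache_destroy() calls and the two NULL assignments are written as separate groups, and the same destroy-then-clear pair is open-coded a third time in the queue_cache_init error branch. Consider pairing each destroy with its reset on adjacent lines, or moving both into one small static helper that takes the queue type, so a future caller cannot destroy a cache and forget to clear the slot. The changelog also writes "queue_cache_init[0]" where the array touched here is queue_cache; fixing that upstream would keep the description in line with the code.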