Re: [PATCH v3] crypto: only call put_page on referenced and used pages

Linux cryptographic layer development
 help / color / mirror / Atom feed

From: Stephan Mueller <smueller@chronox.de>
To: Herbert Xu <herbert@gondor.apana.org.au>
Cc: linux-crypto@vger.kernel.org
Subject: Re: [PATCH v3] crypto: only call put_page on referenced and used pages
Date: Tue, 13 Sep 2016 13:27:34 +0200	[thread overview]
Message-ID: <6581903.GBJMzZudEe@tauon.atsec.com> (raw)
In-Reply-To: <20160913100816.GA30804@gondor.apana.org.au>

Am Dienstag, 13. September 2016, 18:08:16 CEST schrieb Herbert Xu:

Hi Herbert,

> This patch appears to be papering over a real bug.
> 
> The async path should be exactly the same as the sync path, except
> that we don't wait for completion.  So the question is why are we
> getting this crash here for async but not sync?

At least one reason is found in skcipher_recvmsg_async with the following code 
path:

 if (txbufs == tx_nents) {
                        struct scatterlist *tmp;
                        int x;
                        /* Ran out of tx slots in async request
                         * need to expand */
                        tmp = kcalloc(tx_nents * 2, sizeof(*tmp),
                                      GFP_KERNEL);
                        if (!tmp)
                                goto free;

                        sg_init_table(tmp, tx_nents * 2);
                        for (x = 0; x < tx_nents; x++)
                                sg_set_page(&tmp[x], sg_page(&sreq->tsg[x]),
                                            sreq->tsg[x].length,
                                            sreq->tsg[x].offset);
                        kfree(sreq->tsg);
                        sreq->tsg = tmp;
                        tx_nents *= 2;
                        mark = true;
                }


==> the code allocates twice the amount of the previously existing memory, 
copies the existing SGs over, but does not set the remaining SGs to anything. 
If the caller provides less pages than the number of allocated SGs, some SGs 
are unset. Hence, the deallocation must not do anything with the yet 
uninitialized SGs.

Ciao
Stephan

next prev parent reply	other threads:[~2016-09-13 11:27 UTC|newest]

Thread overview: 5+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2016-09-12 12:43 Memory corruption in algif_skciper AIO sendpage with multiple iocb Stephan Mueller
2016-09-13  8:18 ` [PATCH v3] crypto: only call put_page on referenced and used pages Stephan Mueller
2016-09-13 10:08   ` Herbert Xu
2016-09-13 11:27     ` Stephan Mueller [this message]
2016-11-11 14:28       ` Stephan Mueller

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=6581903.GBJMzZudEe@tauon.atsec.com \
    --to=smueller@chronox.de \
    --cc=herbert@gondor.apana.org.au \
    --cc=linux-crypto@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox