Linux s390 Architecture development
 help / color / mirror / Atom feed
From: sashiko-bot@kernel.org
To: "Harald Freudenberger" <freude@linux.ibm.com>
Cc: linux-s390@vger.kernel.org, "Heiko Carstens" <hca@linux.ibm.com>,
	"Vasily Gorbik" <gor@linux.ibm.com>,
	"Alexander Gordeev" <agordeev@linux.ibm.com>
Subject: Re: [PATCH v2 1/1] s390/pkey: Rework ioctl functions error pathes
Date: Fri, 03 Jul 2026 09:57:05 +0000	[thread overview]
Message-ID: <20260703095706.2382B1F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260703094618.5916-2-freude@linux.ibm.com>

Thank you for your contribution! Sashiko AI review found 2 potential issue(s) to consider:
- [Critical] Passing ERR_PTR values from `_copy_key_from_user` or `_copy_apqns_from_user` to `kfree()` and `kfree_sensitive()` causes a deterministic kernel panic.
- [Critical] Accidental removal of the `ktp.pkeylen` update in `pkey_ioctl_kblob2protk3` breaks the userspace ABI.
--

Note: Due to recitation restrictions, this report does not use the standard
inline quoting format to show the modified code. Instead, I am providing a
free-form summary of the issues found in the patch.

commit 280086862168752a0b3725329891a790006a089e
Author: Harald Freudenberger <freude@linux.ibm.com>
s390/pkey: Rework ioctl functions error pathes

This commit refactors the error handling and free paths in the pkey ioctl
functions. It replaces duplicated cleanup code with centralized goto labels
to handle freeing memory and zeroing operations at the end of each function.


[Severity: Critical]
When _copy_key_from_user() or _copy_apqns_from_user() fails and returns an
ERR_PTR, does the jump to the out label cause kfree() or kfree_sensitive() 
to dereference that ERR_PTR?

In drivers/s390/crypto/pkey_api.c, several ioctl functions check for IS_ERR()
after copying from user space. If an error occurs, they assign rc and then 
execute goto out. However, at the out label, the pointer is unconditionally 
passed to the freeing functions. Passing an ERR_PTR (such as -EFAULT) to the
kfree family causes the slab allocator to attempt dereferencing an invalid 
address, resulting in a kernel panic. 

This pattern appears to be introduced across multiple functions, including
pkey_ioctl_kblob2protk(), pkey_ioctl_clr2seck2(), pkey_ioctl_verifykey2(),
pkey_ioctl_kblob2protk2(), pkey_ioctl_apqns4k(), and
pkey_ioctl_kblob2protk3().


[Severity: Critical]
Was the assignment of ktp.pkeylen intentionally removed in 
pkey_ioctl_kblob2protk3()? 

During the refactoring in drivers/s390/crypto/pkey_api.c, the line 
ktp.pkeylen = protkeylen; was dropped right before the final copy_to_user() 
call. Dropping this assignment prevents the kernel from returning the actual 
size of the derived key back to userspace. Will this break the ABI for 
applications relying on this size query?

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260703094618.5916-2-freude@linux.ibm.com?part=1

      reply	other threads:[~2026-07-03  9:57 UTC|newest]

Thread overview: 3+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-07-03  9:46 [PATCH v2 0/1] Rework pkey ioctl functions error pathes Harald Freudenberger
2026-07-03  9:46 ` [PATCH v2 1/1] s390/pkey: Rework " Harald Freudenberger
2026-07-03  9:57   ` sashiko-bot [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260703095706.2382B1F000E9@smtp.kernel.org \
    --to=sashiko-bot@kernel.org \
    --cc=agordeev@linux.ibm.com \
    --cc=freude@linux.ibm.com \
    --cc=gor@linux.ibm.com \
    --cc=hca@linux.ibm.com \
    --cc=linux-s390@vger.kernel.org \
    --cc=sashiko-reviews@lists.linux.dev \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox