Patch "crypto: algif_skcipher - only call put_page on referenced and used pages" has been added to the 4.4-stable tree

Patch "crypto: algif_skcipher - only call put_page on referenced and used pages" has been added to the 4.4-stable tree

[gregkh]

This is a note to let you know that I've just added the patch titled

    crypto: algif_skcipher - only call put_page on referenced and used pages

to the 4.4-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     crypto-algif_skcipher-only-call-put_page-on-referenced-and-used-pages.patch
and it can be found in the queue-4.4 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@vger.kernel.org> know about it.


>From 445a582738de6802669aeed9c33ca406c23c3b1f Mon Sep 17 00:00:00 2001
From: Stephan Mueller <smueller@chronox.de>
Date: Wed, 16 Aug 2017 11:56:24 +0200
Subject: crypto: algif_skcipher - only call put_page on referenced and used pages

From: Stephan Mueller <smueller@chronox.de>

commit 445a582738de6802669aeed9c33ca406c23c3b1f upstream.

For asynchronous operation, SGs are allocated without a page mapped to
them or with a page that is not used (ref-counted). If the SGL is freed,
the code must only call put_page for an SG if there was a page assigned
and ref-counted in the first place.

This fixes a kernel crash when using io_submit with more than one iocb
using the sendmsg and sendpage (vmsplice/splice) interface.

Signed-off-by: Stephan Mueller <smueller@chronox.de>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 crypto/algif_skcipher.c |    9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

--- a/crypto/algif_skcipher.c
+++ b/crypto/algif_skcipher.c
@@ -86,8 +86,13 @@ static void skcipher_free_async_sgls(str
 	}
 	sgl = sreq->tsg;
 	n = sg_nents(sgl);
-	for_each_sg(sgl, sg, n, i)
-		put_page(sg_page(sg));
+	for_each_sg(sgl, sg, n, i) {
+		struct page *page = sg_page(sg);
+
+		/* some SGs may not have a page mapped */
+		if (page && page_ref_count(page))
+			put_page(page);
+	}
 
 	kfree(sreq->tsg);
 }


Patches currently in stable-queue which might be from smueller@chronox.de are

queue-4.4/crypto-algif_skcipher-only-call-put_page-on-referenced-and-used-pages.patch

Re: Patch "crypto: algif_skcipher - only call put_page on referenced and used pages" has been added to the 4.4-stable tree

[Greg KH]

On Mon, Sep 04, 2017 at 11:44:06AM +0200, gregkh@linuxfoundation.org wrote:
> 
> This is a note to let you know that I've just added the patch titled
> 
>     crypto: algif_skcipher - only call put_page on referenced and used pages
> 
> to the 4.4-stable tree which can be found at:
>     http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

Nope, this broke the build, sorry.  If you want it in 4.4-stable, please
provide a backported patch.

thanks,

greg k-h

Patch "crypto: algif_skcipher - only call put_page on referenced and used pages" has been added to the 4.4-stable tree

[gregkh]

This is a note to let you know that I've just added the patch titled

    crypto: algif_skcipher - only call put_page on referenced and used pages

to the 4.4-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     crypto-algif_skcipher-only-call-put_page-on-referenced-and-used-pages.patch
and it can be found in the queue-4.4 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@vger.kernel.org> know about it.


>From 445a582738de6802669aeed9c33ca406c23c3b1f Mon Sep 17 00:00:00 2001
From: Stephan Mueller <smueller@chronox.de>
Date: Wed, 16 Aug 2017 11:56:24 +0200
Subject: crypto: algif_skcipher - only call put_page on referenced and used pages

From: Stephan Mueller <smueller@chronox.de>

commit 445a582738de6802669aeed9c33ca406c23c3b1f upstream.

For asynchronous operation, SGs are allocated without a page mapped to
them or with a page that is not used (ref-counted). If the SGL is freed,
the code must only call put_page for an SG if there was a page assigned
and ref-counted in the first place.

This fixes a kernel crash when using io_submit with more than one iocb
using the sendmsg and sendpage (vmsplice/splice) interface.

Signed-off-by: Stephan Mueller <smueller@chronox.de>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>


---
 crypto/algif_skcipher.c |    9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

--- a/crypto/algif_skcipher.c
+++ b/crypto/algif_skcipher.c
@@ -86,8 +86,13 @@ static void skcipher_free_async_sgls(str
 	}
 	sgl = sreq->tsg;
 	n = sg_nents(sgl);
-	for_each_sg(sgl, sg, n, i)
-		put_page(sg_page(sg));
+	for_each_sg(sgl, sg, n, i) {
+		struct page *page = sg_page(sg);
+
+		/* some SGs may not have a page mapped */
+		if (page && atomic_read(&page->_count))
+			put_page(page);
+	}
 
 	kfree(sreq->tsg);
 }


Patches currently in stable-queue which might be from smueller@chronox.de are

queue-4.4/crypto-algif_skcipher-only-call-put_page-on-referenced-and-used-pages.patch