PATCHES/patches/stable-crypto-n2-cure-use-after-free.patch

From 203f45003a3d03eea8fa28d74cfc74c354416fdb Mon Sep 17 00:00:00 2001
From: Jan Engelhardt <jengelh@inai.de>
Date: Tue, 19 Dec 2017 19:09:07 +0100
Subject: crypto: n2 - cure use after free

From: Jan Engelhardt <jengelh@inai.de>

commit 203f45003a3d03eea8fa28d74cfc74c354416fdb upstream.

queue_cache_init is first called for the Control Word Queue
(n2_crypto_probe). At that time, queue_cache[0] is NULL and a new
kmem_cache will be allocated. If the subsequent n2_register_algs call
fails, the kmem_cache will be released in queue_cache_destroy, but
queue_cache_init[0] is not set back to NULL.

So when the Module Arithmetic Unit gets probed next (n2_mau_probe),
queue_cache_init will not allocate a kmem_cache again, but leave it
as its bogus value, causing a BUG() to trigger when queue_cache[0] is
eventually passed to kmem_cache_zalloc:

        n2_crypto: Found N2CP at /virtual-devices@100/n2cp@7
        n2_crypto: Registered NCS HVAPI version 2.0
        called queue_cache_init
        n2_crypto: md5 alg registration failed
        n2cp f028687c: /virtual-devices@100/n2cp@7: Unable to register algorithms.
        called queue_cache_destroy
        n2cp: probe of f028687c failed with error -22
        n2_crypto: Found NCP at /virtual-devices@100/ncp@6
        n2_crypto: Registered NCS HVAPI version 2.0
        called queue_cache_init
        kernel BUG at mm/slab.c:2993!
        Call Trace:
         [0000000000604488] kmem_cache_alloc+0x1a8/0x1e0
                  (inlined) kmem_cache_zalloc
                  (inlined) new_queue
                  (inlined) spu_queue_setup
                  (inlined) handle_exec_unit
         [0000000010c61eb4] spu_mdesc_scan+0x1f4/0x460 [n2_crypto]
         [0000000010c62b80] n2_mau_probe+0x100/0x220 [n2_crypto]
         [000000000084b174] platform_drv_probe+0x34/0xc0

Signed-off-by: Jan Engelhardt <jengelh@inai.de>
Acked-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/crypto/n2_core.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/drivers/crypto/n2_core.c
+++ b/drivers/crypto/n2_core.c
@@ -1641,6 +1641,7 @@ static int queue_cache_init(void)
                                          CWQ_ENTRY_SIZE, 0, NULL);
        if (!queue_cache[HV_NCS_QTYPE_CWQ - 1]) {
                kmem_cache_destroy(queue_cache[HV_NCS_QTYPE_MAU - 1]);
+               queue_cache[HV_NCS_QTYPE_MAU - 1] = NULL;
                return -ENOMEM;
        }
        return 0;
@@ -1650,6 +1651,8 @@ static void queue_cache_destroy(void)
 {
        kmem_cache_destroy(queue_cache[HV_NCS_QTYPE_MAU - 1]);
        kmem_cache_destroy(queue_cache[HV_NCS_QTYPE_CWQ - 1]);
+       queue_cache[HV_NCS_QTYPE_MAU - 1] = NULL;
+       queue_cache[HV_NCS_QTYPE_CWQ - 1] = NULL;
 }
 
 static int spu_queue_register(struct spu_queue *p, unsigned long q_type)
1	From 203f45003a3d03eea8fa28d74cfc74c354416fdb Mon Sep 17 00:00:00 2001
2	From: Jan Engelhardt <jengelh@inai.de>
3	Date: Tue, 19 Dec 2017 19:09:07 +0100
4	Subject: crypto: n2 - cure use after free
5
6	From: Jan Engelhardt <jengelh@inai.de>
7
8	commit 203f45003a3d03eea8fa28d74cfc74c354416fdb upstream.
9
10	queue_cache_init is first called for the Control Word Queue
11	(n2_crypto_probe). At that time, queue_cache[0] is NULL and a new
12	kmem_cache will be allocated. If the subsequent n2_register_algs call
13	fails, the kmem_cache will be released in queue_cache_destroy, but
14	queue_cache_init[0] is not set back to NULL.
15
16	So when the Module Arithmetic Unit gets probed next (n2_mau_probe),
17	queue_cache_init will not allocate a kmem_cache again, but leave it
18	as its bogus value, causing a BUG() to trigger when queue_cache[0] is
19	eventually passed to kmem_cache_zalloc:
20
21	n2_crypto: Found N2CP at /virtual-devices@100/n2cp@7
22	n2_crypto: Registered NCS HVAPI version 2.0
23	called queue_cache_init
24	n2_crypto: md5 alg registration failed
25	n2cp f028687c: /virtual-devices@100/n2cp@7: Unable to register algorithms.
26	called queue_cache_destroy
27	n2cp: probe of f028687c failed with error -22
28	n2_crypto: Found NCP at /virtual-devices@100/ncp@6
29	n2_crypto: Registered NCS HVAPI version 2.0
30	called queue_cache_init
31	kernel BUG at mm/slab.c:2993!
32	Call Trace:
33	[0000000000604488] kmem_cache_alloc+0x1a8/0x1e0
34	(inlined) kmem_cache_zalloc
35	(inlined) new_queue
36	(inlined) spu_queue_setup
37	(inlined) handle_exec_unit
38	[0000000010c61eb4] spu_mdesc_scan+0x1f4/0x460 [n2_crypto]
39	[0000000010c62b80] n2_mau_probe+0x100/0x220 [n2_crypto]
40	[000000000084b174] platform_drv_probe+0x34/0xc0
41
42	Signed-off-by: Jan Engelhardt <jengelh@inai.de>
43	Acked-by: David S. Miller <davem@davemloft.net>
44	Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
45	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
46
47	---
48	drivers/crypto/n2_core.c \| 3 +++
49	1 file changed, 3 insertions(+)
50
51	--- a/drivers/crypto/n2_core.c
52	+++ b/drivers/crypto/n2_core.c
53	@@ -1641,6 +1641,7 @@ static int queue_cache_init(void)
54	CWQ_ENTRY_SIZE, 0, NULL);
55	if (!queue_cache[HV_NCS_QTYPE_CWQ - 1]) {
56	kmem_cache_destroy(queue_cache[HV_NCS_QTYPE_MAU - 1]);
57	+ queue_cache[HV_NCS_QTYPE_MAU - 1] = NULL;
58	return -ENOMEM;
59	}
60	return 0;
61	@@ -1650,6 +1651,8 @@ static void queue_cache_destroy(void)
62	{
63	kmem_cache_destroy(queue_cache[HV_NCS_QTYPE_MAU - 1]);
64	kmem_cache_destroy(queue_cache[HV_NCS_QTYPE_CWQ - 1]);
65	+ queue_cache[HV_NCS_QTYPE_MAU - 1] = NULL;
66	+ queue_cache[HV_NCS_QTYPE_CWQ - 1] = NULL;
67	}
68
69	static int spu_queue_register(struct spu_queue *p, unsigned long q_type)