1 |
From 203f45003a3d03eea8fa28d74cfc74c354416fdb Mon Sep 17 00:00:00 2001 |
2 |
From: Jan Engelhardt <jengelh@inai.de> |
3 |
Date: Tue, 19 Dec 2017 19:09:07 +0100 |
4 |
Subject: crypto: n2 - cure use after free |
5 |
|
6 |
From: Jan Engelhardt <jengelh@inai.de> |
7 |
|
8 |
commit 203f45003a3d03eea8fa28d74cfc74c354416fdb upstream. |
9 |
|
10 |
queue_cache_init is first called for the Control Word Queue |
11 |
(n2_crypto_probe). At that time, queue_cache[0] is NULL and a new |
12 |
kmem_cache will be allocated. If the subsequent n2_register_algs call |
13 |
fails, the kmem_cache will be released in queue_cache_destroy, but |
14 |
queue_cache_init[0] is not set back to NULL. |
15 |
|
16 |
So when the Module Arithmetic Unit gets probed next (n2_mau_probe), |
17 |
queue_cache_init will not allocate a kmem_cache again, but leave it |
18 |
as its bogus value, causing a BUG() to trigger when queue_cache[0] is |
19 |
eventually passed to kmem_cache_zalloc: |
20 |
|
21 |
n2_crypto: Found N2CP at /virtual-devices@100/n2cp@7 |
22 |
n2_crypto: Registered NCS HVAPI version 2.0 |
23 |
called queue_cache_init |
24 |
n2_crypto: md5 alg registration failed |
25 |
n2cp f028687c: /virtual-devices@100/n2cp@7: Unable to register algorithms. |
26 |
called queue_cache_destroy |
27 |
n2cp: probe of f028687c failed with error -22 |
28 |
n2_crypto: Found NCP at /virtual-devices@100/ncp@6 |
29 |
n2_crypto: Registered NCS HVAPI version 2.0 |
30 |
called queue_cache_init |
31 |
kernel BUG at mm/slab.c:2993! |
32 |
Call Trace: |
33 |
[0000000000604488] kmem_cache_alloc+0x1a8/0x1e0 |
34 |
(inlined) kmem_cache_zalloc |
35 |
(inlined) new_queue |
36 |
(inlined) spu_queue_setup |
37 |
(inlined) handle_exec_unit |
38 |
[0000000010c61eb4] spu_mdesc_scan+0x1f4/0x460 [n2_crypto] |
39 |
[0000000010c62b80] n2_mau_probe+0x100/0x220 [n2_crypto] |
40 |
[000000000084b174] platform_drv_probe+0x34/0xc0 |
41 |
|
42 |
Signed-off-by: Jan Engelhardt <jengelh@inai.de> |
43 |
Acked-by: David S. Miller <davem@davemloft.net> |
44 |
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> |
45 |
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
46 |
|
47 |
--- |
48 |
drivers/crypto/n2_core.c | 3 +++ |
49 |
1 file changed, 3 insertions(+) |
50 |
|
51 |
--- a/drivers/crypto/n2_core.c |
52 |
+++ b/drivers/crypto/n2_core.c |
53 |
@@ -1641,6 +1641,7 @@ static int queue_cache_init(void) |
54 |
CWQ_ENTRY_SIZE, 0, NULL); |
55 |
if (!queue_cache[HV_NCS_QTYPE_CWQ - 1]) { |
56 |
kmem_cache_destroy(queue_cache[HV_NCS_QTYPE_MAU - 1]); |
57 |
+ queue_cache[HV_NCS_QTYPE_MAU - 1] = NULL; |
58 |
return -ENOMEM; |
59 |
} |
60 |
return 0; |
61 |
@@ -1650,6 +1651,8 @@ static void queue_cache_destroy(void) |
62 |
{ |
63 |
kmem_cache_destroy(queue_cache[HV_NCS_QTYPE_MAU - 1]); |
64 |
kmem_cache_destroy(queue_cache[HV_NCS_QTYPE_CWQ - 1]); |
65 |
+ queue_cache[HV_NCS_QTYPE_MAU - 1] = NULL; |
66 |
+ queue_cache[HV_NCS_QTYPE_CWQ - 1] = NULL; |
67 |
} |
68 |
|
69 |
static int spu_queue_register(struct spu_queue *p, unsigned long q_type) |