On Tue, 2016-04-12 at 09:45 +0000, Xiaodong Liu wrote:
> In sha_complete_job, incorrect mcryptd_hash_request_ctx pointer is
> used
> when check and complete other jobs. If the memory of first completed
> req
> is freed, while still completing other jobs in the func, kernel will
> crash since NULL pointer is assigned to RIP.
> Signed-off-by: Xiaodong Liu <xiaodong.liu@xxxxxxxxx>
> ---
> arch/x86/crypto/sha-mb/sha1_mb.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/arch/x86/crypto/sha-mb/sha1_mb.c b/arch/x86/crypto/sha-
> mb/sha1_mb.c
> index a8a0224..081255c 100644
> --- a/arch/x86/crypto/sha-mb/sha1_mb.c
> +++ b/arch/x86/crypto/sha-mb/sha1_mb.c
> @@ -453,10 +453,10 @@ static int sha_complete_job(struct
> mcryptd_hash_request_ctx *rctx,
>
> req = cast_mcryptd_ctx_to_req(req_ctx);
> if (irqs_disabled())
> - rctx->complete(&req->base, ret);
> + req_ctx->complete(&req->base, ret);
> else {
> local_bh_disable();
> - rctx->complete(&req->base, ret);
> + req_ctx->complete(&req->base, ret);
> local_bh_enable();
> }
Agreed. Should use req_ctx which is the ctx for the
next job that have been completed in the lanes
instead of the first completed job rctx, whose
completion could have been called and released.
Should be propagated back to stable release.
Acked-by: Tim Chen <tim.c.chen@xxxxxxxxxxxxxxx>
Tim
>
> }
--
To unsubscribe from this list: send the line "unsubscribe linux-crypto" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
