Am Dienstag, 13. September 2016, 18:08:16 CEST schrieb Herbert Xu:
Hi Herbert,
> This patch appears to be papering over a real bug.
>
> The async path should be exactly the same as the sync path, except
> that we don't wait for completion. So the question is why are we
> getting this crash here for async but not sync?
At least one reason is found in skcipher_recvmsg_async with the following code
path:
if (txbufs == tx_nents) {
struct scatterlist *tmp;
int x;
/* Ran out of tx slots in async request
* need to expand */
tmp = kcalloc(tx_nents * 2, sizeof(*tmp),
GFP_KERNEL);
if (!tmp)
goto free;
sg_init_table(tmp, tx_nents * 2);
for (x = 0; x < tx_nents; x++)
sg_set_page(&tmp[x], sg_page(&sreq->tsg[x]),
sreq->tsg[x].length,
sreq->tsg[x].offset);
kfree(sreq->tsg);
sreq->tsg = tmp;
tx_nents *= 2;
mark = true;
}
==> the code allocates twice the amount of the previously existing memory,
copies the existing SGs over, but does not set the remaining SGs to anything.
If the caller provides less pages than the number of allocated SGs, some SGs
are unset. Hence, the deallocation must not do anything with the yet
uninitialized SGs.
Ciao
Stephan
--
To unsubscribe from this list: send the line "unsubscribe linux-crypto" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
