On Wed, Nov 01, 2017 at 03:25:16PM -0700, Eric Biggers wrote:
> From: Eric Biggers <ebiggers@xxxxxxxxxx>
>
> When setting the secret with the "qat-dh" Diffie-Hellman implementation,
> if allocating 'g' failed, then 'p' was freed twice: once immediately,
> and once later when the crypto_kpp tfm was destroyed. Fix it by using
> qat_dh_clear_ctx() in the error paths, as that sets the pointers to
> NULL.
>
> Fixes: c9839143ebbf ("crypto: qat - Add DH support")
> Cc: <stable@xxxxxxxxxxxxxxx> # v4.8+
> Signed-off-by: Eric Biggers <ebiggers@xxxxxxxxxx>
> ---
> drivers/crypto/qat/qat_common/qat_asym_algs.c | 15 ++++++++-------
> 1 file changed, 8 insertions(+), 7 deletions(-)
>
> diff --git a/drivers/crypto/qat/qat_common/qat_asym_algs.c b/drivers/crypto/qat/qat_common/qat_asym_algs.c
> index 6f5dd68449c6..7655fdb499de 100644
> --- a/drivers/crypto/qat/qat_common/qat_asym_algs.c
> +++ b/drivers/crypto/qat/qat_common/qat_asym_algs.c
> @@ -462,11 +462,8 @@ static int qat_dh_set_params(struct qat_dh_ctx *ctx, struct dh *params)
> }
>
> ctx->g = dma_zalloc_coherent(dev, ctx->p_size, &ctx->dma_g, GFP_KERNEL);
> - if (!ctx->g) {
> - dma_free_coherent(dev, ctx->p_size, ctx->p, ctx->dma_p);
> - ctx->p = NULL;
> + if (!ctx->g)
Sorry, I misread this code (and I didn't have the hardware to test this driver);
there is actually no bug here because it sets ctx->p to NULL.
I think we should still do this patch to simplify the code, but I'll update the
description to reflect that it's not actually fixing anything.
Eric
