[bug report] crypto: hisilicon - SEC security accelerator driver

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Hello Jonathan Cameron,

The patch 915e4e8413da: "crypto: hisilicon - SEC security accelerator
driver" from Jul 23, 2018, leads to the following static checker
warning:

	drivers/crypto/hisilicon/sec/sec_algs.c:865 sec_alg_skcipher_crypto()
	error: double free of 'split_sizes'

drivers/crypto/hisilicon/sec/sec_algs.c
   808  
   809          /* Cleanup - all elements in pointer arrays have been coppied */
   810          kfree(splits_in_nents);
   811          kfree(splits_in);
   812          kfree(splits_out_nents);
   813          kfree(splits_out);
   814          kfree(split_sizes);
                      ^^^^^^^^^^^
Free

   815  
   816          /* Grab a big lock for a long time to avoid concurrency issues */
   817          mutex_lock(&queue->queuelock);
   818  
   819          /*
   820           * Can go on to queue if we have space in either:
   821           * 1) The hardware queue and no software queue
   822           * 2) The software queue
   823           * AND there is nothing in the backlog.  If there is backlog we
   824           * have to only queue to the backlog queue and return busy.
   825           */
   826          if ((!sec_queue_can_enqueue(queue, steps) &&
   827               (!queue->havesoftqueue ||
   828                kfifo_avail(&queue->softqueue) > steps)) ||
   829              !list_empty(&ctx->backlog)) {
   830                  if ((skreq->base.flags & CRYPTO_TFM_REQ_MAY_BACKLOG)) {
   831                          list_add_tail(&sec_req->backlog_head, &ctx->backlog);
   832                          mutex_unlock(&queue->queuelock);
   833                          return -EBUSY;
   834                  }
   835  
   836                  ret = -EBUSY;
   837                  mutex_unlock(&queue->queuelock);
   838                  goto err_free_elements;
                        ^^^^^^^^^^^^^^^^^^^^^^
   839          }
   840          ret = sec_send_request(sec_req, queue);
   841          mutex_unlock(&queue->queuelock);
   842          if (ret)
   843                  goto err_free_elements;
                        ^^^^^^^^^^^^^^^^^^^^^^
   844  
   845          return -EINPROGRESS;
   846  
   847  err_free_elements:
   848          list_for_each_entry_safe(el, temp, &sec_req->elements, head) {
   849                  list_del(&el->head);
   850                  sec_alg_free_el(el, info);
   851          }
   852          if (crypto_skcipher_ivsize(atfm))
   853                  dma_unmap_single(info->dev, sec_req->dma_iv,
   854                                   crypto_skcipher_ivsize(atfm),
   855                                   DMA_BIDIRECTIONAL);
   856  err_unmap_out_sg:
   857          if (skreq->src != skreq->dst)
   858                  sec_unmap_sg_on_err(skreq->dst, steps, splits_out,
   859                                      splits_out_nents, sec_req->len_out,
   860                                      info->dev);
   861  err_unmap_in_sg:
   862          sec_unmap_sg_on_err(skreq->src, steps, splits_in, splits_in_nents,
   863                              sec_req->len_in, info->dev);
   864  err_free_split_sizes:
   865          kfree(split_sizes);
                ^^^^^^^^^^^^^^^^^^^
Double free.

   866  
   867          return ret;
   868  }

regards,
dan carpenter
[Index of Archives]     [Kernel]     [Gnu Classpath]     [Gnu Crypto]     [DM Crypt]     [Netfilter]     [Bugtraq]

  Powered by Linux