On Tue, Nov 07, 2023 at 02:37:17AM +0000, Dmitry Safonov wrote: > The cloned child of ahash that uses shash under the hood should use > shash helpers (like crypto_shash_setkey()). > > The following panic may be observed on TCP-AO selftests: > > > ================================================================== > > BUG: KASAN: wild-memory-access in crypto_mod_get+0x1b/0x60 > > Write of size 4 at addr 5d5be0ff5c415e14 by task connect_ipv4/1397 > > > > CPU: 0 PID: 1397 Comm: connect_ipv4 Tainted: G W 6.6.0+ #47 > > Call Trace: > > <TASK> > > dump_stack_lvl+0x46/0x70 > > kasan_report+0xc3/0xf0 > > kasan_check_range+0xec/0x190 > > crypto_mod_get+0x1b/0x60 > > crypto_spawn_alg+0x53/0x140 > > crypto_spawn_tfm2+0x13/0x60 > > hmac_init_tfm+0x25/0x60 > > crypto_ahash_setkey+0x8b/0x100 > > tcp_ao_add_cmd+0xe7a/0x1120 > > do_tcp_setsockopt+0x5ed/0x12a0 > > do_sock_setsockopt+0x82/0x100 > > __sys_setsockopt+0xe9/0x160 > > __x64_sys_setsockopt+0x60/0x70 > > do_syscall_64+0x3c/0xe0 > > entry_SYSCALL_64_after_hwframe+0x46/0x4e > > ================================================================== > > general protection fault, probably for non-canonical address 0x5d5be0ff5c415e14: 0000 [#1] PREEMPT SMP KASAN > > CPU: 0 PID: 1397 Comm: connect_ipv4 Tainted: G B W 6.6.0+ #47 > > Call Trace: > > <TASK> > > ? die_addr+0x3c/0xa0 > > ? exc_general_protection+0x144/0x210 > > ? asm_exc_general_protection+0x22/0x30 > > ? add_taint+0x26/0x90 > > ? crypto_mod_get+0x20/0x60 > > ? crypto_mod_get+0x1b/0x60 > > ? ahash_def_finup_done1+0x58/0x80 > > crypto_spawn_alg+0x53/0x140 > > crypto_spawn_tfm2+0x13/0x60 > > hmac_init_tfm+0x25/0x60 > > crypto_ahash_setkey+0x8b/0x100 > > tcp_ao_add_cmd+0xe7a/0x1120 > > do_tcp_setsockopt+0x5ed/0x12a0 > > do_sock_setsockopt+0x82/0x100 > > __sys_setsockopt+0xe9/0x160 > > __x64_sys_setsockopt+0x60/0x70 > > do_syscall_64+0x3c/0xe0 > > entry_SYSCALL_64_after_hwframe+0x46/0x4e > > </TASK> > > RIP: 0010:crypto_mod_get+0x20/0x60 > > Make sure that the child/clone has using_shash set when parent is > an shash user. > > Fixes: 2f1f34c1bf7b ("crypto: ahash - optimize performance when wrapping shash") > Cc: David Ahern <dsahern@xxxxxxxxxx> > Cc: "David S. Miller" <davem@xxxxxxxxxxxxx> > Cc: Dmitry Safonov <0x7f454c46@xxxxxxxxx> > Cc: Eric Biggers <ebiggers@xxxxxxxxxx> > Cc: Eric Dumazet <edumazet@xxxxxxxxxx> > Cc: Francesco Ruggeri <fruggeri05@xxxxxxxxx> > To: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx> > Cc: Jakub Kicinski <kuba@xxxxxxxxxx> > Cc: Paolo Abeni <pabeni@xxxxxxxxxx> > Cc: Salam Noureddine <noureddine@xxxxxxxxxx> > Cc: netdev@xxxxxxxxxxxxxxx > Cc: linux-crypto@xxxxxxxxxxxxxxx > Cc: linux-kernel@xxxxxxxxxxxxxxx > Signed-off-by: Dmitry Safonov <dima@xxxxxxxxxx> > --- > crypto/ahash.c | 1 + > 1 file changed, 1 insertion(+) > > diff --git a/crypto/ahash.c b/crypto/ahash.c > index deee55f939dc..80c3e5354711 100644 > --- a/crypto/ahash.c > +++ b/crypto/ahash.c > @@ -651,6 +651,7 @@ struct crypto_ahash *crypto_clone_ahash(struct crypto_ahash *hash) > err = PTR_ERR(shash); > goto out_free_nhash; > } > + nhash->using_shash = true; > *nctx = shash; > return nhash; > } > > base-commit: be3ca57cfb777ad820c6659d52e60bbdd36bf5ff Thanks: Reviewed-by: Eric Biggers <ebiggers@xxxxxxxxxx> Note that this bug would have been prevented if crypto_clone_*() were covered by the crypto self-tests. - Eric