On Thu, 2020-05-14 at 07:11 +0000, Krzysztof Struczynski wrote: > > > From: Dan Carpenter [mailto:dan.carpenter@xxxxxxxxxx] > > > This patch avoids a kernel panic due to accessing an error pointer set > > > by crypto_alloc_shash(). It occurs especially when there are many > > > files that require an unsupported algorithm, as it would increase the > > > likelihood of the following race condition. > > > > > > Imagine we have two threads and in the first thread > > > crypto_alloc_shash() fails and returns an error pointer. > > > > > > *tfm = crypto_alloc_shash(algo, 0, CRYPTO_NOLOAD); > > > if (IS_ERR(*tfm)) { > > > rc = PTR_ERR(*tfm); <--- FIRST THREAD HERE! > > > pr_err("Can not allocate %s (reason: %ld)\n", algo, rc); > > > *tfm = NULL; > > > > > > And the second thread is here: > > > > > > if (*tfm == NULL) { <--- SECOND THREAD HERE! > > > mutex_lock(&mutex); > > > if (*tfm) > > > goto out; > > > > > > Since "*tfm" is non-NULL, we assume that it is valid and that leads to > > > a crash when it dereferences "*tfm". > > > > > > desc = kmalloc(sizeof(*desc) + crypto_shash_descsize(*tfm), > > > ^^^^ > > > > > > This patch fixes the problem by introducing a temporary "tmp_tfm" and > > > only setting "*tfm" at the very end after everything has succeeded. > > > The other change is that I reversed the initial "if (!*tfm) {" > > > condition and pull the code in one indent level. > > > > > > Cc: stable@xxxxxxxxxxxxxxx > > > Fixes: d46eb3699502b ("evm: crypto hash replaced by shash") > > > Reported-by: Roberto Sassu <roberto.sassu@xxxxxxxxxx> > > > Reported-by: Krzysztof Struczynski <krzysztof.struczynski@xxxxxxxxxx> > > > Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx> > > > > Acked-by: Roberto Sassu <roberto.sassu@xxxxxxxxxx> > > Acked-by: Krzysztof Struczynski <krzysztof.struczynski@xxxxxxxxxx> Thanks, Roberto and Krzysztof. This patch is now queued in the "fixes" branch. Mimi
