| Message ID | 1460454351-43534-1-git-send-email-xiaodong.liu@intel.com (mailing list archive) |
|---|---|
| State | Accepted |
| Delegated to: | Herbert Xu |
| Headers | show |
On Tue, 2016-04-12 at 09:45 +0000, Xiaodong Liu wrote: > In sha_complete_job, incorrect mcryptd_hash_request_ctx pointer is > used > when check and complete other jobs. If the memory of first completed > req > is freed, while still completing other jobs in the func, kernel will > crash since NULL pointer is assigned to RIP. > Signed-off-by: Xiaodong Liu <xiaodong.liu@intel.com> > --- > arch/x86/crypto/sha-mb/sha1_mb.c | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > > diff --git a/arch/x86/crypto/sha-mb/sha1_mb.c b/arch/x86/crypto/sha- > mb/sha1_mb.c > index a8a0224..081255c 100644 > --- a/arch/x86/crypto/sha-mb/sha1_mb.c > +++ b/arch/x86/crypto/sha-mb/sha1_mb.c > @@ -453,10 +453,10 @@ static int sha_complete_job(struct > mcryptd_hash_request_ctx *rctx, > > req = cast_mcryptd_ctx_to_req(req_ctx); > if (irqs_disabled()) > - rctx->complete(&req->base, ret); > + req_ctx->complete(&req->base, ret); > else { > local_bh_disable(); > - rctx->complete(&req->base, ret); > + req_ctx->complete(&req->base, ret); > local_bh_enable(); > } Agreed. Should use req_ctx which is the ctx for the next job that have been completed in the lanes instead of the first completed job rctx, whose completion could have been called and released. Should be propagated back to stable release. Acked-by: Tim Chen <tim.c.chen@linux.intel.com> Tim > > } -- To unsubscribe from this list: send the line "unsubscribe linux-crypto" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
On Tue, Apr 12, 2016 at 09:45:51AM +0000, Xiaodong Liu wrote: > In sha_complete_job, incorrect mcryptd_hash_request_ctx pointer is used > when check and complete other jobs. If the memory of first completed req > is freed, while still completing other jobs in the func, kernel will > crash since NULL pointer is assigned to RIP. > > Signed-off-by: Xiaodong Liu <xiaodong.liu@intel.com> Applied.
diff --git a/arch/x86/crypto/sha-mb/sha1_mb.c b/arch/x86/crypto/sha-mb/sha1_mb.c index a8a0224..081255c 100644 --- a/arch/x86/crypto/sha-mb/sha1_mb.c +++ b/arch/x86/crypto/sha-mb/sha1_mb.c @@ -453,10 +453,10 @@ static int sha_complete_job(struct mcryptd_hash_request_ctx *rctx, req = cast_mcryptd_ctx_to_req(req_ctx); if (irqs_disabled()) - rctx->complete(&req->base, ret); + req_ctx->complete(&req->base, ret); else { local_bh_disable(); - rctx->complete(&req->base, ret); + req_ctx->complete(&req->base, ret); local_bh_enable(); } }
In sha_complete_job, incorrect mcryptd_hash_request_ctx pointer is used when check and complete other jobs. If the memory of first completed req is freed, while still completing other jobs in the func, kernel will crash since NULL pointer is assigned to RIP. Signed-off-by: Xiaodong Liu <xiaodong.liu@intel.com> --- arch/x86/crypto/sha-mb/sha1_mb.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)