
arm64/crc-t10dif: fix use of out-of-scope array in crc_t10dif_arch()

Message ID 20250326200918.125743-1-ebiggers@kernel.org (mailing list archive)
State New
Series arm64/crc-t10dif: fix use of out-of-scope array in crc_t10dif_arch()

Commit Message

Eric Biggers March 26, 2025, 8:09 p.m. UTC
From: Eric Biggers <ebiggers@google.com>

Fix a silly bug where an array was used outside of its scope.

Fixes: 2051da858534 ("arm64/crc-t10dif: expose CRC-T10DIF function through lib")
Cc: stable@vger.kernel.org
Reported-by: David Binderman <dcb314@hotmail.com>
Closes: https://lore.kernel.org/r/AS8PR02MB102170568EAE7FFDF93C8D1ED9CA62@AS8PR02MB10217.eurprd02.prod.outlook.com
Signed-off-by: Eric Biggers <ebiggers@google.com>
---
 arch/arm64/lib/crc-t10dif-glue.c | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)


base-commit: 1e26c5e28ca5821a824e90dd359556f5e9e7b89f

Comments

David Binderman March 27, 2025, 7:58 a.m. UTC | #1
Hello there Eric,

>Fix a silly bug where an array was used outside of its scope.

I am surprised your C compiler doesn't find this bug.
gcc 14.2 onwards should be able to, but clang not.

I will make an enhancement request in clang.

Regards

David Binderman

Ard Biesheuvel March 27, 2025, 8:15 a.m. UTC | #2
On Wed, 26 Mar 2025 at 21:09, Eric Biggers <ebiggers@kernel.org> wrote:
>
> From: Eric Biggers <ebiggers@google.com>
>
> Fix a silly bug where an array was used outside of its scope.
>

Yeah - mea culpa.

And the fact that we exit with a tail call means buf[] may be
deallocated by the time crc_t10dif_generic() refers to it - I'm
surprised this didn't already break in testing, but I suppose no tail
call is issued for other reasons.
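The lifetime problem Ard describes above, shown as an added example that is not the kernel's code and not code from anyone in this thread: a model of the structure of crc_t10dif_arch() after the fix, with a bitwise CRC-T10DIF standing in for crc_t10dif_generic() and a software fold standing in for crc_t10dif_pmull_p8(). Every name suffixed _model, the 16-byte residue size, the single `length >= 16` guard (the real function nests two conditions the hunk does not show) and the sample inputs are this example's assumptions, not taken from the patch.

```c
/*
 * Added example, not the kernel's code: a model of crc_t10dif_arch() after
 * the fix. The block-scoped residue buffer is consumed from inside its own
 * block, so it is still alive when read, tail call or not. Everything
 * suffixed _model, the 16-byte residue, the length >= 16 guard and the
 * sample inputs are assumptions of this example.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define T10DIF_POLY 0x8BB7u	/* CRC-T10DIF: 16-bit, not reflected, no xorout */

/* Bitwise CRC-T10DIF continuing from 'crc'; stands in for crc_t10dif_generic(). */
static uint16_t crc_t10dif_generic_model(uint16_t crc, const uint8_t *data, size_t len)
{
	for (size_t i = 0; i < len; i++) {
		crc ^= (uint16_t)((uint16_t)data[i] << 8);
		for (int bit = 0; bit < 8; bit++)
			crc = (crc & 0x8000) ? (uint16_t)((crc << 1) ^ T10DIF_POLY)
					     : (uint16_t)(crc << 1);
	}
	return crc;
}

/*
 * Software stand-in for crc_t10dif_pmull_p8(): reduce (crc, data[0..len))
 * to a 16-byte residue whose CRC from state 0 equals the CRC of the whole
 * input. For this CRC, result = (s*x^(8n) + D(x)*x^16) mod P, so the state
 * reached after the first len-16 bytes, multiplied by x^128, folds into the
 * final 16-byte block as s*x^112, i.e. XORed into its first two bytes.
 * Requires len >= 16.
 */
static void fold_to_residue_model(uint16_t crc, const uint8_t *data, size_t len,
				  uint8_t out[16])
{
	size_t prefix = len - 16;
	uint16_t state = crc_t10dif_generic_model(crc, data, prefix);

	memcpy(out, data + prefix, 16);
	out[0] ^= (uint8_t)(state >> 8);
	out[1] ^= (uint8_t)(state & 0xff);
}

/*
 * Shape of the fixed crc_t10dif_arch(): 'buf' is declared in the inner
 * block and the call that reads it is made from inside that block. The
 * pre-fix code instead set "crc = 0; data = buf; length = sizeof(buf);"
 * here and fell through to the shared return below, after buf's scope
 * had ended.
 */
static uint16_t crc_t10dif_arch_model(uint16_t crc, const uint8_t *data, size_t length)
{
	if (length >= 16) {	/* assumed threshold for taking the fold path */
		uint8_t buf[16];

		fold_to_residue_model(crc, data, length, buf);
		return crc_t10dif_generic_model(0, buf, sizeof(buf));
	}
	return crc_t10dif_generic_model(crc, data, length);
}

/* Standard check value: CRC-T10DIF("123456789") == 0xD0DB (generic path, len < 16). */
static uint16_t crc_of_check_string(void)
{
	return crc_t10dif_arch_model(0, (const uint8_t *)"123456789", 9);
}

/*
 * 1 if the fold path agrees with the plain generic CRC for constructed
 * inputs of every length from 16 to 48 bytes and a nonzero starting CRC,
 * 0 otherwise.
 */
static int fold_path_matches_generic(void)
{
	uint8_t sample[48];

	for (size_t i = 0; i < sizeof(sample); i++)
		sample[i] = (uint8_t)(i * 37 + 11);	/* constructed test data */

	for (size_t len = 16; len <= sizeof(sample); len++) {
		uint16_t folded = crc_t10dif_arch_model(0x1234, sample, len);
		uint16_t direct = crc_t10dif_generic_model(0x1234, sample, len);

		if (folded != direct)
			return 0;
	}
	return 1;
}

int main(void)
{
	printf("crc_t10dif(\"123456789\") = 0x%04X (expect 0xD0DB)\n",
	       (unsigned)crc_of_check_string());
	printf("fold path matches generic: %s\n",
	       fold_path_matches_generic() ? "yes" : "no");
	return (fold_path_matches_generic() && crc_of_check_string() == 0xD0DB) ? 0 : 1;
}
```

The consistency check deliberately drives every length from 16 upwards so the fold-then-finish path, the one the buggy code reached, is what gets exercised; a test that only feeds short inputs would never touch buf at all. Because the read of buf now happens from inside its block, a compiler that turns the final call into a tail call still has the array allocated for the duration of the call, which is the property the pre-fix fall-through could not guarantee.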
Ard Biesheuvel March 27, 2025, 8:28 a.m. UTC | #3
On Thu, 27 Mar 2025 at 09:15, Ard Biesheuvel <ardb@kernel.org> wrote:
>
> On Wed, 26 Mar 2025 at 21:09, Eric Biggers <ebiggers@kernel.org> wrote:
> >
> > From: Eric Biggers <ebiggers@google.com>
> >
> > Fix a silly bug where an array was used outside of its scope.
> >
>
> Yeah - mea culpa.
>

Ehmm - tua culpa, actually :-)
Eric Biggers March 27, 2025, 4:36 p.m. UTC | #4
On Thu, Mar 27, 2025 at 09:28:51AM +0100, Ard Biesheuvel wrote:
> On Thu, 27 Mar 2025 at 09:15, Ard Biesheuvel <ardb@kernel.org> wrote:
> >
> > On Wed, 26 Mar 2025 at 21:09, Eric Biggers <ebiggers@kernel.org> wrote:
> > >
> > > From: Eric Biggers <ebiggers@google.com>
> > >
> > > Fix a silly bug where an array was used outside of its scope.
> > >
> >
> > Yeah - mea culpa.
> >
> 
> Ehmm - tua culpa, actually :-)

Yep, your original code was correct and I messed it up.

- Eric
Eric Biggers March 27, 2025, 4:41 p.m. UTC | #5
On Thu, Mar 27, 2025 at 07:58:51AM +0000, David Binderman wrote:
> Hello there Eric,
> 
> >Fix a silly bug where an array was used outside of its scope.
> 
> I am surprised your C compiler doesn't find this bug.
> gcc 14.2 onwards should be able to, but clang not.
> 
> I will make an enhancement request in clang.
> 
> Regards
> 
> David Binderman
> 

Neither gcc 14.2.0 nor clang 19.1.7 found it, unfortunately.  And the code still
passed crc_kunit (even when run with have_pmull disabled so that the code is
reached).

- Eric
Eric Biggers March 27, 2025, 4:41 p.m. UTC | #6
On Wed, Mar 26, 2025 at 01:09:18PM -0700, Eric Biggers wrote:
> From: Eric Biggers <ebiggers@google.com>
> 
> Fix a silly bug where an array was used outside of its scope.
> 
> Fixes: 2051da858534 ("arm64/crc-t10dif: expose CRC-T10DIF function through lib")
> Cc: stable@vger.kernel.org
> Reported-by: David Binderman <dcb314@hotmail.com>
> Closes: https://lore.kernel.org/r/AS8PR02MB102170568EAE7FFDF93C8D1ED9CA62@AS8PR02MB10217.eurprd02.prod.outlook.com
> Signed-off-by: Eric Biggers <ebiggers@google.com>
> ---
>  arch/arm64/lib/crc-t10dif-glue.c | 4 +---
>  1 file changed, 1 insertion(+), 3 deletions(-)

Applied to https://web.git.kernel.org/pub/scm/linux/kernel/git/ebiggers/linux.git/log/?h=crc-next

- Eric

Patch

diff --git a/arch/arm64/lib/crc-t10dif-glue.c b/arch/arm64/lib/crc-t10dif-glue.c
index a007d0c5f3fed..bacd18f231688 100644
--- a/arch/arm64/lib/crc-t10dif-glue.c
+++ b/arch/arm64/lib/crc-t10dif-glue.c
@@ -43,13 +43,11 @@  u16 crc_t10dif_arch(u16 crc, const u8 *data, size_t length)
 
 			kernel_neon_begin();
 			crc_t10dif_pmull_p8(crc, data, length, buf);
 			kernel_neon_end();
 
-			crc = 0;
-			data = buf;
-			length = sizeof(buf);
+			return crc_t10dif_generic(0, buf, sizeof(buf));
 		}
 	}
 	return crc_t10dif_generic(crc, data, length);
 }
 EXPORT_SYMBOL(crc_t10dif_arch);
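Review bot: the early `return crc_t10dif_generic(0, buf, sizeof(buf));` is the right fix, since it keeps the only read of `buf` inside the block that declares it; the removed `crc = 0; data = buf; length = sizeof(buf);` left `data` pointing at a block-scoped array that was then read by the shared `return crc_t10dif_generic(crc, data, length);` after both closing braces, which is a use of an object past the end of its lifetime whether or not the compiler emits that final call as a tail call. Two small follow-ups worth considering: put a one-line comment above the new return saying it must stay inside this block, so a later cleanup does not fold it back into the common return below; and, since the hunk's context does not include the declaration of `buf`, a reader of the patch has to take the commit message's word on where its scope ends, so either quoting a few more context lines or stating in the commit message that the consequence was a stack use-after-scope in the fallback path (with `have_pmull` disabled the code is reached, per the thread) would make the stable backport self-explanatory.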