GET /api/patches/815530/?format=api
{ "id": 815530, "url": "http://patchwork.ozlabs.org/api/patches/815530/?format=api", "web_url": "http://patchwork.ozlabs.org/project/linuxppc-dev/patch/67156bd23e71a80dcd32c1ec084e26ed4d114b47.1505825623.git.christophe.leroy@c-s.fr/", "project": { "id": 2, "url": "http://patchwork.ozlabs.org/api/projects/2/?format=api", "name": "Linux PPC development", "link_name": "linuxppc-dev", "list_id": "linuxppc-dev.lists.ozlabs.org", "list_email": "linuxppc-dev@lists.ozlabs.org", "web_url": "https://github.com/linuxppc/wiki/wiki", "scm_url": "https://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux.git", "webscm_url": "https://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux.git/", "list_archive_url": "https://lore.kernel.org/linuxppc-dev/", "list_archive_url_format": "https://lore.kernel.org/linuxppc-dev/{}/", "commit_url_format": "https://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux.git/commit/?id={}" }, "msgid": "<67156bd23e71a80dcd32c1ec084e26ed4d114b47.1505825623.git.christophe.leroy@c-s.fr>", "list_archive_url": "https://lore.kernel.org/linuxppc-dev/67156bd23e71a80dcd32c1ec084e26ed4d114b47.1505825623.git.christophe.leroy@c-s.fr/", "date": "2017-09-19T12:59:11", "name": "[6/6] crypto: talitos - fix memory corruption on SEC2", "commit_ref": null, "pull_url": null, "state": "not-applicable", "archived": false, "hash": "7b8200b7d096bf3306bc64b6fc2b9a1525f583b8", "submitter": { "id": 5234, "url": "http://patchwork.ozlabs.org/api/people/5234/?format=api", "name": "Christophe Leroy", "email": "christophe.leroy@c-s.fr" }, "delegate": null, "mbox": "http://patchwork.ozlabs.org/project/linuxppc-dev/patch/67156bd23e71a80dcd32c1ec084e26ed4d114b47.1505825623.git.christophe.leroy@c-s.fr/mbox/", "series": [ { "id": 3874, "url": "http://patchwork.ozlabs.org/api/series/3874/?format=api", "web_url": "http://patchwork.ozlabs.org/project/linuxppc-dev/list/?series=3874", "date": "2017-09-19T12:58:59", "name": "crypto: talitos - various fixes", "version": 1, "mbox": 
"http://patchwork.ozlabs.org/series/3874/mbox/" } ], "comments": "http://patchwork.ozlabs.org/api/patches/815530/comments/", "check": "pending", "checks": "http://patchwork.ozlabs.org/api/patches/815530/checks/", "tags": {}, "related": [], "headers": { "Return-Path": "<linuxppc-dev-bounces+patchwork-incoming=ozlabs.org@lists.ozlabs.org>", "X-Original-To": [ "patchwork-incoming@ozlabs.org", "linuxppc-dev@lists.ozlabs.org" ], "Delivered-To": [ "patchwork-incoming@ozlabs.org", "linuxppc-dev@lists.ozlabs.org" ], "Received": [ "from lists.ozlabs.org (lists.ozlabs.org [IPv6:2401:3900:2:1::3])\n\t(using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby ozlabs.org (Postfix) with ESMTPS id 3xxNWD5p1Lz9s4s\n\tfor <patchwork-incoming@ozlabs.org>;\n\tTue, 19 Sep 2017 23:09:28 +1000 (AEST)", "from lists.ozlabs.org (lists.ozlabs.org [IPv6:2401:3900:2:1::3])\n\tby lists.ozlabs.org (Postfix) with ESMTP id 3xxNWD4rC2zDrS2\n\tfor <patchwork-incoming@ozlabs.org>;\n\tTue, 19 Sep 2017 23:09:28 +1000 (AEST)", "from pegase1.c-s.fr (pegase1.c-s.fr [93.17.236.30])\n\t(using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))\n\t(No client certificate requested)\n\tby lists.ozlabs.org (Postfix) with ESMTPS id 3xxNHR1NBrzDqXv\n\tfor <linuxppc-dev@lists.ozlabs.org>;\n\tTue, 19 Sep 2017 22:59:15 +1000 (AEST)", "from localhost (mailhub1-int [192.168.12.234])\n\tby localhost (Postfix) with ESMTP id 3xxNHC3p3Pz9ttBw;\n\tTue, 19 Sep 2017 14:59:03 +0200 (CEST)", "from pegase1.c-s.fr ([192.168.12.234])\n\tby localhost (pegase1.c-s.fr [192.168.12.234]) (amavisd-new,\n\tport 10024)\n\twith ESMTP id V1wwWzq_oXTM; Tue, 19 Sep 2017 14:59:03 +0200 (CEST)", "from messagerie.si.c-s.fr (messagerie.si.c-s.fr [192.168.25.192])\n\tby pegase1.c-s.fr (Postfix) with ESMTP id 3xxNHC3DKGz9ttBd;\n\tTue, 19 Sep 2017 14:59:03 +0200 (CEST)", "from localhost (localhost [127.0.0.1])\n\tby messagerie.si.c-s.fr (Postfix) with ESMTP id E010C8B827;\n\tTue, 19 Sep 2017 
14:59:11 +0200 (CEST)", "from messagerie.si.c-s.fr ([127.0.0.1])\n\tby localhost (messagerie.si.c-s.fr [127.0.0.1]) (amavisd-new,\n\tport 10023)\n\twith ESMTP id km_CiMVjW4Ga; Tue, 19 Sep 2017 14:59:11 +0200 (CEST)", "from po15668-vm-win7.idsi0.si.c-s.fr (po15451.idsi0.si.c-s.fr\n\t[172.25.231.1])\n\tby messagerie.si.c-s.fr (Postfix) with ESMTP id B6CAA8B810;\n\tTue, 19 Sep 2017 14:59:11 +0200 (CEST)", "by po15668-vm-win7.idsi0.si.c-s.fr (Postfix, from userid 0)\n\tid 9E2A4689A5; Tue, 19 Sep 2017 14:59:11 +0200 (CEST)" ], "Authentication-Results": "ozlabs.org; spf=pass (mailfrom) smtp.mailfrom=c-s.fr\n\t(client-ip=93.17.236.30; helo=pegase1.c-s.fr;\n\tenvelope-from=christophe.leroy@c-s.fr; receiver=<UNKNOWN>)", "X-Virus-Scanned": [ "Debian amavisd-new at c-s.fr", "amavisd-new at c-s.fr" ], "Message-Id": "<67156bd23e71a80dcd32c1ec084e26ed4d114b47.1505825623.git.christophe.leroy@c-s.fr>", "In-Reply-To": "<cover.1505825623.git.christophe.leroy@c-s.fr>", "References": "<cover.1505825623.git.christophe.leroy@c-s.fr>", "From": "Christophe Leroy <christophe.leroy@c-s.fr>", "Subject": "[PATCH 6/6] crypto: talitos - fix memory corruption on SEC2", "To": "Herbert Xu <herbert@gondor.apana.org.au>,\n\tDavid S. 
Miller <davem@davemloft.net>", "Date": "Tue, 19 Sep 2017 14:59:11 +0200 (CEST)", "X-BeenThere": "linuxppc-dev@lists.ozlabs.org", "X-Mailman-Version": "2.1.24", "Precedence": "list", "List-Id": "Linux on PowerPC Developers Mail List\n\t<linuxppc-dev.lists.ozlabs.org>", "List-Unsubscribe": "<https://lists.ozlabs.org/options/linuxppc-dev>,\n\t<mailto:linuxppc-dev-request@lists.ozlabs.org?subject=unsubscribe>", "List-Archive": "<http://lists.ozlabs.org/pipermail/linuxppc-dev/>", "List-Post": "<mailto:linuxppc-dev@lists.ozlabs.org>", "List-Help": "<mailto:linuxppc-dev-request@lists.ozlabs.org?subject=help>", "List-Subscribe": "<https://lists.ozlabs.org/listinfo/linuxppc-dev>,\n\t<mailto:linuxppc-dev-request@lists.ozlabs.org?subject=subscribe>", "Cc": "linuxppc-dev@lists.ozlabs.org, linux-kernel@vger.kernel.org,\n\tlinux-crypto@vger.kernel.org", "Errors-To": "linuxppc-dev-bounces+patchwork-incoming=ozlabs.org@lists.ozlabs.org", "Sender": "\"Linuxppc-dev\"\n\t<linuxppc-dev-bounces+patchwork-incoming=ozlabs.org@lists.ozlabs.org>" }, "content": "On SEC2, when using the old descriptors type (hmac snoop no afeu)\nfor doing IPsec, the CICV out pointeur points out of the allocated\nmemory.\n\n[ 2.502554] =============================================================================\n[ 2.510740] BUG dma-kmalloc-256 (Not tainted): Redzone overwritten\n[ 2.516907] -----------------------------------------------------------------------------\n[ 2.516907]\n[ 2.526535] Disabling lock debugging due to kernel taint\n[ 2.531845] INFO: 0xde858108-0xde85810b. 
First byte 0xf8 instead of 0xcc\n[ 2.538549] INFO: Allocated in 0x806181a9 age=0 cpu=0 pid=58\n[ 2.544229] \t__kmalloc+0x374/0x564\n[ 2.547649] \ttalitos_edesc_alloc+0x17c/0x48c\n[ 2.551929] \taead_edesc_alloc+0x80/0x154\n[ 2.555863] \taead_encrypt+0x30/0xe0\n[ 2.559368] \t__test_aead+0x5a0/0x1f3c\n[ 2.563042] \ttest_aead+0x2c/0x110\n[ 2.566371] \talg_test_aead+0x5c/0xf4\n[ 2.569958] \talg_test+0x1dc/0x5a0\n[ 2.573305] \tcryptomgr_test+0x50/0x70\n[ 2.576984] \tkthread+0xd8/0x134\n[ 2.580155] \tret_from_kernel_thread+0x5c/0x64\n[ 2.584534] INFO: Freed in ipsec_esp_encrypt_done+0x130/0x240 age=6 cpu=0 pid=0\n[ 2.591839] \tipsec_esp_encrypt_done+0x130/0x240\n[ 2.596395] \tflush_channel+0x1dc/0x488\n[ 2.600161] \ttalitos2_done_4ch+0x30/0x200\n[ 2.604185] \ttasklet_action+0xa0/0x13c\n[ 2.607948] \t__do_softirq+0x148/0x6cc\n[ 2.611623] \tirq_exit+0xc0/0x124\n[ 2.614869] \tcall_do_irq+0x24/0x3c\n[ 2.618292] \tdo_IRQ+0x78/0x108\n[ 2.621369] \tret_from_except+0x0/0x14\n[ 2.625055] \tfinish_task_switch+0x58/0x350\n[ 2.629165] \tschedule+0x80/0x134\n[ 2.632409] \tschedule_preempt_disabled+0x38/0xc8\n[ 2.637042] \tcpu_startup_entry+0xe4/0x190\n[ 2.641074] \tstart_kernel+0x3f4/0x408\n[ 2.644741] \t0x3438\n[ 2.646857] INFO: Slab 0xdffbdb00 objects=9 used=1 fp=0xde8581c0 flags=0x0080\n[ 2.653978] INFO: Object 0xde858008 @offset=8 fp=0xca4395df\n[ 2.653978]\n[ 2.661032] Redzone de858000: cc cc cc cc cc cc cc cc ........\n[ 2.669029] Object de858008: 00 00 00 02 00 00 00 02 00 6b 6b 6b 1e 83 ea 28 .........kkk...(\n[ 2.677628] Object de858018: 00 00 00 70 1e 85 80 64 ff 73 1d 21 6b 6b 6b 6b ...p...d.s.!kkkk\n[ 2.686228] Object de858028: 00 20 00 00 1e 84 17 24 00 10 00 00 1e 85 70 00 . .....$......p.\n[ 2.694829] Object de858038: 00 18 00 00 1e 84 17 44 00 08 00 00 1e 83 ea 28 .......D.......(\n[ 2.703430] Object de858048: 00 80 00 00 1e 84 f0 00 00 80 00 00 1e 85 70 10 ..............p.\n[ 2.712030] Object de858058: 00 20 6b 00 1e 85 80 f4 6b 6b 6b 6b 00 80 02 00 . 
k.....kkkk....\n[ 2.720629] Object de858068: 1e 84 f0 00 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b ....kkkkkkkkkkkk\n[ 2.729230] Object de858078: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk\n[ 2.737830] Object de858088: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk\n[ 2.746429] Object de858098: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk\n[ 2.755029] Object de8580a8: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk\n[ 2.763628] Object de8580b8: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk\n[ 2.772229] Object de8580c8: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk\n[ 2.780829] Object de8580d8: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk\n[ 2.789430] Object de8580e8: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 73 b0 ea 9f kkkkkkkkkkkks...\n[ 2.798030] Object de8580f8: e8 18 80 d6 56 38 44 c0 db e3 4f 71 f7 ce d1 d3 ....V8D...Oq....\n[ 2.806629] Redzone de858108: f8 bd 3e 4f ..>O\n[ 2.814279] Padding de8581b0: 5a 5a 5a 5a 5a 5a 5a 5a ZZZZZZZZ\n[ 2.822283] CPU: 0 PID: 0 Comm: swapper Tainted: G B 4.9.50-g995be12679 #179\n[ 2.831819] Call Trace:\n[ 2.834301] [dffefd20] [c01aa9a8] check_bytes_and_report+0x100/0x194 (unreliable)\n[ 2.841801] [dffefd50] [c01aac3c] check_object+0x200/0x530\n[ 2.847306] [dffefd80] [c01ae584] free_debug_processing+0x290/0x690\n[ 2.853585] [dffefde0] [c01aec8c] __slab_free+0x308/0x628\n[ 2.859000] [dffefe80] [c05057f4] ipsec_esp_encrypt_done+0x130/0x240\n[ 2.865378] [dffefeb0] [c05002c4] flush_channel+0x1dc/0x488\n[ 2.870968] [dffeff10] [c05007a8] talitos2_done_4ch+0x30/0x200\n[ 2.876814] [dffeff30] [c002fe38] tasklet_action+0xa0/0x13c\n[ 2.882399] [dffeff60] [c002f118] __do_softirq+0x148/0x6cc\n[ 2.887896] [dffeffd0] [c002f954] irq_exit+0xc0/0x124\n[ 2.892968] [dffefff0] [c0013adc] call_do_irq+0x24/0x3c\n[ 2.898213] [c0d4be00] [c000757c] do_IRQ+0x78/0x108\n[ 2.903113] [c0d4be30] [c0015c08] ret_from_except+0x0/0x14\n[ 
2.908634] --- interrupt: 501 at finish_task_switch+0x70/0x350\n[ 2.908634] LR = finish_task_switch+0x58/0x350\n[ 2.919327] [c0d4bf20] [c085e1d4] schedule+0x80/0x134\n[ 2.924398] [c0d4bf50] [c085e2c0] schedule_preempt_disabled+0x38/0xc8\n[ 2.930853] [c0d4bf60] [c007f064] cpu_startup_entry+0xe4/0x190\n[ 2.936707] [c0d4bfb0] [c096c434] start_kernel+0x3f4/0x408\n[ 2.942198] [c0d4bff0] [00003438] 0x3438\n[ 2.946137] FIX dma-kmalloc-256: Restoring 0xde858108-0xde85810b=0xcc\n[ 2.946137]\n[ 2.954158] FIX dma-kmalloc-256: Object at 0xde858008 not freed\n\nThis patch reworks the handling of the CICV out in order\nto properly handle all cases.\n\nSigned-off-by: Christophe Leroy <christophe.leroy@c-s.fr>\n---\n drivers/crypto/talitos.c | 40 ++++++++++++++++++++++++++--------------\n 1 file changed, 26 insertions(+), 14 deletions(-)", "diff": "diff --git a/drivers/crypto/talitos.c b/drivers/crypto/talitos.c\nindex a5b608b54c74..e7e31f8fd3d1 100644\n--- a/drivers/crypto/talitos.c\n+++ b/drivers/crypto/talitos.c\n@@ -1239,14 +1239,15 @@ static int ipsec_esp(struct talitos_edesc *edesc, struct aead_request *areq,\n \t\t\tdma_map_sg(dev, areq->dst, sg_count, DMA_FROM_DEVICE);\n \t}\n \n-\tsg_count = talitos_sg_map(dev, areq->dst, cryptlen, edesc,\n-\t\t\t\t &desc->ptr[5], sg_count, areq->assoclen,\n-\t\t\t\t tbl_off);\n+\tret = talitos_sg_map(dev, areq->dst, cryptlen, edesc, &desc->ptr[5],\n+\t\t\t sg_count, areq->assoclen, tbl_off);\n \n \tif (desc->hdr & DESC_HDR_TYPE_IPSEC_ESP)\n \t\tto_talitos_ptr_ext_or(&desc->ptr[5], authsize, is_sec1);\n \n-\tif (sg_count > 1) {\n+\t/* ICV data */\n+\tif (ret > 1) {\n+\t\ttbl_off += ret;\n \t\tedesc->icv_ool = true;\n \t\tsync_needed = true;\n \n@@ -1256,9 +1257,7 @@ static int ipsec_esp(struct talitos_edesc *edesc, struct aead_request *areq,\n \t\t\t\t sizeof(struct talitos_ptr) + authsize;\n \n \t\t\t/* Add an entry to the link table for ICV data */\n-\t\t\ttbl_ptr += sg_count - 1;\n-\t\t\tto_talitos_ptr_ext_set(tbl_ptr, 0, 
is_sec1);\n-\t\t\ttbl_ptr++;\n+\t\t\tto_talitos_ptr_ext_set(tbl_ptr - 1, 0, is_sec1);\n \t\t\tto_talitos_ptr_ext_set(tbl_ptr, DESC_PTR_LNKTBL_RETURN,\n \t\t\t\t\t is_sec1);\n \t\t\tto_talitos_ptr_len(tbl_ptr, authsize, is_sec1);\n@@ -1266,14 +1265,27 @@ static int ipsec_esp(struct talitos_edesc *edesc, struct aead_request *areq,\n \t\t\t/* icv data follows link tables */\n \t\t\tto_talitos_ptr(tbl_ptr, edesc->dma_link_tbl + offset,\n \t\t\t\t is_sec1);\n-\t\t}\n-\t}\n+\t\t} else {\n+\t\t\tdma_addr_t addr = edesc->dma_link_tbl;\n \n-\t/* ICV data */\n-\tif (!(desc->hdr & DESC_HDR_TYPE_IPSEC_ESP)) {\n-\t\tto_talitos_ptr_len(&desc->ptr[6], authsize, is_sec1);\n-\t\tto_talitos_ptr(&desc->ptr[6], edesc->dma_link_tbl +\n-\t\t\t areq->assoclen + cryptlen, is_sec1);\n+\t\t\tif (is_sec1)\n+\t\t\t\taddr += areq->assoclen + cryptlen;\n+\t\t\telse\n+\t\t\t\taddr += sizeof(struct talitos_ptr) * tbl_off;\n+\n+\t\t\tto_talitos_ptr(&desc->ptr[6], addr, is_sec1);\n+\t\t\tto_talitos_ptr_len(&desc->ptr[6], authsize, is_sec1);\n+\t\t}\n+\t} else if (!(desc->hdr & DESC_HDR_TYPE_IPSEC_ESP)) {\n+\t\tret = talitos_sg_map(dev, areq->dst, authsize, edesc,\n+\t\t\t\t &desc->ptr[6], sg_count, areq->assoclen +\n+\t\t\t\t\t\t\t cryptlen,\n+\t\t\t\t tbl_off);\n+\t\tif (ret > 1) {\n+\t\t\ttbl_off += ret;\n+\t\t\tedesc->icv_ool = true;\n+\t\t\tsync_needed = true;\n+\t\t}\n \t}\n \n \t/* iv out */\n", "prefixes": [ "6/6" ] }
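Review bot: The new non-ESP `else` branch in the third hunk points `desc->ptr[6]` at `edesc->dma_link_tbl + sizeof(struct talitos_ptr) * tbl_off` on SEC2 and lets the engine write `authsize` bytes there, but nothing in this patch shows that the buffer sized in talitos_edesc_alloc() (outside the diff) reserves that many bytes past entry `tbl_off`; an undersized buffer would reproduce the kind of overrun the redzone report in the description shows. The IPSEC_ESP branch locates its ICV with a different formula, `(edesc->src_nents + edesc->dst_nents + 2) * sizeof(struct talitos_ptr) + authsize`, so each layout has to be checked against the allocation on its own. I would state the invariant in a comment above the `else`, for example `/* ICV is written right after the last link-table entry; talitos_edesc_alloc() must reserve authsize bytes there */`, and consider a debug-time bound check against the mapped length. Separately, `ret` from talitos_sg_map() is only tested with `> 1` in the first and third hunks, so if that helper can return a negative error (its body is not shown here) the failure is handled as the single-segment case. ipsec_esp() begins and ends outside these hunks, so the declaration of `tbl_ptr` and the final sync path could not be checked.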