Commit cb2369cb authored by Weili Qian, committed by JiangShui

crypto: hisilicon/sec2: fix memory use-after-free issue

driver inclusion
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I8LFYK


CVE: NA

----------------------------------------------------------------------

When the number of packets being processed in the hardware
queue is greater than 512, the SEC driver continues to send the
packet to the hardware, but adds the packet to the backlog list.
Then, the SEC driver returns -EBUSY to the caller, and the caller
stops sending packets. When the number of packets in the queue queried
in the callback is less than 512, the packet sending thread is woken up.

When the number of send packet threads is greater than 512, packages in the
backlog may be complete but the packet is not deleted from the list. The
released memory is accessed during the deletion, causing a system panic.

Therefore, delete the backlog, determine whether the packet sending thread
needs to be woken up based on 'fake_busy' in the sec_req, and then invoke
the callback function of the user to ensure that the thread is woken up
before releasing the req memory.

The log looks like:
[ 169.430697][ T1354] CPU: 27 PID: 1354 Comm: kworker/u262:1 Kdump: loaded Not tainted 5.10.0+ #1
[ 169.439678][ T1354] Hardware name: Huawei TaiShan 200 (Model 2280)/BC82AMDD, BIOS 2280-V2 CS V5.B211.01 11/10/2021
[ 169.450421][ T1354] Workqueue: 0000:76:00.0 qm_work_process [hisi_qm]
[ 169.457050][ T1354] Call trace:
[ 169.460285][ T1354] dump_backtrace+0x0/0x300
[ 169.464780][ T1354] show_stack+0x20/0x30
[ 169.468936][ T1354] dump_stack+0x104/0x17c
[ 169.473240][ T1354] print_address_description.constprop.0+0x68/0x204
[ 169.479889][ T1354] __kasan_report+0xe0/0x140
[ 169.484463][ T1354] kasan_report+0x44/0xe0
[ 169.488771][ T1354] __asan_load8+0x94/0xd0
[ 169.493088][ T1354] __list_del_entry_valid+0x20/0x180
[ 169.498408][ T1354] sec_back_req_clear+0x184/0x2dc [hisi_sec2]
[ 169.504494][ T1354] sec_skcipher_callback+0x84/0x150 [hisi_sec2]
[ 169.510800][ T1354] sec_req_cb+0x1d4/0x334 [hisi_sec2]
[ 169.516227][ T1354] qm_poll_req_cb+0x170/0x20c [hisi_qm]
[ 169.524821][ T1354] qm_work_process+0xf8/0x124 [hisi_qm]
[ 169.533436][ T1354] process_one_work+0x3a8/0x860
[ 169.541063][ T1354] worker_thread+0x280/0x670
[ 169.548349][ T1354] kthread+0x18c/0x1d0
[ 169.555169][ T1354] ret_from_fork+0x10/0x18
[ 169.562107][ T1354]

Signed-off-by: Weili Qian <qianweili@huawei.com>
Signed-off-by: JiangShui Yang <yangjiangshui@h-partners.com>
parent 39014ae9
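
The ordering described in the commit message, as an added example that is not the driver's code: a constructed userspace model in which every name (req, touch, complete_with_backlog, complete_with_flag, run) is hypothetical and the list-based variant is an assumed simplification of the hazard. A release is modelled by an alive flag so that a post-release access is counted instead of being real undefined behaviour.

```c
#include <stdbool.h>
#include <stddef.h>

/* Constructed model; all names are hypothetical, not taken from hisi_sec2. */
struct req {
    bool alive;        /* false once the user callback has released it */
    bool fake_busy;    /* submitter was told -EBUSY and is sleeping */
    struct req *next;  /* backlog linkage, used by the list-based variant */
};

static struct req *backlog;
static int wakeups, stale_accesses;

/* Every access goes through touch() so a use after release is counted. */
static struct req *touch(struct req *r)
{
    if (!r->alive)
        stale_accesses++;
    return r;
}

/* Models the user's completion callback, which releases the request. */
static void user_callback(struct req *r) { touch(r)->alive = false; }

/* List-based: completion unlinks the backlog head, which may already
 * have completed and been released while still linked. */
static void complete_with_backlog(struct req *r)
{
    struct req *b = backlog;
    if (b) {
        backlog = touch(b)->next;
        wakeups++;
    }
    user_callback(r);
}

/* Flag-based: read fake_busy while r is valid, wake the submitter, then
 * hand r to the user callback and never touch it again. */
static void complete_with_flag(struct req *r)
{
    if (touch(r)->fake_busy)
        wakeups++;
    user_callback(r);
}

/* Two busy requests, b completing before a; returns stale accesses seen. */
static int run(bool use_flag)
{
    struct req b = { true, true, NULL }, a = { true, true, &b };
    backlog = use_flag ? NULL : &a;
    wakeups = stale_accesses = 0;
    use_flag ? complete_with_flag(&b) : complete_with_backlog(&b);
    use_flag ? complete_with_flag(&a) : complete_with_backlog(&a);
    return stale_accesses;
}
int main(void) { return (run(false) == 1 && run(true) == 0) ? 0 : 1; }
```

Both variants wake the submitter twice; only the list-based one touches a released request, because the wake decision depends on memory other than the request being completed.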