Re: [PATCH] crypto: ixp4xx - Fix error handling path in 'aead_perform()'

From: Arnd Bergmann
Date: Thu Jul 20 2017 - 03:37:15 EST


On Wed, Jul 19, 2017 at 11:47 PM, Christophe JAILLET
<christophe.jaillet@xxxxxxxxxx> wrote:
> In commit 0f987e25cb8a, the source processing has been moved in front of
> the destination processing, but the error handling path has not been
> modified accordingly.
> Free resources in the correct order to avoid some leaks.
>
> Fixes: 0f987e25cb8a ("crypto: ixp4xx - Fix false lastlen uninitialised warning")
> Signed-off-by: Christophe JAILLET <christophe.jaillet@xxxxxxxxxx>

Thanks for spotting my mistake!

I've looked at it again and think it's unfortunately still wrong with
your patch,
as there is a 'goto free_buf_src' after dma_pool_alloc(), and that now needs
to jump to free_buf_dst instead. We may also need an extra check to make
sure we don't free an uninitialized pointer again.

Can you have a look at this version below and send whatever you find
to be correct in the end?

Signed-off-by: Arnd Bergmann <arnd@xxxxxxxx>

diff --git a/drivers/crypto/ixp4xx_crypto.c b/drivers/crypto/ixp4xx_crypto.c
index 427cbe012729..08b740dddb20 100644
--- a/drivers/crypto/ixp4xx_crypto.c
+++ b/drivers/crypto/ixp4xx_crypto.c
@@ -1073,7 +1073,7 @@ static int aead_perform(struct aead_request
*req, int encrypt,
req_ctx->hmac_virt = dma_pool_alloc(buffer_pool, flags,
&crypt->icv_rev_aes);
if (unlikely(!req_ctx->hmac_virt))
- goto free_buf_src;
+ goto free_buf_dst;
if (!encrypt) {
scatterwalk_map_and_copy(req_ctx->hmac_virt,
req->src, cryptlen, authsize, 0);
@@ -1088,10 +1088,11 @@ static int aead_perform(struct aead_request
*req, int encrypt,
BUG_ON(qmgr_stat_overflow(SEND_QID));
return -EINPROGRESS;

+free_buf_dst:
+ if (crypt->dst)
+ free_buf_chain(dev, req_ctx->dst, crypt->dst_buf);
free_buf_src:
free_buf_chain(dev, req_ctx->src, crypt->src_buf);
-free_buf_dst:
- free_buf_chain(dev, req_ctx->dst, crypt->dst_buf);
crypt->ctl_flags = CTL_FLAG_UNUSED;
return -ENOMEM;
}