Re: [BUGFIX for .32] crypto, gcm, fix another complete call incomplete fuction

[Huang Ying]

On Tue, 2009-11-03 at 23:53 +0800, Herbert Xu wrote: 
> On Tue, Nov 03, 2009 at 10:40:17AM +0800, Huang Ying wrote:
> > The flow of the complete function (xxx_done) in gcm.c is as follow:
> > 
> > void complete(struct crypto_async_request *areq, int err)
> > {
> > 	if (!err) {
> > 		err = async_next_step();
> > 		if (err == -EINPROGRESS || err == -EBUSY)
> > 			return;
> > 	}
> > 
> > 	complete_for_next_step(areq, err);
> > }
> > 
> > But *areq may be destroyed in async_next_step(), this makes
> > complete_for_next_step() can not work properly. To fix this, one of
> > following methods is used for each complete function.
> 
> So why is async_next_step destroying areq? Can you give me a
> concrete example?

I have seen one example, in gcm_encrypt_done, which is called when
encryption phase finished in asynchronous mode. The areq passed in may
be in the context of pctx->u.abreq (due to cryptd etc). Then hash phase
begin, and ghash is called, which operates on pctx->u.ahreq (share same
memory of pctx->u.abreq) and its context. Now, *areq may be destroyed.

To avoid similar issue in the future, I add protective processing in
every xxx_done function. Let complete_for_next_step() uses areq setup
for async_next_step().

Best Regards,
Huang Ying

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/