When a AF_ALG fd is accepted a second time (hence hash_accept() is
used), hash_accept_parent() allocates a new private context using
sock_kmalloc(). This context is uninitialised. After use of the new
fd, we eventually end up with the kernel complaining:
marvell-cesa
f1090000.crypto: dma_pool_free cesa_padding,
c0627770/0 (bad dma)
where
c0627770 is a random address. Poisoning the memory allocated by
the above sock_kmalloc() produces kernel oopses within the marvell hash
code, particularly the interrupt handling.
The following simplfied call sequence occurs:
hash_accept()
crypto_ahash_export()
marvell hash export function
af_alg_accept()
hash_accept_parent() <== allocates uninitialised struct hash_ctx
crypto_ahash_import()
marvell hash import function
hash_ctx contains the struct mv_cesa_ahash_req in its req.__ctx member,
and, as the marvell hash import function only partially initialises
this structure, we end up with a lot of members which are left with
whatever data was in memory prior to sock_kmalloc().
Add zero-initialisation of this structure.
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
Acked-by: Boris Brezillon <boris.brezillon@free-electronc.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
unsigned int cache_ptr;
int ret;
+ ret = crypto_ahash_init(req);
+ if (ret)
+ return ret;
+
creq->len = in_state->byte_count;
memcpy(creq->state, in_state->hash, digsize);
creq->cache_ptr = 0;
unsigned int cache_ptr;
int ret;
+ ret = crypto_ahash_init(req);
+ if (ret)
+ return ret;
+
creq->len = in_state->count;
memcpy(creq->state, in_state->state, digsize);
creq->cache_ptr = 0;
unsigned int cache_ptr;
int ret;
+ ret = crypto_ahash_init(req);
+ if (ret)
+ return ret;
+
creq->len = in_state->count;
memcpy(creq->state, in_state->state, digsize);
creq->cache_ptr = 0;