From 3a4b8e48ef2490ce0fc8ec656606bc31cd7da854 Mon Sep 17 00:00:00 2001 
From: Hao Fang
Date: Mon, 13 May 2019 11:47:47 +0800
Subject: [PATCH] crypto/hisilicon/qm: bugfix for double free calltrace

driver inclusion
category: bugfix
bugzilla: NA
CVE: NA

estuary:/$ insmod hisi_zip.ko
[ 1436.297302] ==================================================================
[ 1436.304520] BUG: KASAN: double-free or invalid-free in __hisi_qm_start+0x4ac/0x7d0 [qm]
[ 1436.312509]
[ 1436.313991] CPU: 0 PID: 527 Comm: kworker/0:2 Tainted: G B O 5.1.0-rc1-g188066de-dirty #1
[ 1436.323283] Hardware name: Huawei TaiShan 2280 V2/BC82AMDA, BIOS TA BIOS 2280-A CS V2.20.01 04/19/2019
[ 1436.332580] Workqueue: events work_for_cpu_fn
[ 1436.336925] Call trace:
[ 1436.339361]  dump_backtrace+0x0/0x1f8
[ 1436.343011]  show_stack+0x14/0x20
[ 1436.346315]  dump_stack+0xc4/0xfc
[ 1436.349620]  print_address_description+0x60/0x270
[ 1436.354312]  kasan_report_invalid_free+0x7c/0xb8
[ 1436.358916]  __kasan_slab_free+0x1d0/0x220
[ 1436.363000]  kasan_slab_free+0x10/0x18
[ 1436.366736]  kfree+0x78/0x2b0
[ 1436.369694]  __hisi_qm_start+0x4ac/0x7d0 [qm]
[ 1436.374041]  hisi_qm_start+0xd8/0x278 [qm]
[ 1436.378129]  hisi_zip_probe+0x2a4/0x718 [hisi_zip]
[ 1436.382909]  local_pci_probe+0x74/0xf0
[ 1436.386645]  work_for_cpu_fn+0x2c/0x48
[ 1436.390382]  process_one_work+0x3c0/0x878
[ 1436.394380]  worker_thread+0x400/0x670
[ 1436.398115]  kthread+0x1b0/0x1b8
[ 1436.401331]  ret_from_fork+0x10/0x1c
[ 1436.404892]
[ 1436.406371] Allocated by task 527:
[ 1436.409762]  __kasan_kmalloc.isra.0+0xd4/0x188
[ 1436.414193]  kasan_kmalloc+0xc/0x18
[ 1436.417669]  kmem_cache_alloc_trace+0x158/0x2c0
[ 1436.422190]  __hisi_qm_start+0x1c8/0x7d0 [qm]
[ 1436.426537]  hisi_qm_start+0xd8/0x278 [qm]
[ 1436.430624]  hisi_zip_probe+0x2a4/0x718 [hisi_zip]
[ 1436.435402]  local_pci_probe+0x74/0xf0
[ 1436.439138]  work_for_cpu_fn+0x2c/0x48
[ 1436.442874]  process_one_work+0x3c0/0x878
[ 1436.446871]  worker_thread+0x400/0x670
[ 1436.450607]  kthread+0x1b0/0x1b8
[ 1436.453822]  ret_from_fork+0x10/0x1c
[ 1436.457383]
[ 1436.458862] Freed by task 527:
[ 1436.461903]  __kasan_slab_free+0x114/0x220
[ 1436.465987]  kasan_slab_free+0x10/0x18
[ 1436.469723]  kfree+0x78/0x2b0
[ 1436.472681]  __hisi_qm_start+0x3b8/0x7d0 [qm]
[ 1436.477028]  hisi_qm_start+0xd8/0x278 [qm]
[ 1436.481114]  hisi_zip_probe+0x2a4/0x718 [hisi_zip]
[ 1436.485892]  local_pci_probe+0x74/0xf0
[ 1436.489628]  work_for_cpu_fn+0x2c/0x48
[ 1436.493365]  process_one_work+0x3c0/0x878
[ 1436.497361]  worker_thread+0x400/0x670
[ 1436.501097]  kthread+0x1b0/0x1b8
[ 1436.504312]  ret_from_fork+0x10/0x1c
[ 1436.507873]
[ 1436.509352] The buggy address belongs to the object at ffffc38eb9d1fc00
[ 1436.509352]  which belongs to the cache kmalloc-128 of size 128
[ 1436.521856] The buggy address is located 0 bytes inside of
[ 1436.521856]  128-byte region [ffffc38eb9d1fc00, ffffc38eb9d1fc80)
[ 1436.533404] The buggy address belongs to the page:
[ 1436.538183] page:ffff7f0e3ae74700 count:1 mapcount:0 mapping:ffffc38ecec17c00 index:0x0 compound_mapcount: 0
[ 1436.547996] flags: 0x1fffe00000010200(slab|head)
[ 1436.552603] raw: 1fffe00000010200 dead000000000100 dead000000000200 ffffc38ecec17c00
[ 1436.560332] raw: 0000000000000000 0000000080400040 00000001ffffffff 0000000000000000
[ 1436.568060] page dumped because: kasan: bad access detected
[ 1436.573618]
[ 1436.575096] Memory state around the buggy address:
[ 1436.579874]  ffffc38eb9d1fb00: 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 1436.587082]  ffffc38eb9d1fb80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 1436.594291] >ffffc38eb9d1fc00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1436.601498]                    ^
[ 1436.604713]  ffffc38eb9d1fc80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 1436.611921]  ffffc38eb9d1fd00: 00 00 00 04 fc fc fc fc fc fc fc fc fc fc fc fc
[ 1436.619128] ==================================================================
[ 1436.627274] ==================================================================

Feature or Bugfix: Bugfix
Signed-off-by: Hao Fang
Reviewed-by: huangdaode
Signed-off-by: lingmingqiang Reviewed-by: hucheng.hu Reviewed-by: Xie XiuQi Signed-off-by: Yang Yingliang --- drivers/crypto/hisilicon/qm.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/crypto/hisilicon/qm.c b/drivers/crypto/hisilicon/qm.c index ab00eec66943..4a3c54950559 100644 --- a/drivers/crypto/hisilicon/qm.c +++ b/drivers/crypto/hisilicon/qm.c @@ -1931,7 +1931,7 @@ static int qm_eq_ctx_cfg(struct hisi_qm *qm) if (qm->use_dma_api) { dma_unmap_single(dev, aeqc_dma, sizeof(struct qm_aeqc), DMA_TO_DEVICE); - kfree(eqc); + kfree(aeqc); } else { memset(aeqc, 0, sizeof(struct qm_aeqc)); } -- GitLab
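Review bot: the one-word change from `kfree(eqc)` to `kfree(aeqc)` in the `use_dma_api` branch is the right fix, but the commit message should state the cause rather than only the symptom: this branch unmaps `aeqc_dma` and then freed `eqc`, a buffer the EQ path had already released earlier in `__hisi_qm_start` (the KASAN "Freed by" trace at `__hisi_qm_start+0x3b8` against the double free at `+0x4ac`), while the `aeqc` buffer that was actually unmapped was never freed, so the old code was both a double free and a leak of `aeqc`. The message also lacks a `Fixes:` tag naming the commit that introduced the AEQC set-up, which stable maintainers need to pick this up. Since the EQC and AEQC paths are copy-paste twins (`dma_unmap_single` + `kfree` under `use_dma_api`, `memset` otherwise), a follow-up that folds both into one helper taking the buffer, its DMA handle and its size would keep the two from diverging again.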