| Message ID | 20210726152724.2281408-1-mudongliangabcd@gmail.com |
|---|---|
| State | Superseded |
| Headers | show |
| Series | crypto: sun8i-ce: fix multiple memory leaks in sun8i_ce_hash_run | expand |
Le Mon, Jul 26, 2021 at 11:27:12PM +0800, Dongliang Mu a écrit : > In sun8i_ce_hash_run, all the dma_mmap_sg/single will cause memory leak > due to no corresponding unmap operation if errors happen. > > Fix this by adding error handling part for all the dma_mmap_sg/single. > I think it could be better worded, error handling is already there (but bad). > Fixes: 56f6d5aee88d ("crypto: sun8i-ce - support hash algorithms") > Signed-off-by: Dongliang Mu <mudongliangabcd@gmail.com> > --- > .../crypto/allwinner/sun8i-ce/sun8i-ce-hash.c | 28 +++++++++---------- > 1 file changed, 13 insertions(+), 15 deletions(-) > > diff --git a/drivers/crypto/allwinner/sun8i-ce/sun8i-ce-hash.c b/drivers/crypto/allwinner/sun8i-ce/sun8i-ce-hash.c > index 88194718a806..d454ad99deee 100644 > --- a/drivers/crypto/allwinner/sun8i-ce/sun8i-ce-hash.c > +++ b/drivers/crypto/allwinner/sun8i-ce/sun8i-ce-hash.c > @@ -286,16 +286,14 @@ int sun8i_ce_hash_run(struct crypto_engine *engine, void *breq) > > /* the padding could be up to two block. */ > buf = kzalloc(bs * 2, GFP_KERNEL | GFP_DMA); > - if (!buf) { > - err = -ENOMEM; > - goto theend; Please keep all goto error for being consistent. > - } > + if (!buf) > + return -ENOMEM; > bf = (__le32 *)buf; > > result = kzalloc(digestsize, GFP_KERNEL | GFP_DMA); > if (!result) { > - err = -ENOMEM; > - goto theend; > + kfree(buf); > + return -ENOMEM; > } > > flow = rctx->flow; > @@ -321,7 +319,7 @@ int sun8i_ce_hash_run(struct crypto_engine *engine, void *breq) > if (nr_sgs <= 0 || nr_sgs > MAX_SG) { > dev_err(ce->dev, "Invalid sg number %d\n", nr_sgs); > err = -EINVAL; > - goto theend; > + goto err_result; > } > > len = areq->nbytes; > @@ -334,7 +332,7 @@ int sun8i_ce_hash_run(struct crypto_engine *engine, void *breq) > if (len > 0) { > dev_err(ce->dev, "remaining len %d\n", len); > err = -EINVAL; > - goto theend; > + goto err_unmap_sg; > } > addr_res = dma_map_single(ce->dev, result, digestsize, DMA_FROM_DEVICE); > cet->t_dst[0].addr = cpu_to_le32(addr_res); > @@ -342,7 +340,7 @@ int sun8i_ce_hash_run(struct crypto_engine *engine, void *breq) > if (dma_mapping_error(ce->dev, addr_res)) { > dev_err(ce->dev, "DMA map dest\n"); > err = -EINVAL; > - goto theend; > + goto err_unmap_sg; > } > > byte_count = areq->nbytes; > @@ -392,7 +390,7 @@ int sun8i_ce_hash_run(struct crypto_engine *engine, void *breq) > if (dma_mapping_error(ce->dev, addr_pad)) { > dev_err(ce->dev, "DMA error on padding SG\n"); > err = -EINVAL; > - goto theend; > + goto err_addr_res; > } > > if (ce->variant->hash_t_dlen_in_bits) > @@ -405,15 +403,15 @@ int sun8i_ce_hash_run(struct crypto_engine *engine, void *breq) > err = sun8i_ce_run_task(ce, flow, crypto_tfm_alg_name(areq->base.tfm)); > > dma_unmap_single(ce->dev, addr_pad, j * 4, DMA_TO_DEVICE); > +err_addr_res: > + dma_unmap_single(ce->dev, addr_res, digestsize, DMA_FROM_DEVICE); > +err_unmap_sg: > dma_unmap_sg(ce->dev, areq->src, sg_nents(areq->src), > DMA_TO_DEVICE); > - dma_unmap_single(ce->dev, addr_res, digestsize, DMA_FROM_DEVICE); > - > - > memcpy(areq->result, result, algt->alg.hash.halg.digestsize); The result should be copied only when everything is ok. Please add a "if (!err)" Thanks for your work Regards
On Tue, Aug 3, 2021 at 2:25 AM Corentin Labbe <clabbe.montjoie@gmail.com> wrote: > > Le Mon, Jul 26, 2021 at 11:27:12PM +0800, Dongliang Mu a écrit : > > In sun8i_ce_hash_run, all the dma_mmap_sg/single will cause memory leak > > due to no corresponding unmap operation if errors happen. > > > > Fix this by adding error handling part for all the dma_mmap_sg/single. > > > > I think it could be better worded, error handling is already there (but bad). Sure. How about "Fix this by freeing the objects allocated by dma_mmap_sg/single when errors occur."? > > > Fixes: 56f6d5aee88d ("crypto: sun8i-ce - support hash algorithms") > > Signed-off-by: Dongliang Mu <mudongliangabcd@gmail.com> > > --- > > .../crypto/allwinner/sun8i-ce/sun8i-ce-hash.c | 28 +++++++++---------- > > 1 file changed, 13 insertions(+), 15 deletions(-) > > > > diff --git a/drivers/crypto/allwinner/sun8i-ce/sun8i-ce-hash.c b/drivers/crypto/allwinner/sun8i-ce/sun8i-ce-hash.c > > index 88194718a806..d454ad99deee 100644 > > --- a/drivers/crypto/allwinner/sun8i-ce/sun8i-ce-hash.c > > +++ b/drivers/crypto/allwinner/sun8i-ce/sun8i-ce-hash.c > > @@ -286,16 +286,14 @@ int sun8i_ce_hash_run(struct crypto_engine *engine, void *breq) > > > > /* the padding could be up to two block. */ > > buf = kzalloc(bs * 2, GFP_KERNEL | GFP_DMA); > > - if (!buf) { > > - err = -ENOMEM; > > - goto theend; > > Please keep all goto error for being consistent. OK, no problem. BTW, usually for the 1st malloc failure, I prefer returning with errno directly. > > > - } > > + if (!buf) > > + return -ENOMEM; > > bf = (__le32 *)buf; > > > > result = kzalloc(digestsize, GFP_KERNEL | GFP_DMA); > > if (!result) { > > - err = -ENOMEM; > > - goto theend; > > + kfree(buf); > > + return -ENOMEM; > > } > > > > flow = rctx->flow; > > @@ -321,7 +319,7 @@ int sun8i_ce_hash_run(struct crypto_engine *engine, void *breq) > > if (nr_sgs <= 0 || nr_sgs > MAX_SG) { > > dev_err(ce->dev, "Invalid sg number %d\n", nr_sgs); > > err = -EINVAL; > > - goto theend; > > + goto err_result; > > } > > > > len = areq->nbytes; > > @@ -334,7 +332,7 @@ int sun8i_ce_hash_run(struct crypto_engine *engine, void *breq) > > if (len > 0) { > > dev_err(ce->dev, "remaining len %d\n", len); > > err = -EINVAL; > > - goto theend; > > + goto err_unmap_sg; > > } > > addr_res = dma_map_single(ce->dev, result, digestsize, DMA_FROM_DEVICE); > > cet->t_dst[0].addr = cpu_to_le32(addr_res); > > @@ -342,7 +340,7 @@ int sun8i_ce_hash_run(struct crypto_engine *engine, void *breq) > > if (dma_mapping_error(ce->dev, addr_res)) { > > dev_err(ce->dev, "DMA map dest\n"); > > err = -EINVAL; > > - goto theend; > > + goto err_unmap_sg; > > } > > > > byte_count = areq->nbytes; > > @@ -392,7 +390,7 @@ int sun8i_ce_hash_run(struct crypto_engine *engine, void *breq) > > if (dma_mapping_error(ce->dev, addr_pad)) { > > dev_err(ce->dev, "DMA error on padding SG\n"); > > err = -EINVAL; > > - goto theend; > > + goto err_addr_res; > > } > > > > if (ce->variant->hash_t_dlen_in_bits) > > @@ -405,15 +403,15 @@ int sun8i_ce_hash_run(struct crypto_engine *engine, void *breq) > > err = sun8i_ce_run_task(ce, flow, crypto_tfm_alg_name(areq->base.tfm)); > > > > dma_unmap_single(ce->dev, addr_pad, j * 4, DMA_TO_DEVICE); > > +err_addr_res: > > + dma_unmap_single(ce->dev, addr_res, digestsize, DMA_FROM_DEVICE); > > +err_unmap_sg: > > dma_unmap_sg(ce->dev, areq->src, sg_nents(areq->src), > > DMA_TO_DEVICE); > > - dma_unmap_single(ce->dev, addr_res, digestsize, DMA_FROM_DEVICE); > > - > > - > > memcpy(areq->result, result, algt->alg.hash.halg.digestsize); > > The result should be copied only when everything is ok. Please add a "if (!err)" Sure. > > Thanks for your work > Regards
On Tue, Aug 3, 2021 at 1:57 PM Dongliang Mu <mudongliangabcd@gmail.com> wrote: > > On Tue, Aug 3, 2021 at 2:25 AM Corentin Labbe <clabbe.montjoie@gmail.com> wrote: > > > > Le Mon, Jul 26, 2021 at 11:27:12PM +0800, Dongliang Mu a écrit : > > > In sun8i_ce_hash_run, all the dma_mmap_sg/single will cause memory leak > > > due to no corresponding unmap operation if errors happen. > > > > > > Fix this by adding error handling part for all the dma_mmap_sg/single. > > > > > > > I think it could be better worded, error handling is already there (but bad). > > Sure. How about "Fix this by freeing the objects allocated by > dma_mmap_sg/single when errors occur."? > > > > > > Fixes: 56f6d5aee88d ("crypto: sun8i-ce - support hash algorithms") > > > Signed-off-by: Dongliang Mu <mudongliangabcd@gmail.com> > > > --- > > > .../crypto/allwinner/sun8i-ce/sun8i-ce-hash.c | 28 +++++++++---------- > > > 1 file changed, 13 insertions(+), 15 deletions(-) > > > > > > diff --git a/drivers/crypto/allwinner/sun8i-ce/sun8i-ce-hash.c b/drivers/crypto/allwinner/sun8i-ce/sun8i-ce-hash.c > > > index 88194718a806..d454ad99deee 100644 > > > --- a/drivers/crypto/allwinner/sun8i-ce/sun8i-ce-hash.c > > > +++ b/drivers/crypto/allwinner/sun8i-ce/sun8i-ce-hash.c > > > @@ -286,16 +286,14 @@ int sun8i_ce_hash_run(struct crypto_engine *engine, void *breq) > > > > > > /* the padding could be up to two block. */ > > > buf = kzalloc(bs * 2, GFP_KERNEL | GFP_DMA); > > > - if (!buf) { > > > - err = -ENOMEM; > > > - goto theend; > > > > Please keep all goto error for being consistent. > > OK, no problem. > > BTW, usually for the 1st malloc failure, I prefer returning with errno directly. For this case, as crypto_finalize_hash_request must be executed, so directly return is incorrect. I will add a goto label before crypto_finalize_hash_request. > > > > > > - } > > > + if (!buf) > > > + return -ENOMEM; > > > bf = (__le32 *)buf; > > > > > > result = kzalloc(digestsize, GFP_KERNEL | GFP_DMA); > > > if (!result) { > > > - err = -ENOMEM; > > > - goto theend; > > > + kfree(buf); > > > + return -ENOMEM; > > > } > > > > > > flow = rctx->flow; > > > @@ -321,7 +319,7 @@ int sun8i_ce_hash_run(struct crypto_engine *engine, void *breq) > > > if (nr_sgs <= 0 || nr_sgs > MAX_SG) { > > > dev_err(ce->dev, "Invalid sg number %d\n", nr_sgs); > > > err = -EINVAL; > > > - goto theend; > > > + goto err_result; > > > } > > > > > > len = areq->nbytes; > > > @@ -334,7 +332,7 @@ int sun8i_ce_hash_run(struct crypto_engine *engine, void *breq) > > > if (len > 0) { > > > dev_err(ce->dev, "remaining len %d\n", len); > > > err = -EINVAL; > > > - goto theend; > > > + goto err_unmap_sg; > > > } > > > addr_res = dma_map_single(ce->dev, result, digestsize, DMA_FROM_DEVICE); > > > cet->t_dst[0].addr = cpu_to_le32(addr_res); > > > @@ -342,7 +340,7 @@ int sun8i_ce_hash_run(struct crypto_engine *engine, void *breq) > > > if (dma_mapping_error(ce->dev, addr_res)) { > > > dev_err(ce->dev, "DMA map dest\n"); > > > err = -EINVAL; > > > - goto theend; > > > + goto err_unmap_sg; > > > } > > > > > > byte_count = areq->nbytes; > > > @@ -392,7 +390,7 @@ int sun8i_ce_hash_run(struct crypto_engine *engine, void *breq) > > > if (dma_mapping_error(ce->dev, addr_pad)) { > > > dev_err(ce->dev, "DMA error on padding SG\n"); > > > err = -EINVAL; > > > - goto theend; > > > + goto err_addr_res; > > > } > > > > > > if (ce->variant->hash_t_dlen_in_bits) > > > @@ -405,15 +403,15 @@ int sun8i_ce_hash_run(struct crypto_engine *engine, void *breq) > > > err = sun8i_ce_run_task(ce, flow, crypto_tfm_alg_name(areq->base.tfm)); > > > > > > dma_unmap_single(ce->dev, addr_pad, j * 4, DMA_TO_DEVICE); > > > +err_addr_res: > > > + dma_unmap_single(ce->dev, addr_res, digestsize, DMA_FROM_DEVICE); > > > +err_unmap_sg: > > > dma_unmap_sg(ce->dev, areq->src, sg_nents(areq->src), > > > DMA_TO_DEVICE); > > > - dma_unmap_single(ce->dev, addr_res, digestsize, DMA_FROM_DEVICE); > > > - > > > - > > > memcpy(areq->result, result, algt->alg.hash.halg.digestsize); > > > > The result should be copied only when everything is ok. Please add a "if (!err)" > > Sure. > > > > > Thanks for your work > > Regards
diff --git a/drivers/crypto/allwinner/sun8i-ce/sun8i-ce-hash.c b/drivers/crypto/allwinner/sun8i-ce/sun8i-ce-hash.c index 88194718a806..d454ad99deee 100644 --- a/drivers/crypto/allwinner/sun8i-ce/sun8i-ce-hash.c +++ b/drivers/crypto/allwinner/sun8i-ce/sun8i-ce-hash.c @@ -286,16 +286,14 @@ int sun8i_ce_hash_run(struct crypto_engine *engine, void *breq) /* the padding could be up to two block. */ buf = kzalloc(bs * 2, GFP_KERNEL | GFP_DMA); - if (!buf) { - err = -ENOMEM; - goto theend; - } + if (!buf) + return -ENOMEM; bf = (__le32 *)buf; result = kzalloc(digestsize, GFP_KERNEL | GFP_DMA); if (!result) { - err = -ENOMEM; - goto theend; + kfree(buf); + return -ENOMEM; } flow = rctx->flow; @@ -321,7 +319,7 @@ int sun8i_ce_hash_run(struct crypto_engine *engine, void *breq) if (nr_sgs <= 0 || nr_sgs > MAX_SG) { dev_err(ce->dev, "Invalid sg number %d\n", nr_sgs); err = -EINVAL; - goto theend; + goto err_result; } len = areq->nbytes; @@ -334,7 +332,7 @@ int sun8i_ce_hash_run(struct crypto_engine *engine, void *breq) if (len > 0) { dev_err(ce->dev, "remaining len %d\n", len); err = -EINVAL; - goto theend; + goto err_unmap_sg; } addr_res = dma_map_single(ce->dev, result, digestsize, DMA_FROM_DEVICE); cet->t_dst[0].addr = cpu_to_le32(addr_res); @@ -342,7 +340,7 @@ int sun8i_ce_hash_run(struct crypto_engine *engine, void *breq) if (dma_mapping_error(ce->dev, addr_res)) { dev_err(ce->dev, "DMA map dest\n"); err = -EINVAL; - goto theend; + goto err_unmap_sg; } byte_count = areq->nbytes; @@ -392,7 +390,7 @@ int sun8i_ce_hash_run(struct crypto_engine *engine, void *breq) if (dma_mapping_error(ce->dev, addr_pad)) { dev_err(ce->dev, "DMA error on padding SG\n"); err = -EINVAL; - goto theend; + goto err_addr_res; } if (ce->variant->hash_t_dlen_in_bits) @@ -405,15 +403,15 @@ int sun8i_ce_hash_run(struct crypto_engine *engine, void *breq) err = sun8i_ce_run_task(ce, flow, crypto_tfm_alg_name(areq->base.tfm)); dma_unmap_single(ce->dev, addr_pad, j * 4, DMA_TO_DEVICE); +err_addr_res: + dma_unmap_single(ce->dev, addr_res, digestsize, DMA_FROM_DEVICE); +err_unmap_sg: dma_unmap_sg(ce->dev, areq->src, sg_nents(areq->src), DMA_TO_DEVICE); - dma_unmap_single(ce->dev, addr_res, digestsize, DMA_FROM_DEVICE); - - memcpy(areq->result, result, algt->alg.hash.halg.digestsize); -theend: - kfree(buf); +err_result: kfree(result); + kfree(buf); crypto_finalize_hash_request(engine, breq, err); return 0; }
In sun8i_ce_hash_run, all the dma_mmap_sg/single will cause memory leak due to no corresponding unmap operation if errors happen. Fix this by adding error handling part for all the dma_mmap_sg/single. Fixes: 56f6d5aee88d ("crypto: sun8i-ce - support hash algorithms") Signed-off-by: Dongliang Mu <mudongliangabcd@gmail.com> --- .../crypto/allwinner/sun8i-ce/sun8i-ce-hash.c | 28 +++++++++---------- 1 file changed, 13 insertions(+), 15 deletions(-)