• Eric Biggers's avatar
    crypto: ablkcipher - fix crash flushing dcache in error path · b7c2b699
    Eric Biggers authored
    commit 318abdfb upstream.
    
    Like the skcipher_walk and blkcipher_walk cases:
    
    scatterwalk_done() is only meant to be called after a nonzero number of
    bytes have been processed, since scatterwalk_pagedone() will flush the
    dcache of the *previous* page.  But in the error case of
    ablkcipher_walk_done(), e.g. if the input wasn't an integer number of
    blocks, scatterwalk_done() was actually called after advancing 0 bytes.
    This caused a crash ("BUG: unable to handle kernel paging request")
    during '!PageSlab(page)' on architectures like arm and arm64 that define
    ARCH_IMPLEMENTS_FLUSH_DCACHE_PAGE, provided that the input was
    page-aligned as in that case walk->offset == 0.
    
    Fix it by reorganizing ablkcipher_walk_done() to skip the
    scatterwalk_advance() and scatterwalk_done() if an error has occurred.
    Reported-by: default avatarLiu Chao <liuchao741@huawei.com>
    Fixes: bf06099d ("crypto: skcipher - Add ablkcipher_walk interfaces")
    Cc: <stable@vger.kernel.org> # v2.6.35+
    Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
    Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
    Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
    b7c2b699
ablkcipher.c 12.9 KB