Hello Jonathan Cameron,
The patch 915e4e8413da: "crypto: hisilicon - SEC security accelerator
driver" from Jul 23, 2018, leads to the following static checker
warning:
drivers/crypto/hisilicon/sec/sec_algs.c:865 sec_alg_skcipher_crypto()
error: double free of 'split_sizes'
drivers/crypto/hisilicon/sec/sec_algs.c
808
809 /* Cleanup - all elements in pointer arrays have been coppied */
810 kfree(splits_in_nents);
811 kfree(splits_in);
812 kfree(splits_out_nents);
813 kfree(splits_out);
814 kfree(split_sizes);
^^^^^^^^^^^
Free
815
816 /* Grab a big lock for a long time to avoid concurrency issues
*/
817 mutex_lock(&queue->queuelock);
818
819 /*
820 * Can go on to queue if we have space in either:
821 * 1) The hardware queue and no software queue
822 * 2) The software queue
823 * AND there is nothing in the backlog. If there is backlog we
824 * have to only queue to the backlog queue and return busy.
825 */
826 if ((!sec_queue_can_enqueue(queue, steps) &&
827 (!queue->havesoftqueue ||
828 kfifo_avail(&queue->softqueue) > steps)) ||
829 !list_empty(&ctx->backlog)) {
830 if ((skreq->base.flags & CRYPTO_TFM_REQ_MAY_BACKLOG)) {
831 list_add_tail(&sec_req->backlog_head,
&ctx->backlog);
832 mutex_unlock(&queue->queuelock);
833 return -EBUSY;
834 }
835
836 ret = -EBUSY;
837 mutex_unlock(&queue->queuelock);
838 goto err_free_elements;
^^^^^^^^^^^^^^^^^^^^^^
839 }
840 ret = sec_send_request(sec_req, queue);
841 mutex_unlock(&queue->queuelock);
842 if (ret)
843 goto err_free_elements;
^^^^^^^^^^^^^^^^^^^^^^
844
845 return -EINPROGRESS;
846
847 err_free_elements:
848 list_for_each_entry_safe(el, temp, &sec_req->elements, head) {
849 list_del(&el->head);
850 sec_alg_free_el(el, info);
851 }
852 if (crypto_skcipher_ivsize(atfm))
853 dma_unmap_single(info->dev, sec_req->dma_iv,
854 crypto_skcipher_ivsize(atfm),
855 DMA_BIDIRECTIONAL);
856 err_unmap_out_sg:
857 if (skreq->src != skreq->dst)
858 sec_unmap_sg_on_err(skreq->dst, steps, splits_out,
859 splits_out_nents, sec_req->len_out,
860 info->dev);
861 err_unmap_in_sg:
862 sec_unmap_sg_on_err(skreq->src, steps, splits_in,
splits_in_nents,
863 sec_req->len_in, info->dev);
864 err_free_split_sizes:
865 kfree(split_sizes);
^^^^^^^^^^^^^^^^^^^
Double free.
866
867 return ret;
868 }
regards,
dan carpenter
