Re: [Help] Null pointer exception in scatterwalk_start() in kernel-4.9

2018-11-28 Thread Herbert Xu
On Tue, Nov 20, 2018 at 07:09:53AM +, gongchen (E) wrote:
> Hi Dear Herbert,
> 
> Sorry to bother you, but we've met a problem in the crypto module;
> would you please kindly help us look into it? Thank you very much.
> 
> In the below function chain, scatterwalk_start() doesn't check
> the result of sg_next(), so the kernel will crash if sg_next() returns a null
> pointer, which is our case. (The full stack is at the end of the letter.)
> 
> blkcipher_walk_done()->scatterwalk_done()->scatterwalk_pagedone()->scatterwalk_start(walk, sg_next(walk->sg));
> 
> Should we add a null-pointer check in scatterwalk_start()? Or is
> there any process that can ensure that there is a valid sg pointer if the
> condition (walk->offset >= walk->sg->offset + walk->sg->length) is true?
> 
> We are really looking forward to your reply; any information will
> be appreciated, thanks again.

Did you apply the following patch?

commit 0868def3e4100591e7a1fdbf3eed1439cc8f7ca3
Author: Eric Biggers 
Date:   Mon Jul 23 10:54:57 2018 -0700

crypto: blkcipher - fix crash flushing dcache in error path

Cheers,
-- 
Email: Herbert Xu 
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
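A user-space model of the advance in the function chain quoted above, added here as an illustration and not code from the thread or from the kernel: the struct and function names mirror the kernel's but are simplified, and the NULL check in scatterwalk_start() is added only so the model reports where the kernel would fault. It shows that the walk steps past the last scatterlist entry only when the caller's 'more' flag says data remains, so a scatterlist that covers fewer bytes than the caller accounts for ends the walk on a NULL entry.

```c
/* User-space model of the scatterwalk advance in the call chain above.
 * Constructed illustration, not kernel code: names mirror the kernel's,
 * the structures are simplified, and the NULL check in scatterwalk_start()
 * is added here so the model reports the fault instead of crashing. */
#include <stdbool.h>
#include <stddef.h>

struct sg { struct sg *next; unsigned int offset, length; };
struct scatter_walk { struct sg *sg; unsigned int offset; };

static struct sg *sg_next(struct sg *s) { return s->next; }

/* The kernel version reads s->offset unconditionally; NULL faults there. */
static bool scatterwalk_start(struct scatter_walk *w, struct sg *s)
{
    if (!s)
        return false;
    w->sg = s;
    w->offset = s->offset;
    return true;
}

/* Like scatterwalk_pagedone(): advance only when the caller says more
 * data follows AND the current entry is fully consumed. */
static bool scatterwalk_pagedone(struct scatter_walk *w, bool more)
{
    if (more && w->offset >= w->sg->offset + w->sg->length)
        return scatterwalk_start(w, sg_next(w->sg));
    return true;
}

/* Walk 'total' bytes (the caller's claim) over the chain in 'step'-byte
 * pieces. Returns bytes consumed, or -1 where the kernel would fault. */
static int run_walk(struct sg *chain, unsigned int total, unsigned int step)
{
    struct scatter_walk w;
    unsigned int done = 0;

    scatterwalk_start(&w, chain);
    while (done < total) {
        unsigned int n = w.sg->offset + w.sg->length - w.offset;
        if (n > step) n = step;
        if (n > total - done) n = total - done;
        w.offset += n;
        done += n;
        if (!scatterwalk_pagedone(&w, done < total))
            return -1;
    }
    return (int)done;
}

/* Constructed chain: two 16-byte entries, 32 bytes in all. */
static struct sg sg1 = { NULL, 0, 16 }, sg0 = { &sg1, 0, 16 };
int walk_consistent(void) { return run_walk(&sg0, 32, 16); } /* caller claims 32 */
int walk_overclaimed(void) { return run_walk(&sg0, 48, 16); } /* claims 48: 'more' past last sg */
```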


[Help] Null pointer exception in scatterwalk_start() in kernel-4.9

2018-11-19 Thread gongchen (E)
Hi Dear Herbert,

Sorry to bother you, but we've met a problem in the crypto module;
would you please kindly help us look into it? Thank you very much.

In the below function chain, scatterwalk_start() doesn't check the
result of sg_next(), so the kernel will crash if sg_next() returns a null
pointer, which is our case. (The full stack is at the end of the letter.)

blkcipher_walk_done()->scatterwalk_done()->scatterwalk_pagedone()->scatterwalk_start(walk, sg_next(walk->sg));

Should we add a null-pointer check in scatterwalk_start()? Or is
there any process that can ensure that there is a valid sg pointer if the
condition (walk->offset >= walk->sg->offset + walk->sg->length) is true?

We are really looking forward to your reply; any information will
be appreciated, thanks again.

Best regards

Chen Gong

2018.11.20

---
Full Stack:
<1>[395491.178009s][pid:29501,cpu4,Binder:708_A]Unable to handle kernel NULL pointer dereference at virtual address 0008
<1>[395491.178039s][pid:29501,cpu4,Binder:708_A]pgd = ffc112c27000
<1>[395491.178039s][pid:29501,cpu4,Binder:708_A][0008] *pgd=, *pud=
<0>[395491.178070s][pid:29501,cpu4,Binder:708_A]Internal error: Oops: 9605 [#1] PREEMPT SMP
<4>[395491.178070s][pid:29501,cpu4,Binder:708_A]Modules linked in: hisi_dummy_ko
<4>[395491.178100s][pid:29501,cpu4,Binder:708_A]CPU: 4 PID: 29501 Comm: Binder:708_A VIP: 00 Tainted: GW   4.9.111 #1
<4>[395491.178100s][pid:29501,cpu4,Binder:708_A]TGID: 708 Comm: Binder:708_2
<4>[395491.178100s][pid:29501,cpu4,Binder:708_A]Hardware name: hi3660 (DT)
<4>[395491.178100s][pid:29501,cpu4,Binder:708_A]task: ffc1d43ec880 task.stack: ffc3007e
<4>[395491.178100s][pid:29501,cpu4,Binder:708_A]PC is at blkcipher_walk_done+0x210/0x354
<4>[395491.178131s][pid:29501,cpu4,Binder:708_A]LR is at blkcipher_walk_done+0x20c/0x354
<4>[395491.178131s][pid:29501,cpu4,Binder:708_A]pc : [] lr : [] pstate: 6145
<4>[395491.178131s][pid:29501,cpu4,Binder:708_A]sp : ffc3007e3950
<4>[395491.180725s][pid:29501,cpu4,Binder:708_A][] blkcipher_walk_done+0x210/0x354
<4>[395491.180755s][pid:29501,cpu4,Binder:708_A][] cbc_decrypt+0xa0/0xe8
<4>[395491.180755s][pid:29501,cpu4,Binder:708_A][] ablk_decrypt+0x78/0xf4
<4>[395491.180755s][pid:29501,cpu4,Binder:708_A][] skcipher_decrypt_ablkcipher+0x70/0x80
<4>[395491.180786s][pid:29501,cpu4,Binder:708_A][] crypto_cts_decrypt+0xf0/0x184
<4>[395491.180786s][pid:29501,cpu4,Binder:708_A][] fname_decrypt.isra.1+0x110/0x1d8
<4>[395491.180786s][pid:29501,cpu4,Binder:708_A][] fscrypt_fname_disk_to_usr+0x1d8/0x264
<4>[395491.180816s][pid:29501,cpu4,Binder:708_A][] f2fs_fill_dentries+0x13c/0x1d4
<4>[395491.180816s][pid: