Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

s390/zcrypt: Fix memory leak with CCA cards used as accelerator

Tests showed that there is a memory leak if CCA cards are used as
accelerator for clear key RSA requests (ME and CRT). With the last
rework of the memory allocation the AP messages are allocated by
ap_init_apmsg(), but for some reason in two places (ME and CRT) the
older allocation was still in place. So the first allocation was
simply never freed.

Fixes: 57db62a130ce ("s390/ap/zcrypt: Rework AP message buffer allocation")
Reported-by: Yi Zhang <yi.zhang@redhat.com>
Closes: https://lore.kernel.org/linux-s390/CAHj4cs9H67Uz0iVaRQv447p7JFPRPy3TKAT4=Y6_e=wSHCZM5w@mail.gmail.com/
Reported-by: Nadja Hariz <Nadia.Hariz@ibm.com>
Cc: stable@vger.kernel.org
Reviewed-by: Ingo Franzki <ifranzki@linux.ibm.com>
Reviewed-by: Holger Dengler <dengler@linux.ibm.com>
Acked-by: Heiko Carstens <hca@linux.ibm.com>
Signed-off-by: Harald Freudenberger <freude@linux.ibm.com>
Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>

authored by

Harald Freudenberger and committed by
Vasily Gorbik
c8d46f17 57ad0d4a

+14 -18
+14 -18
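--- a/drivers/s390/crypto/zcrypt_msgtype6.c
+++ b/drivers/s390/crypto/zcrypt_msgtype6.c
@@ -953,6 +953,10 @@
 /*
  * The request distributor calls this function if it picked the CEXxC
  * device to handle a modexpo request.
+ * This function assumes that ap_msg has been initialized with
+ * ap_init_apmsg() and thus a valid buffer with the size of
+ * ap_msg->bufsize is available within ap_msg. Also the caller has
+ * to make sure ap_release_apmsg() is always called even on failure.
  * @zq: pointer to zcrypt_queue structure that identifies the
  *	  CEXxC device to the request distributor
  * @mex: pointer to the modexpo request buffer
@@ -968,21 +972,17 @@
 	struct ap_response_type *resp_type = &ap_msg->response;
 	int rc;
 
-	ap_msg->msg = (void *)get_zeroed_page(GFP_KERNEL);
-	if (!ap_msg->msg)
-		return -ENOMEM;
-	ap_msg->bufsize = PAGE_SIZE;
 	ap_msg->receive = zcrypt_msgtype6_receive;
 	ap_msg->psmid = (((unsigned long)current->pid) << 32) +
 		atomic_inc_return(&zcrypt_step);
 	rc = icamex_msg_to_type6mex_msgx(zq, ap_msg, mex);
 	if (rc)
-		goto out_free;
+		goto out;
 	resp_type->type = CEXXC_RESPONSE_TYPE_ICA;
 	init_completion(&resp_type->work);
 	rc = ap_queue_message(zq->queue, ap_msg);
 	if (rc)
-		goto out_free;
+		goto out;
 	rc = wait_for_completion_interruptible(&resp_type->work);
 	if (rc == 0) {
 		rc = ap_msg->rc;
@@ -991,15 +991,17 @@
 		ap_cancel_message(zq->queue, ap_msg);
 	}
 
-out_free:
-	free_page((unsigned long)ap_msg->msg);
-	ap_msg->msg = NULL;
+out:
 	return rc;
 }
 
 /*
  * The request distributor calls this function if it picked the CEXxC
  * device to handle a modexpo_crt request.
+ * This function assumes that ap_msg has been initialized with
+ * ap_init_apmsg() and thus a valid buffer with the size of
+ * ap_msg->bufsize is available within ap_msg. Also the caller has
+ * to make sure ap_release_apmsg() is always called even on failure.
  * @zq: pointer to zcrypt_queue structure that identifies the
  *	  CEXxC device to the request distributor
  * @crt: pointer to the modexpoc_crt request buffer
@@ -1013,21 +1015,17 @@
 	struct ap_response_type *resp_type = &ap_msg->response;
 	int rc;
 
-	ap_msg->msg = (void *)get_zeroed_page(GFP_KERNEL);
-	if (!ap_msg->msg)
-		return -ENOMEM;
-	ap_msg->bufsize = PAGE_SIZE;
 	ap_msg->receive = zcrypt_msgtype6_receive;
 	ap_msg->psmid = (((unsigned long)current->pid) << 32) +
 		atomic_inc_return(&zcrypt_step);
 	rc = icacrt_msg_to_type6crt_msgx(zq, ap_msg, crt);
 	if (rc)
-		goto out_free;
+		goto out;
 	resp_type->type = CEXXC_RESPONSE_TYPE_ICA;
 	init_completion(&resp_type->work);
 	rc = ap_queue_message(zq->queue, ap_msg);
 	if (rc)
-		goto out_free;
+		goto out;
 	rc = wait_for_completion_interruptible(&resp_type->work);
 	if (rc == 0) {
 		rc = ap_msg->rc;
@@ -1036,9 +1034,7 @@
 		ap_cancel_message(zq->queue, ap_msg);
 	}
 
-out_free:
-	free_page((unsigned long)ap_msg->msg);
-	ap_msg->msg = NULL;
+out:
 	return rc;
 }
 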
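Review bot: With `ap_msg->bufsize = PAGE_SIZE;` removed from both the modexpo and the modexpo_crt handler, the buffer size the message converters see is now whatever ap_init_apmsg() chose, and icamex_msg_to_type6mex_msgx()/icacrt_msg_to_type6crt_msgx() are outside these hunks, so it is worth confirming that they bound their writes by ap_msg->bufsize rather than assuming a full page. The remaining `goto out;` sites in both functions now jump to a label whose only statement is `return rc;`; with no cleanup left at the label, writing `return rc;` at each site and dropping the label would read more directly, though keeping a single exit label is also accepted kernel style. The new four-line contract is duplicated verbatim in both function headers; a one-line reference such as `/* ap_msg must come from ap_init_apmsg(); caller releases it via ap_release_apmsg() */` would be easier to keep in sync, but that is a nit. Both functions start and end outside the section's hunks.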