Thread: 9 messages, 6 authors, 2023-08-04

Re: Another regression in the af_alg series (s390x-specific)

From: Bagas Sanjaya <hidden>
Date: 2023-07-14 02:11:27
Also in: linux-crypto, lkml, regressions

On Thu, Jul 13, 2023 at 10:03:45AM +0200, Ondrej Mosnáček wrote:
Hi,

It turns out that beneath the first bug [1] there was another one
hiding. It seems to happen only on the s390x architecture when running
the following libkcapi [2] reproducer:

kcapi -x 2 -s -c "gcm(aes)" -i 0d92aa861746b324f20ee6b7 \
    -k f4a6a5e5f2066f6dd9ec6fc5169c29043560ef595c9e81e76f42d29212cc581c \
    -a "" -t 5f24c68cbe6f32c29652442bf5d483ad -q ""

Frequently (but not always) it triggers an oops like this one:

[ 3986.766763] Unable to handle kernel pointer dereference in virtual
kernel address space
[ 3986.766774] Failing address: 0000000a00000000 TEID: 0000000a00000803
[ 3986.766776] Fault in home space mode while using kernel ASCE.
[ 3986.766778] AS:00000000a43a0007 R3:0000000000000024
[ 3986.766825] Oops: 003b ilc:2 [#1] SMP
<snip>
[ 3986.766877] CPU: 0 PID: 271064 Comm: kcapi Tainted: G        W
    6.5.0-rc1 #1
[ 3986.767070] Hardware name: IBM 8561 LT1 400 (z/VM 7.2.0)
<snip>
[ 3986.767151] Call Trace:
[ 3986.767153]  [<000003ff7fc3d47e>] gcm_walk_start+0x16/0x28 [aes_s390]
[ 3986.767160]  [<00000000a2a342f2>] crypto_aead_decrypt+0x9a/0xb8
[ 3986.767166]  [<00000000a2a60888>] aead_recvmsg+0x478/0x698
[ 3986.767169]  [<00000000a2e519a0>] sock_recvmsg+0x70/0xb0
[ 3986.767175]  [<00000000a2e51a56>] sock_read_iter+0x76/0xa0
[ 3986.767177]  [<00000000a273e066>] vfs_read+0x26e/0x2a8
[ 3986.767182]  [<00000000a273e8c4>] ksys_read+0xbc/0x100
[ 3986.767184]  [<00000000a311d808>] __do_syscall+0x1d0/0x1f8
[ 3986.767189]  [<00000000a312ff30>] system_call+0x70/0x98
[ 3986.767193] Last Breaking-Event-Address:
[ 3986.767193]  [<000003ff7fc3e6b4>] gcm_aes_crypt+0x104/0xa68 [aes_s390]
[ 3986.767198] Kernel panic - not syncing: Fatal exception: panic_on_oops

This time the regression was bisected to:

commit c1abe6f570aff4b6d396dc551e60570d2f50bd79
Author: David Howells [off-list ref]
Date:   Tue Jun 6 14:08:52 2023 +0100

   crypto: af_alg: Use extract_iter_to_sg() to create scatterlists

I can't see what the problem is with the commit, so I'm reporting here
hoping that David or someone else can pick it up from here.

Thanks for the regression report. I'm adding it to regzbot:

#regzbot ^introduced: c1abe6f570aff4b
#regzbot title: kernel pointer dereference regression due to extract_iter_to_sg()

-- 
An old man doll... just what I always wanted! - Clara
