lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <aB864l2mx4ZChZBE@gondor.apana.org.au> Date: Sat, 10 May 2025 19:39:14 +0800 From: Herbert Xu <herbert@...dor.apana.org.au> To: Corentin Labbe <clabbe.montjoie@...il.com> Cc: Klaus Kudielka <klaus.kudielka@...il.com>, regressions@...ts.linux.dev, linux-kernel@...r.kernel.org, Linux Crypto Mailing List <linux-crypto@...r.kernel.org>, Boris Brezillon <bbrezillon@...nel.org>, EBALARD Arnaud <Arnaud.Ebalard@....gouv.fr>, Romain Perier <romain.perier@...il.com> Subject: Re: [PATCH] crypto: marvell/cesa - Avoid empty transfer descriptor On Sat, May 10, 2025 at 01:14:22PM +0200, Corentin Labbe wrote: > > This is the git diff result to be sure I didnt miss a patch: http://kernel.montjoie.ovh/cesa.debug.diff Thanks! I think we have a smoking gun: [ 45.700298] mv_cesa_dma_step: 1 0xc7011440 0x9256040 "0x9256020" [ 45.706141] mv_cesa_ahash_req_cleanup: 0 0xc93b9c00 [ 45.711996] mv_cesa_int: 1 0x4ea1 0x80 [ 45.716875] mv_cesa_int: 0 0x4ea1 0x80 [ 45.720627] mv_cesa_tdma_process: 1 "0x9256020" [ 45.724380] mv_cesa_tdma_process: 0 0x9256140 [ 45.728757] mv_cesa_ahash_complete: 1 0xc7011400 [ 45.733112] mv_cesa_ahash_complete: 0 0xc7011200 [ 45.737741] mv_cesa_tdma_process: 1 0 0xc7011400 [ 45.742364] mv_cesa_tdma_process: 0 0 0xc7011200 [ 45.746994] mv_cesa_ahash_req_cleanup: 1 0xc7011400 [ 45.751614] mv_cesa_ahash_req_cleanup: 0 0xc7011200 [ 45.756635] mv_cesa_ahash_queue_req: 0 0xc93b9c00 [ 45.766104] mv_cesa_dma_step: 0 0xc93b9c40 "0x9256020" 0x9256000 [ 45.771972] alg: ahash: mv-sha1 test failed (wrong result) on test vector 3, cfg="init+update+update+final two even splits" The descriptor 0x9256020 was just freed by engine 1, and it's still the current pointer of engine 1. It was then immediately reused by engine 0 starting a new chain. It's conceivable that engine 1 then somehow starts executing on it at the same time. Cheers, -- Email: Herbert Xu <herbert@...dor.apana.org.au> Home Page: http://gondor.apana.org.au/~herbert/ PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
Powered by blists - more mailing lists