In function skcipher_recvmsg_async() defined in file crypto/algif_skcipher.c, the if-statement at line 569 checks whether kcalloc() successfully allocates memory. After the error check at line 548, the value of variable err must be 0. As a result, it may return 0 (indicating that no error occurred) even when there is not enough memory. Though this error may occur rarely, I think it's better to return a correct error code (e.g. -ENOMEM) when the call to kcalloc() fails. Code related to this bug is summarised as follows.

skcipher_recvmsg_async @@ crypto/algif_skcipher.c

499 static int skcipher_recvmsg_async(struct socket *sock, struct msghdr *msg,
500                                   int flags)
501 {
    ...
517     int err = -ENOMEM;
    ...
542     while (iov_iter_count(&msg->msg_iter)) {
543         struct skcipher_async_rsgl *rsgl;
544         int used;
545
546         if (!ctx->used) {
547             err = skcipher_wait_for_data(sk, flags);
548             if (err)
549                 goto free;
550         }
    ...
562         if (txbufs == tx_nents) {
563             struct scatterlist *tmp;
564             int x;
565             /* Ran out of tx slots in async request
566              * need to expand */
567             tmp = kcalloc(tx_nents * 2, sizeof(*tmp),
568                           GFP_KERNEL);
569             if (!tmp) // Bug: the value of err may be 0
570                 goto free;
    ...
625 free:
626     skcipher_free_async_sgls(sreq);
627 unlock:
628     skcipher_wmem_wakeup(sk);
629     release_sock(sk);
630     kzfree(sreq);
631 out:
632     return err;
633 }

Thanks very much!
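The error-path pattern described in the report, reduced to a stand-alone C example (added here; not the reporter's patch and not kernel code). It assumes a constructed allocator, fake_kcalloc(), with a call budget so the out-of-memory branch can be driven deterministically, and a constant 0 standing in for a successful skcipher_wait_for_data() call.

```c
#include <errno.h>
#include <stdlib.h>

/* Constructed stand-in for kcalloc(): succeeds while *budget > 0, then
 * returns NULL, so the allocation-failure path can be exercised. */
static void *fake_kcalloc(int *budget, size_t n, size_t size)
{
    if (*budget <= 0)
        return NULL;
    (*budget)--;
    return calloc(n, size);
}

/* Buggy shape from the report: err starts as -ENOMEM but is overwritten
 * by the (successful) wait call, and the allocation-failure branch jumps
 * to cleanup without restoring it, so the caller is told "success". */
static int expand_buggy(int rounds, int budget)
{
    int err = -ENOMEM;
    void *tmp = NULL;

    for (int i = 0; i < rounds; i++) {
        err = 0;                  /* stands in for skcipher_wait_for_data() == 0 */
        void *grown = fake_kcalloc(&budget, 2, sizeof(int));
        if (!grown)
            goto free;            /* BUG: err is still 0 here */
        free(tmp);
        tmp = grown;
    }
free:
    free(tmp);
    return err;
}

/* Fixed shape: set the error code before taking the cleanup path. */
static int expand_fixed(int rounds, int budget)
{
    int err = -ENOMEM;
    void *tmp = NULL;

    for (int i = 0; i < rounds; i++) {
        err = 0;                  /* stands in for skcipher_wait_for_data() == 0 */
        void *grown = fake_kcalloc(&budget, 2, sizeof(int));
        if (!grown) {
            err = -ENOMEM;        /* report the failure to the caller */
            goto free;
        }
        free(tmp);
        tmp = grown;
    }
free:
    free(tmp);
    return err;
}
```

With a budget of one allocation and three expansion rounds, expand_buggy() returns 0 while expand_fixed() returns -ENOMEM; with enough budget both return 0.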
Created attachment 256371: A patch to fix the bug

The patch has been merged into the newest kernel. So I will close it.