Re: race condition in crypto larval handling

2013-09-07 Thread Kees Cook
On Sat, Sep 7, 2013 at 9:54 PM, Herbert Xu wrote:
> On Sun, Sep 08, 2013 at 02:37:03PM +1000, Herbert Xu wrote:
>> On Sat, Sep 07, 2013 at 08:34:15PM -0700, Kees Cook wrote:
>> >
>> > However, I noticed on the "good" path (even without the above patch),
>> > I sometimes see a double-kfree triggere

Re: race condition in crypto larval handling

2013-09-07 Thread Herbert Xu
On Sun, Sep 08, 2013 at 02:37:03PM +1000, Herbert Xu wrote:
> On Sat, Sep 07, 2013 at 08:34:15PM -0700, Kees Cook wrote:
> >
> > However, I noticed on the "good" path (even without the above patch),
> > I sometimes see a double-kfree triggered by the modprobe process. I
> > can't, however, see how

Re: race condition in crypto larval handling

2013-09-07 Thread Herbert Xu
On Sat, Sep 07, 2013 at 08:34:15PM -0700, Kees Cook wrote:
>
> However, I noticed on the "good" path (even without the above patch),
> I sometimes see a double-kfree triggered by the modprobe process. I
> can't, however, see how that's happening, since larval_destroy should
> only be called when re

Re: race condition in crypto larval handling

2013-09-07 Thread Kees Cook
On Sat, Sep 7, 2013 at 6:32 PM, Herbert Xu wrote:
> On Fri, Sep 06, 2013 at 04:20:50PM -0700, Kees Cook wrote:
>>
>> In the two-thread situation, the first thread gets a larval with
>> refcnt 2 via crypto_larval_add. (Why 2?) The next thread finds the
>> larval via crypto_larval_add's call to __cr

Re: race condition in crypto larval handling

2013-09-07 Thread Herbert Xu
On Fri, Sep 06, 2013 at 04:20:50PM -0700, Kees Cook wrote:
>
> In the two-thread situation, the first thread gets a larval with
> refcnt 2 via crypto_larval_add. (Why 2?) The next thread finds the
> larval via crypto_larval_add's call to __crypto_alg_lookup() and sees
> the ref bump to 3. While exi

Re: race condition in crypto larval handling

2013-09-07 Thread Kees Cook
On Sat, Sep 7, 2013 at 7:39 AM, Neil Horman wrote:
> On Fri, Sep 06, 2013 at 04:20:50PM -0700, Kees Cook wrote:
>> Hi,
>>
>> I've tracked down a race condition and ref counting problem in the
>> crypto API internals. We've been seeing it under Chrome OS, but it
>> seems it's not isolated to just u

Re: race condition in crypto larval handling

2013-09-07 Thread Neil Horman
On Fri, Sep 06, 2013 at 04:20:50PM -0700, Kees Cook wrote:
> Hi,
>
> I've tracked down a race condition and ref counting problem in the
> crypto API internals. We've been seeing it under Chrome OS, but it
> seems it's not isolated to just us:
>
> https://code.google.com/p/chromium/issues/detail?i