Hi!
[ Upstream commit 1339a7c3ba05137a2d2fe75f602311bbfc6fab33 ]
Use the sg count returned by dma_map_sg to call into dmaengine_prep_slave_sg rather than using the original sg count. dma_map_sg can merge consecutive sglist entries, thus making the original sg count wrong. This is a fix for memory coruption issues observed while testing encryption/decryption of large messages using libkcapi framework.
Patch has been tested further by running full suite of tcrypt.ko tests including fuzz tests.
This still needs more work AFAICT.
index a2d3da0ad95f..5a6559131eac 100644 --- a/drivers/crypto/qce/skcipher.c +++ b/drivers/crypto/qce/skcipher.c @@ -122,21 +122,22 @@ qce_skcipher_async_req_handle(struct crypto_async_request *async_req) sg_mark_end(sg); rctx->dst_sg = rctx->dst_tbl.sgl;
ret is == 0 at this point.
- ret = dma_map_sg(qce->dev, rctx->dst_sg, rctx->dst_nents, dir_dst);
- if (ret < 0)
- dst_nents = dma_map_sg(qce->dev, rctx->dst_sg, rctx->dst_nents, dir_dst);
- if (dst_nents < 0) goto error_free;
And we go to the error path, and return ret... instead of returning failure.
if (diff_dst) {
ret = dma_map_sg(qce->dev, req->src, rctx->src_nents, dir_src);if (ret < 0)
src_nents = dma_map_sg(qce->dev, req->src, rctx->src_nents, dir_src);if (src_nents < 0) goto error_unmap_dst;
Same problem happens here.
The problem is already fixed in the mainline; I believe we want that in 5.10-stable at least.
commit a8bc4f5e7a72e4067f5afd7e98b61624231713ca Author: Wei Yongjun weiyongjun1@huawei.com Date: Wed Jun 2 11:36:45 2021 +0000
crypto: qce - fix error return code in qce_skcipher_async_req_handle()
Fix to return a negative error code from the error handling case instead of 0, as done elsewhere in this function.
Fixes: 1339a7c3ba05 ("crypto: qce: skcipher: Fix incorrect sg count for dma transfers") Reported-by: Hulk Robot hulkci@huawei.com Signed-off-by: Wei Yongjun weiyongjun1@huawei.com
Best regards, Pavel