From 658c9d2b9f374c835d0348d852a3f002196628d0 Mon Sep 17 00:00:00 2001 From: Christian Lamparter Date: Thu, 19 Apr 2018 18:41:57 +0200 Subject: [PATCH] crypto: crypto4xx - put temporary dst sg into request ctx This patch fixes a crash that happens when testing rfc4543(gcm(aes)) Unable to handle kernel paging request for data at address 0xf59b3420 Faulting instruction address: 0xc0012994 Oops: Kernel access of bad area, sig: 11 [#1] BE PowerPC 44x Platform Modules linked in: tcrypt(+) crypto4xx [...] CPU: 0 PID: 0 Comm: swapper Tainted: G O 4.17.0-rc1+ #23 NIP: c0012994 LR: d3077934 CTR: 06026d49 REGS: cfff7e30 TRAP: 0300 Tainted: G O (4.17.0-rc1+) MSR: 00029000 CR: 44744822 XER: 00000000 DEAR: f59b3420 ESR: 00000000 NIP [c0012994] __dma_sync+0x58/0x10c LR [d3077934] crypto4xx_bh_tasklet_cb+0x188/0x3c8 [crypto4xx] __dma_sync was fed the temporary _dst that crypto4xx_build_pd() had in it's function stack. This clearly never worked. This patch therefore overhauls the code from the original driver and puts the temporary dst sg list into aead's request context. Fixes: a0aae821ba3d3 ("crypto: crypto4xx - prepare for AEAD support") Signed-off-by: Christian Lamparter Signed-off-by: Herbert Xu --- drivers/crypto/amcc/crypto4xx_alg.c | 15 ++++++++------- drivers/crypto/amcc/crypto4xx_core.c | 10 +++++----- drivers/crypto/amcc/crypto4xx_core.h | 7 ++++++- 3 files changed, 19 insertions(+), 13 deletions(-) diff --git a/drivers/crypto/amcc/crypto4xx_alg.c b/drivers/crypto/amcc/crypto4xx_alg.c index c952bcfdd6ae..f5c07498ea4f 100644 --- a/drivers/crypto/amcc/crypto4xx_alg.c +++ b/drivers/crypto/amcc/crypto4xx_alg.c @@ -87,7 +87,7 @@ static inline int crypto4xx_crypt(struct skcipher_request *req, return crypto4xx_build_pd(&req->base, ctx, req->src, req->dst, req->cryptlen, iv, ivlen, decrypt ? ctx->sa_in : ctx->sa_out, - ctx->sa_len, 0); + ctx->sa_len, 0, NULL); } int crypto4xx_encrypt_noiv(struct skcipher_request *req) @@ -223,7 +223,7 @@ int crypto4xx_rfc3686_encrypt(struct skcipher_request *req) return crypto4xx_build_pd(&req->base, ctx, req->src, req->dst, req->cryptlen, iv, AES_IV_SIZE, - ctx->sa_out, ctx->sa_len, 0); + ctx->sa_out, ctx->sa_len, 0, NULL); } int crypto4xx_rfc3686_decrypt(struct skcipher_request *req) @@ -238,7 +238,7 @@ int crypto4xx_rfc3686_decrypt(struct skcipher_request *req) return crypto4xx_build_pd(&req->base, ctx, req->src, req->dst, req->cryptlen, iv, AES_IV_SIZE, - ctx->sa_out, ctx->sa_len, 0); + ctx->sa_out, ctx->sa_len, 0, NULL); } static int @@ -449,6 +449,7 @@ int crypto4xx_setkey_aes_ccm(struct crypto_aead *cipher, const u8 *key, static int crypto4xx_crypt_aes_ccm(struct aead_request *req, bool decrypt) { struct crypto4xx_ctx *ctx = crypto_tfm_ctx(req->base.tfm); + struct crypto4xx_aead_reqctx *rctx = aead_request_ctx(req); struct crypto_aead *aead = crypto_aead_reqtfm(req); __le32 iv[16]; u32 tmp_sa[SA_AES128_CCM_LEN + 4]; @@ -474,7 +475,7 @@ static int crypto4xx_crypt_aes_ccm(struct aead_request *req, bool decrypt) return crypto4xx_build_pd(&req->base, ctx, req->src, req->dst, len, iv, sizeof(iv), - sa, ctx->sa_len, req->assoclen); + sa, ctx->sa_len, req->assoclen, rctx->dst); } int crypto4xx_encrypt_aes_ccm(struct aead_request *req) @@ -622,7 +623,7 @@ static inline int crypto4xx_crypt_aes_gcm(struct aead_request *req, return crypto4xx_build_pd(&req->base, ctx, req->src, req->dst, len, iv, sizeof(iv), decrypt ? ctx->sa_in : ctx->sa_out, - ctx->sa_len, req->assoclen); + ctx->sa_len, req->assoclen, rctx->dst); } int crypto4xx_encrypt_aes_gcm(struct aead_request *req) @@ -707,7 +708,7 @@ int crypto4xx_hash_update(struct ahash_request *req) return crypto4xx_build_pd(&req->base, ctx, req->src, &dst, req->nbytes, NULL, 0, ctx->sa_in, - ctx->sa_len, 0); + ctx->sa_len, 0, NULL); } int crypto4xx_hash_final(struct ahash_request *req) @@ -726,7 +727,7 @@ int crypto4xx_hash_digest(struct ahash_request *req) return crypto4xx_build_pd(&req->base, ctx, req->src, &dst, req->nbytes, NULL, 0, ctx->sa_in, - ctx->sa_len, 0); + ctx->sa_len, 0, NULL); } /** diff --git a/drivers/crypto/amcc/crypto4xx_core.c b/drivers/crypto/amcc/crypto4xx_core.c index 605398c89ccd..9cb234c72549 100644 --- a/drivers/crypto/amcc/crypto4xx_core.c +++ b/drivers/crypto/amcc/crypto4xx_core.c @@ -695,9 +695,9 @@ int crypto4xx_build_pd(struct crypto_async_request *req, const __le32 *iv, const u32 iv_len, const struct dynamic_sa_ctl *req_sa, const unsigned int sa_len, - const unsigned int assoclen) + const unsigned int assoclen, + struct scatterlist *_dst) { - struct scatterlist _dst[2]; struct crypto4xx_device *dev = ctx->dev; struct dynamic_sa_ctl *sa; struct ce_gd *gd; @@ -996,9 +996,9 @@ static int crypto4xx_aead_init(struct crypto_aead *tfm) amcc_alg = container_of(alg, struct crypto4xx_alg, alg.u.aead); crypto4xx_ctx_init(amcc_alg, ctx); - crypto_aead_set_reqsize(tfm, sizeof(struct aead_request) + - max(sizeof(struct crypto4xx_ctx), 32 + - crypto_aead_reqsize(ctx->sw_cipher.aead))); + crypto_aead_set_reqsize(tfm, max(sizeof(struct aead_request) + 32 + + crypto_aead_reqsize(ctx->sw_cipher.aead), + sizeof(struct crypto4xx_aead_reqctx))); return 0; } diff --git a/drivers/crypto/amcc/crypto4xx_core.h b/drivers/crypto/amcc/crypto4xx_core.h index 279f650c4f1c..e2ca56722f07 100644 --- a/drivers/crypto/amcc/crypto4xx_core.h +++ b/drivers/crypto/amcc/crypto4xx_core.h @@ -133,6 +133,10 @@ struct crypto4xx_ctx { } sw_cipher; }; +struct crypto4xx_aead_reqctx { + struct scatterlist dst[2]; +}; + struct crypto4xx_alg_common { u32 type; union { @@ -159,7 +163,8 @@ int crypto4xx_build_pd(struct crypto_async_request *req, const __le32 *iv, const u32 iv_len, const struct dynamic_sa_ctl *sa, const unsigned int sa_len, - const unsigned int assoclen); + const unsigned int assoclen, + struct scatterlist *dst_tmp); int crypto4xx_setkey_aes_cbc(struct crypto_skcipher *cipher, const u8 *key, unsigned int keylen); int crypto4xx_setkey_aes_cfb(struct crypto_skcipher *cipher,