From patchwork Tue May 26 18:06:35 2015
X-Patchwork-Submitter: Tom Lendacky
X-Patchwork-Id: 6484981
X-Patchwork-Delegate: herbert@gondor.apana.org.au
Subject: [PATCH v1 3/3] crypto: ccp - Protect against poorly marked end of sg list
From: Tom Lendacky
CC: Herbert Xu, David Miller
Date: Tue, 26 May 2015 13:06:35 -0500
Message-ID: <20150526180635.6527.5580.stgit@tlendack-t1.amdoffice.net>
In-Reply-To: <20150526180612.6527.53332.stgit@tlendack-t1.amdoffice.net>
References: <20150526180612.6527.53332.stgit@tlendack-t1.amdoffice.net>

Scatter gather lists can be created with more available entries than are
actually used (e.g. using sg_init_table() to reserve a specific number of
sg entries, but in actuality using something less than that based on the
data length). The caller sometimes fails to mark the last entry with
sg_mark_end(). In these cases, sg_nents() will return the original size
of the sg list as opposed to the actual number of sg entries that contain
valid data.

On arm64, if the sg_nents() value is used in a call to dma_map_sg() in
this situation, then it causes a BUG_ON in lib/swiotlb.c because an
"empty" sg list entry results in dma_capable() returning false and
swiotlb trying to create a bounce buffer of size 0. This occurred in the
userspace crypto interface before being fixed by 0f477b655a52 ("crypto:
algif - Mark sgl end at the end of data")

Protect against this in the future by counting the number of sg entries
needed to meet the length requirement and supplying that value to
dma_map_sg().

Signed-off-by: Tom Lendacky
---
 drivers/crypto/ccp/ccp-ops.c | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)

diff --git a/drivers/crypto/ccp/ccp-ops.c b/drivers/crypto/ccp/ccp-ops.c index 542453c..8377ed6 100644 --- a/drivers/crypto/ccp/ccp-ops.c +++ b/drivers/crypto/ccp/ccp-ops.c @@ -477,6 +477,22 @@ static u32 ccp_gen_jobid(struct ccp_device *ccp) return atomic_inc_return(&ccp->current_id) & CCP_JOBID_MASK; } +static int ccp_sg_nents(struct scatterlist *sg, u64 len) +{ + int nents = 0; + + while (sg && len) { + nents++; + if (sg->length > len) + break; + + len -= sg->length; + sg = sg_next(sg); + } + + return nents; +} + static void ccp_sg_free(struct ccp_sg_workarea *wa) { if (wa->dma_count) @@ -495,7 +511,7 @@ static int ccp_init_sg_workarea(struct ccp_sg_workarea *wa, struct device *dev, if (!sg) return 0; - wa->nents = sg_nents(sg); + wa->nents = ccp_sg_nents(sg, len); wa->bytes_left = len; wa->sg_used = 0;
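
Review bot: In ccp_sg_nents(), an entry with sg->length == 0 that is reached while len is still non-zero gets counted: nents++ runs before the length check, and `len -= sg->length` leaves len unchanged. If len is larger than the data actually present in the list, the walk therefore continues through the unused entries until sg_next() returns NULL, and the count again includes the "empty" entries that the commit message says trigger the swiotlb BUG_ON. Consider stopping at the first zero-length entry, or returning an error when the list ends with len still outstanding, and add a short comment above the helper stating that it counts by data length rather than by the end marker.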
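
Review bot: At the `wa->nents = ccp_sg_nents(sg, len);` call in ccp_init_sg_workarea(), a non-NULL sg with len == 0 now yields wa->nents == 0, whereas sg_nents() returns at least 1 for a non-NULL list; the visible context only guards `!sg`. Please confirm that the rest of the function returns before dma_map_sg() in the zero-length case, and consider a one-line comment at this assignment saying why sg_nents() is deliberately not used, so it is not switched back later.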