From patchwork Mon Jun 1 16:15:53 2015
X-Patchwork-Submitter: Tom Lendacky
X-Patchwork-Id: 6523731
X-Patchwork-Delegate: herbert@gondor.apana.org.au
Subject: [PATCH v1 2/2] crypto: ccp - Protect against poorly marked end of sg list
From: Tom Lendacky
CC: David Miller, Herbert Xu
Date: Mon, 1 Jun 2015 11:15:53 -0500
Message-ID: <20150601161553.729.88982.stgit@tlendack-t1.amdoffice.net>
In-Reply-To: <20150601161519.729.75909.stgit@tlendack-t1.amdoffice.net>
References: <20150601161519.729.75909.stgit@tlendack-t1.amdoffice.net>

Scatter gather lists can be created with more available entries than are actually used (e.g. using sg_init_table() to reserve a specific number of sg entries, but in actuality using something less than that based on the data length). The caller sometimes fails to mark the last entry with sg_mark_end(). In these cases, sg_nents() will return the original size of the sg list as opposed to the actual number of sg entries that contain valid data.

On arm64, if the sg_nents() value is used in a call to dma_map_sg() in this situation, then it causes a BUG_ON in lib/swiotlb.c because an "empty" sg list entry results in dma_capable() returning false and swiotlb trying to create a bounce buffer of size 0. This occurred in the userspace crypto interface before being fixed by 0f477b655a52 ("crypto: algif - Mark sgl end at the end of data")

Protect against this by using the new sg_nents_for_len() function which returns only the number of sg entries required to meet the desired length and supplying that value to dma_map_sg().

Signed-off-by: Tom Lendacky
---
 drivers/crypto/ccp/ccp-ops.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/drivers/crypto/ccp/ccp-ops.c b/drivers/crypto/ccp/ccp-ops.c index 542453c..d09c6c4 100644 --- a/drivers/crypto/ccp/ccp-ops.c +++ b/drivers/crypto/ccp/ccp-ops.c @@ -52,7 +52,7 @@ struct ccp_dm_workarea { struct ccp_sg_workarea { struct scatterlist *sg; - unsigned int nents; + int nents; struct scatterlist *dma_sg; struct device *dma_dev; @@ -495,7 +495,10 @@ static int ccp_init_sg_workarea(struct ccp_sg_workarea *wa, struct device *dev, if (!sg) return 0; - wa->nents = sg_nents(sg); + wa->nents = sg_nents_for_len(sg, len); + if (wa->nents < 0) + return wa->nents; + wa->bytes_left = len; wa->sg_used = 0;
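
Review bot: In struct ccp_sg_workarea, changing nents from unsigned int to int makes the field carry a negative error code as well as a count, and it changes the signedness of every existing use of wa->nents, none of which this patch touches. Consider leaving the field unsigned and taking the result of sg_nents_for_len() in a local int inside ccp_init_sg_workarea(), assigning it to wa->nents only after the < 0 check. If the field does stay signed, a short comment on it saying it is never negative after a successful init would help.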
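
Review bot: In ccp_init_sg_workarea(), the early return on wa->nents < 0 leaves the negative value stored in the workarea and skips the bytes_left and sg_used setup, so any caller that runs its usual workarea cleanup after a failed init has to cope with that state. Please confirm the cleanup path does not use nents in that case, or store the value in wa->nents only once it is known to be valid. A one-line comment above the check saying that a negative return means the list holds fewer than len bytes would also document the new failure mode.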
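
A userspace model of the behaviour the commit message describes, added here as an example; it is not code from the patch or from the kernel. `struct model_sg` and the `model_*` functions are hypothetical stand-ins that ignore chaining and DMA, and the 8-entry list is constructed sample data.

```c
#include <errno.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical stand-in for struct scatterlist: no chaining, no pages. */
struct model_sg {
    unsigned int length; /* bytes of valid data in this entry */
    int is_last;         /* models the end marker */
};

/* Models sg_init_table(): clear all entries, mark the last reserved one. */
static void model_init_table(struct model_sg *sgl, unsigned int nents)
{
    memset(sgl, 0, sizeof(*sgl) * nents);
    sgl[nents - 1].is_last = 1;
}

static void model_mark_end(struct model_sg *sg) { sg->is_last = 1; } /* models sg_mark_end() */

/* Models sg_nents(): count every entry up to the end marker. */
static int model_nents(const struct model_sg *sg)
{
    int n = 1;
    while (!sg->is_last) { sg++; n++; }
    return n;
}

/* Models sg_nents_for_len(): count only the entries needed to cover len. */
static int model_nents_for_len(const struct model_sg *sg, size_t len)
{
    size_t total = 0;
    int n = 0;
    if (!len) return 0;
    for (;; sg++) {
        n++;
        total += sg->length;
        if (total >= len)
            return n;
        if (sg->is_last)
            return -EINVAL; /* list ends before len bytes are covered */
    }
}

/* Constructed case: 8 entries reserved, 3 filled, end never re-marked. */
static void build_poorly_marked(struct model_sg *sgl)
{
    model_init_table(sgl, 8);
    sgl[0].length = 4096; sgl[1].length = 4096; sgl[2].length = 512;
}
```

With the constructed list, the plain count includes the five empty trailing entries, which is the value that would have reached dma_map_sg() before this patch; the length-bounded count stops at the third entry.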