From: sashiko-bot@kernel.org
To: "Bartosz Golaszewski" <bartosz.golaszewski@oss.qualcomm.com>
Cc: dmaengine@vger.kernel.org, vkoul@kernel.org, Frank.Li@kernel.org
Subject: Re: [PATCH v17 09/14] crypto: qce - Remove unused ignore_buf
Date: Tue, 19 May 2026 13:48:42 +0000 [thread overview]
Message-ID: <20260519134842.D7A6AC2BCB8@smtp.kernel.org> (raw)
In-Reply-To: <20260519-qcom-qce-cmd-descr-v17-9-53a595414b79@oss.qualcomm.com>
Thank you for your contribution! Sashiko AI review found 2 potential issue(s) to consider:
- [Critical] qce_dma_release() frees the DMA channels and result buffer without explicitly terminating in-flight background DMA operations.
- [Critical] The surrounding error rollback loop in devm_qce_register_algs() uses the wrong loop variable, leaking registered algorithms and causing subsequent UAF.
--
commit 86b6706b62fa03437f8e5e0bdb45e4e4d945b1d3
Author: Bartosz Golaszewski <brgl@kernel.org>
crypto: qce - Remove unused ignore_buf
This commit removes the ignore_buf field from struct qce_dma_data and the
assignment in devm_qce_dma_request() because it was unused. It also moves the
QCE_IGNORE_BUF_SZ macro definition into dma.c since it is only used locally.
> diff --git a/drivers/crypto/qce/dma.c b/drivers/crypto/qce/dma.c
> index 68cafd4741ad3..08bf3e8ec1243 100644
> --- a/drivers/crypto/qce/dma.c
> +++ b/drivers/crypto/qce/dma.c
> @@ -9,6 +9,8 @@
>
> #include "dma.h"
>
> +#define QCE_IGNORE_BUF_SZ (2 * QCE_BAM_BURST_SIZE)
> +
> static void qce_dma_release(void *data)
> {
> struct qce_dma_data *dma = data;
While reviewing this code, I noticed a pre-existing regression in
qce_dma_release().
When the driver is unbound, devres cleanup calls qce_dma_release(), which
drops the DMA channel references via dma_release_channel() and then frees
dma->result_buf.
Since dma_release_channel() does not stop active DMA transfers, could the BAM
DMA engine continue to write data to the newly freed result_buf if a crypto
request is in-flight?
Would this lead to a use-after-free and memory corruption?
Should the driver explicitly call dmaengine_terminate_sync() before releasing
the channels?
[ ... ]
I also noticed another pre-existing regression in devm_qce_register_algs()
regarding the error rollback loop.
When ops->register_algs(qce) fails at index i, the rollback loop correctly
counts backward with j = i - 1, but it appears to fail to update the ops
pointer to qce_ops[j].
Does this result in repeatedly calling unregister_algs() for the failed
qce_ops[i] instead of the successfully registered algorithms?
If probe fails and devres frees the device memory, is it possible these
leaked algorithms pointing to freed memory cause a use-after-free when
accessed by the crypto subsystem?
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260519-qcom-qce-cmd-descr-v17-0-53a595414b79@oss.qualcomm.com?part=9
next prev parent reply other threads:[~2026-05-19 13:48 UTC|newest]
Thread overview: 24+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-19 13:17 [PATCH v17 00/14] crypto/dmaengine: qce: introduce BAM locking and use DMA for register I/O Bartosz Golaszewski
2026-05-19 13:17 ` [PATCH v17 01/14] dmaengine: constify struct dma_descriptor_metadata_ops Bartosz Golaszewski
2026-05-19 13:17 ` [PATCH v17 02/14] dmaengine: qcom: bam_dma: free interrupt before the clock in error path Bartosz Golaszewski
2026-05-19 13:48 ` sashiko-bot
2026-05-19 13:17 ` [PATCH v17 03/14] dmaengine: qcom: bam_dma: convert tasklet to a BH workqueue Bartosz Golaszewski
2026-05-19 13:44 ` sashiko-bot
2026-05-19 13:17 ` [PATCH v17 04/14] dmaengine: qcom: bam_dma: Extend the driver's device match data Bartosz Golaszewski
2026-05-19 13:17 ` [PATCH v17 05/14] dmaengine: qcom: bam_dma: Add pipe_lock_supported flag support Bartosz Golaszewski
2026-05-19 13:17 ` [PATCH v17 06/14] dmaengine: qcom: bam_dma: add support for BAM locking Bartosz Golaszewski
2026-05-19 13:54 ` sashiko-bot
2026-05-19 13:17 ` [PATCH v17 07/14] crypto: qce - Cancel work on device detach Bartosz Golaszewski
2026-05-19 13:47 ` sashiko-bot
2026-05-19 13:17 ` [PATCH v17 08/14] crypto: qce - Include algapi.h in the core.h header Bartosz Golaszewski
2026-05-19 13:17 ` [PATCH v17 09/14] crypto: qce - Remove unused ignore_buf Bartosz Golaszewski
2026-05-19 13:48 ` sashiko-bot [this message]
2026-05-19 13:17 ` [PATCH v17 10/14] crypto: qce - Simplify arguments of devm_qce_dma_request() Bartosz Golaszewski
2026-05-19 13:17 ` [PATCH v17 11/14] crypto: qce - Use existing devres APIs in devm_qce_dma_request() Bartosz Golaszewski
2026-05-19 14:00 ` sashiko-bot
2026-05-19 13:17 ` [PATCH v17 12/14] crypto: qce - Map crypto memory for DMA Bartosz Golaszewski
2026-05-19 13:52 ` sashiko-bot
2026-05-19 13:17 ` [PATCH v17 13/14] crypto: qce - Add BAM DMA support for crypto register I/O Bartosz Golaszewski
2026-05-19 13:56 ` sashiko-bot
2026-05-19 13:17 ` [PATCH v17 14/14] crypto: qce - Communicate the base physical address to the dmaengine Bartosz Golaszewski
2026-05-19 14:17 ` sashiko-bot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260519134842.D7A6AC2BCB8@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=Frank.Li@kernel.org \
--cc=bartosz.golaszewski@oss.qualcomm.com \
--cc=dmaengine@vger.kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
--cc=vkoul@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.