From: sashiko-bot@kernel.org
To: "Bartosz Golaszewski" <bartosz.golaszewski@oss.qualcomm.com>
Cc: dmaengine@vger.kernel.org, vkoul@kernel.org, Frank.Li@kernel.org
Subject: Re: [PATCH v17 09/14] crypto: qce - Remove unused ignore_buf
Date: Tue, 19 May 2026 13:48:42 +0000 [thread overview]
Message-ID: <20260519134842.D7A6AC2BCB8@smtp.kernel.org> (raw)
In-Reply-To: <20260519-qcom-qce-cmd-descr-v17-9-53a595414b79@oss.qualcomm.com>
Thank you for your contribution! Sashiko AI review found 2 potential issue(s) to consider:
- [Critical] qce_dma_release() frees the DMA channels and result buffer without explicitly terminating in-flight background DMA operations.
- [Critical] The surrounding error rollback loop in devm_qce_register_algs() uses the wrong loop variable, leaking registered algorithms and causing subsequent UAF.
--
commit 86b6706b62fa03437f8e5e0bdb45e4e4d945b1d3
Author: Bartosz Golaszewski <brgl@kernel.org>
crypto: qce - Remove unused ignore_buf
This commit removes the ignore_buf field from struct qce_dma_data and the
assignment in devm_qce_dma_request() because it was unused. It also moves the
QCE_IGNORE_BUF_SZ macro definition into dma.c since it is only used locally.
> diff --git a/drivers/crypto/qce/dma.c b/drivers/crypto/qce/dma.c
> index 68cafd4741ad3..08bf3e8ec1243 100644
> --- a/drivers/crypto/qce/dma.c
> +++ b/drivers/crypto/qce/dma.c
> @@ -9,6 +9,8 @@
>
> #include "dma.h"
>
> +#define QCE_IGNORE_BUF_SZ (2 * QCE_BAM_BURST_SIZE)
> +
> static void qce_dma_release(void *data)
> {
> struct qce_dma_data *dma = data;
While reviewing this code, I noticed a pre-existing regression in
qce_dma_release().
When the driver is unbound, devres cleanup calls qce_dma_release(), which
drops the DMA channel references via dma_release_channel() and then frees
dma->result_buf.
Since dma_release_channel() does not stop active DMA transfers, could the BAM
DMA engine continue to write data to the newly freed result_buf if a crypto
request is in-flight?
Would this lead to a use-after-free and memory corruption?
Should the driver explicitly call dmaengine_terminate_sync() before releasing
the channels?
[ ... ]
I also noticed another pre-existing regression in devm_qce_register_algs()
regarding the error rollback loop.
When ops->register_algs(qce) fails at index i, the rollback loop correctly
counts backward with j = i - 1, but it appears to fail to update the ops
pointer to qce_ops[j].
Does this result in repeatedly calling unregister_algs() for the failed
qce_ops[i] instead of the successfully registered algorithms?
If probe fails and devres frees the device memory, is it possible these
leaked algorithms pointing to freed memory cause a use-after-free when
accessed by the crypto subsystem?
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260519-qcom-qce-cmd-descr-v17-0-53a595414b79@oss.qualcomm.com?part=9
next prev parent reply other threads:[~2026-05-19 13:48 UTC|newest]
Thread overview: 24+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-19 13:17 [PATCH v17 00/14] crypto/dmaengine: qce: introduce BAM locking and use DMA for register I/O Bartosz Golaszewski
2026-05-19 13:17 ` [PATCH v17 01/14] dmaengine: constify struct dma_descriptor_metadata_ops Bartosz Golaszewski
2026-05-19 13:17 ` [PATCH v17 02/14] dmaengine: qcom: bam_dma: free interrupt before the clock in error path Bartosz Golaszewski
2026-05-19 13:48 ` sashiko-bot
2026-05-19 13:17 ` [PATCH v17 03/14] dmaengine: qcom: bam_dma: convert tasklet to a BH workqueue Bartosz Golaszewski
2026-05-19 13:44 ` sashiko-bot
2026-05-19 13:17 ` [PATCH v17 04/14] dmaengine: qcom: bam_dma: Extend the driver's device match data Bartosz Golaszewski
2026-05-19 13:17 ` [PATCH v17 05/14] dmaengine: qcom: bam_dma: Add pipe_lock_supported flag support Bartosz Golaszewski
2026-05-19 13:17 ` [PATCH v17 06/14] dmaengine: qcom: bam_dma: add support for BAM locking Bartosz Golaszewski
2026-05-19 13:54 ` sashiko-bot
2026-05-19 13:17 ` [PATCH v17 07/14] crypto: qce - Cancel work on device detach Bartosz Golaszewski
2026-05-19 13:47 ` sashiko-bot
2026-05-19 13:17 ` [PATCH v17 08/14] crypto: qce - Include algapi.h in the core.h header Bartosz Golaszewski
2026-05-19 13:17 ` [PATCH v17 09/14] crypto: qce - Remove unused ignore_buf Bartosz Golaszewski
2026-05-19 13:48 ` sashiko-bot [this message]
2026-05-19 13:17 ` [PATCH v17 10/14] crypto: qce - Simplify arguments of devm_qce_dma_request() Bartosz Golaszewski
2026-05-19 13:17 ` [PATCH v17 11/14] crypto: qce - Use existing devres APIs in devm_qce_dma_request() Bartosz Golaszewski
2026-05-19 14:00 ` sashiko-bot
2026-05-19 13:17 ` [PATCH v17 12/14] crypto: qce - Map crypto memory for DMA Bartosz Golaszewski
2026-05-19 13:52 ` sashiko-bot
2026-05-19 13:17 ` [PATCH v17 13/14] crypto: qce - Add BAM DMA support for crypto register I/O Bartosz Golaszewski
2026-05-19 13:56 ` sashiko-bot
2026-05-19 13:17 ` [PATCH v17 14/14] crypto: qce - Communicate the base physical address to the dmaengine Bartosz Golaszewski
2026-05-19 14:17 ` sashiko-bot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260519134842.D7A6AC2BCB8@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=Frank.Li@kernel.org \
--cc=bartosz.golaszewski@oss.qualcomm.com \
--cc=dmaengine@vger.kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
--cc=vkoul@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox