From: sashiko-bot@kernel.org
To: "Bartosz Golaszewski" <bartosz.golaszewski@oss.qualcomm.com>
Cc: vkoul@kernel.org, dmaengine@vger.kernel.org, Frank.Li@kernel.org
Subject: Re: [PATCH v20 13/14] crypto: qce - Add BAM DMA support for crypto register I/O
Date: Mon, 29 Jun 2026 10:22:30 +0000 [thread overview]
Message-ID: <20260629102230.E5C7F1F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260629-qcom-qce-cmd-descr-v20-13-56f67da84c05@oss.qualcomm.com>
Thank you for your contribution! Sashiko AI review found 4 potential issue(s) to consider:
New issues:
- [High] Incorrect endianness conversion for BAM DMA register writes on big-endian architectures.
- [Medium] DMA descriptor leak in qce_submit_cmd_desc() on error paths.
Pre-existing issues:
- [High] Memory allocated for rctx->adata is never freed.
- [High] Incorrect dma_map_sg failure check for src_sg ignores mapping errors.
--
commit bf3a155521eb3078dcc0111460444f36ebb69ebf
Author: Bartosz Golaszewski <brgl@kernel.org>
crypto: qce - Add BAM DMA support for crypto register I/O
Switch to using BAM DMA for register I/O in addition to passing data. To
that end: provide the necessary infrastructure in the driver, modify the
ordering of operations as required and replace all direct register writes
with wrappers queueing DMA command descriptors.
> diff --git a/drivers/crypto/qce/aead.c b/drivers/crypto/qce/aead.c
> --- a/drivers/crypto/qce/aead.c
> +++ b/drivers/crypto/qce/aead.c
> @@ -463,17 +463,17 @@ qce_aead_async_req_handle(struct crypto_async_request *async_req)
[Severity: High]
This is a pre-existing issue, but does this code leak the rctx->adata buffer
allocated for AES-CCM operations? It looks like if memory is dynamically
allocated for rctx->adata via kzalloc() during CCM processing, it is never
freed in either the success completion path or error handling paths of
qce_aead_async_req_handle(), which could lead to memory exhaustion when
processing untrusted network traffic.
[Severity: High]
This is also a pre-existing issue, but does the error check for dma_map_sg()
earlier in qce_aead_async_req_handle() correctly handle mapping failures?
dma_map_sg() returns 0 on error, not a negative value. The check for
(src_nents < 0) evaluates to false, which means a mapping failure could be
ignored, causing the driver to proceed and later call dma_unmap_sg() with
invalid parameters.
[ ... ]
> diff --git a/drivers/crypto/qce/dma.c b/drivers/crypto/qce/dma.c
> --- a/drivers/crypto/qce/dma.c
> +++ b/drivers/crypto/qce/dma.c
[ ... ]
> +int qce_submit_cmd_desc(struct qce_device *qce)
> +{
[ ... ]
> + cookie = dmaengine_submit(qce_desc->dma_desc);
> +
> + ret = dma_submit_error(cookie);
> + if (ret)
> + goto err_unmap_sg;
> +
> + return 0;
> +
> +err_unmap_sg:
> + dma_unmap_sg(qce->dev, bam_txn->wr_sgl, bam_txn->wr_sgl_cnt, DMA_TO_DEVICE);
> + return ret;
> +}
[Severity: Medium]
Does this error path leak the unsubmitted DMA descriptor? If the DMA
submission fails and we go to err_unmap_sg, the rollback bypasses
qce_dma_terminate_all() or any mechanism to flush the descriptor. Since the
DMA_CTRL_REUSE flag was not passed during preparation, attempting to explicitly
free it later will return an error without freeing the descriptor.
[ ... ]
> +static void qce_prep_dma_cmd_desc(struct qce_device *qce, struct qce_dma_data *dma,
> + unsigned int addr, void *buf)
> +{
[ ... ]
> + idx = bam_txn->bam_ce_idx;
> + bam_ce_buf = &bam_txn->bam_ce[idx];
> + bam_prep_ce_le32(bam_ce_buf, addr, BAM_WRITE_COMMAND, *((__le32 *)buf));
[ ... ]
> +void qce_write_dma(struct qce_device *qce, unsigned int offset, u32 val)
> +{
> + unsigned int reg_addr = ((unsigned int)(qce->base_phys) + offset);
> +
> + qce_prep_dma_cmd_desc(qce, &qce->dma, reg_addr, &val);
> +}
[Severity: High]
Is there an endianness mismatch here on big-endian architectures?
In qce_write_dma(), a CPU-endian u32 stack address is passed to
qce_prep_dma_cmd_desc(). That function then casts the pointer to __le32* and
reads it directly into the BAM descriptor without byte swapping. Will this
result in reversed bytes being written to the crypto hardware registers on
big-endian CPUs?
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260629-qcom-qce-cmd-descr-v20-0-56f67da84c05@oss.qualcomm.com?part=13
next prev parent reply other threads:[~2026-06-29 10:22 UTC|newest]
Thread overview: 25+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-29 10:01 [PATCH v20 00/14] crypto/dmaengine: qce: introduce BAM locking and use DMA for register I/O Bartosz Golaszewski
2026-06-29 10:01 ` [PATCH v20 01/14] dmaengine: constify struct dma_descriptor_metadata_ops Bartosz Golaszewski
2026-06-29 15:04 ` Pandey, Radhey Shyam
2026-06-29 10:01 ` [PATCH v20 02/14] dmaengine: qcom: bam_dma: free interrupt before the clock in error path Bartosz Golaszewski
2026-06-29 10:18 ` sashiko-bot
2026-06-29 10:01 ` [PATCH v20 03/14] dmaengine: qcom: bam_dma: convert tasklet to a BH workqueue Bartosz Golaszewski
2026-06-29 10:17 ` sashiko-bot
2026-06-29 10:01 ` [PATCH v20 04/14] dmaengine: qcom: bam_dma: Extend the driver's device match data Bartosz Golaszewski
2026-06-29 10:01 ` [PATCH v20 05/14] dmaengine: qcom: bam_dma: Add pipe_lock_supported flag support Bartosz Golaszewski
2026-06-29 10:18 ` sashiko-bot
2026-06-29 10:01 ` [PATCH v20 06/14] dmaengine: qcom: bam_dma: add support for BAM locking Bartosz Golaszewski
2026-06-29 10:16 ` sashiko-bot
2026-06-29 10:01 ` [PATCH v20 07/14] crypto: qce - Cancel work on device detach Bartosz Golaszewski
2026-06-29 10:15 ` sashiko-bot
2026-06-29 10:01 ` [PATCH v20 08/14] crypto: qce - Include algapi.h in the core.h header Bartosz Golaszewski
2026-06-29 10:01 ` [PATCH v20 09/14] crypto: qce - Remove unused ignore_buf Bartosz Golaszewski
2026-06-29 10:01 ` [PATCH v20 10/14] crypto: qce - Simplify arguments of devm_qce_dma_request() Bartosz Golaszewski
2026-06-29 10:01 ` [PATCH v20 11/14] crypto: qce - Use existing devres APIs in devm_qce_dma_request() Bartosz Golaszewski
2026-06-29 10:17 ` sashiko-bot
2026-06-29 10:01 ` [PATCH v20 12/14] crypto: qce - Map crypto memory for DMA Bartosz Golaszewski
2026-06-29 10:14 ` sashiko-bot
2026-06-29 10:01 ` [PATCH v20 13/14] crypto: qce - Add BAM DMA support for crypto register I/O Bartosz Golaszewski
2026-06-29 10:22 ` sashiko-bot [this message]
2026-06-29 10:01 ` [PATCH v20 14/14] crypto: qce - Communicate the base physical address to the dmaengine Bartosz Golaszewski
2026-06-29 10:24 ` sashiko-bot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260629102230.E5C7F1F000E9@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=Frank.Li@kernel.org \
--cc=bartosz.golaszewski@oss.qualcomm.com \
--cc=dmaengine@vger.kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
--cc=vkoul@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox