From: sashiko-bot@kernel.org
To: "Bartosz Golaszewski" <bartosz.golaszewski@oss.qualcomm.com>
Cc: Frank.Li@kernel.org, vkoul@kernel.org, dmaengine@vger.kernel.org
Subject: Re: [PATCH v21 13/14] crypto: qce - Add BAM DMA support for crypto register I/O
Date: Mon, 13 Jul 2026 13:24:50 +0000 [thread overview]
Message-ID: <20260713132451.4C7211F00A3E@smtp.kernel.org> (raw)
In-Reply-To: <20260713-qcom-qce-cmd-descr-v21-13-bc2583e18475@oss.qualcomm.com>
Thank you for your contribution! Sashiko AI review found 6 potential issue(s) to consider:
New issues:
- [Medium] BAM DMA command descriptors are written with native host-endian `u32` values, causing byte-swapping data corruption on big-endian platforms.
- [Medium] Early return in `qce_dma_terminate_all()` leaks DMA mappings and skips terminating the TX channel if RX channel termination fails.
- [Medium] Leaked DMA descriptor in error path due to incorrect use of `dmaengine_desc_free` on a non-reusable descriptor.
Pre-existing issues:
- [High] Memory leak of `rctx->adata` buffer in CCM requests with associated data on both success and error paths.
- [High] The error path in `qce_aead_async_req_handle` unmaps the wrong scatterlist for CCM requests, leading to a DMA mapping leak and invalid unmap.
- [High] Failure of `dma_map_sg` for the source scatterlist is bypassed due to an incorrect error check, leading to an invalid unmap.
--
--- Patch [13]: [PATCH v21 13/14] crypto: qce - Add BAM DMA support for crypto register I/O ---
commit 07a714be1f94a3c7b4d4c5c79104848b7570dad5
Author: Bartosz Golaszewski <brgl@kernel.org>
crypto: qce - Add BAM DMA support for crypto register I/O
Switch to using BAM DMA for register I/O in addition to passing data. To
that end: provide the necessary infrastructure in the driver, modify the
ordering of operations as required and replace all direct register writes
with wrappers queueing DMA command descriptors.
> diff --git a/drivers/crypto/qce/aead.c b/drivers/crypto/qce/aead.c
> index 92d84941d3dbf..48ea7fb9a91e6 100644
> --- a/drivers/crypto/qce/aead.c
> +++ b/drivers/crypto/qce/aead.c
[ ... ]
> @@ -461,17 +461,17 @@ qce_aead_async_req_handle(struct crypto_async_request *async_req)
> src_nents = dst_nents - 1;
> }
>
> - ret = qce_dma_prep_sgs(&qce->dma, rctx->src_sg, src_nents, rctx->dst_sg, dst_nents,
> - qce_aead_done, async_req);
> + ret = qce_start(async_req, tmpl->crypto_alg_type);
> if (ret)
> goto error_unmap_src;
>
> - qce_dma_issue_pending(&qce->dma);
> -
> - ret = qce_start(async_req, tmpl->crypto_alg_type);
> + ret = qce_dma_prep_sgs(&qce->dma, rctx->src_sg, src_nents, rctx->dst_sg, dst_nents,
> + qce_aead_done, async_req);
> if (ret)
> goto error_terminate;
>
> + qce_dma_issue_pending(&qce->dma);
> +
> return 0;
>
> error_terminate:
[Severity: High]
This is a pre-existing issue, but does this function leak memory allocated
for CCM requests with associated data?
qce_aead_async_req_handle() calls qce_aead_ccm_prepare_buf() which
allocates:
rctx->adata = kzalloc(...)
The buffer allocated for rctx->adata is never freed anywhere in the driver,
neither in the success path (qce_aead_done) nor in the error paths. Will
this reliably exhaust kernel memory for every CCM request?
[Severity: High]
This is a pre-existing issue, but is the wrong scatterlist being unmapped
in the error path?
If an error occurs, the error handler incorrectly unmaps the original user
scatterlist:
error_unmap_src:
if (diff_dst)
dma_unmap_sg(qce->dev, req->src, rctx->src_nents, dir_src);
For CCM requests with associated data, the dynamically constructed
scatterlist rctx->src_sg is mapped. Does unmapping req->src instead cause a
permanent DMA mapping leak and trigger IOMMU faults?
[Severity: High]
This is a pre-existing issue, but does this function incorrectly check the
return value of dma_map_sg()?
Earlier in this function:
src_nents = dma_map_sg(qce->dev, rctx->src_sg, rctx->src_nents,
dir_src);
if (src_nents < 0) {
dma_map_sg() returns 0 on failure, not a negative value. Will this bypass
the error check, pass a count of 0 to qce_dma_prep_sgs(), and eventually
lead to an invalid unmap?
> diff --git a/drivers/crypto/qce/dma.c b/drivers/crypto/qce/dma.c
> index 26347e9fc078a..1b43c56503334 100644
> --- a/drivers/crypto/qce/dma.c
> +++ b/drivers/crypto/qce/dma.c
[ ... ]
> +int qce_submit_cmd_desc(struct qce_device *qce)
> +{
> + struct qce_desc_info *qce_desc = qce->dma.bam_txn->desc;
> + struct qce_bam_transaction *bam_txn = qce->dma.bam_txn;
> + struct dma_async_tx_descriptor *dma_desc;
> + struct dma_chan *chan = qce->dma.rxchan;
> + unsigned long attrs = DMA_PREP_CMD;
> + dma_cookie_t cookie;
> + unsigned int mapped;
> + int ret;
> +
> + mapped = dma_map_sg(qce->dev, bam_txn->wr_sgl, bam_txn->wr_sgl_cnt, DMA_TO_DEVICE);
> + if (!mapped)
> + return -ENOMEM;
> +
> + dma_desc = dmaengine_prep_slave_sg(chan, bam_txn->wr_sgl, mapped, DMA_MEM_TO_DEV, attrs);
> + if (!dma_desc) {
> + ret = -ENOMEM;
> + goto err_unmap_sg;
> + }
> +
> + qce_desc->dma_desc = dma_desc;
> + cookie = dmaengine_submit(qce_desc->dma_desc);
> +
> + ret = dma_submit_error(cookie);
> + if (ret)
> + goto err_unmap_sg;
> +
> + return 0;
> +
> +err_unmap_sg:
> + dma_unmap_sg(qce->dev, bam_txn->wr_sgl, bam_txn->wr_sgl_cnt, DMA_TO_DEVICE);
> + return ret;
> +}
[Severity: Medium]
Is there a leaked DMA descriptor on this error path?
If dmaengine_desc_free(dma_desc) is ever used on error paths here (e.g., if
metadata attachment or submission fails):
err_free_desc:
dmaengine_desc_free(dma_desc);
Is it safe to call this? This API does not free non-reusable descriptors,
and returns -EPERM instead, leaving the descriptor permanently leaked in
the unsubmitted pool.
> +static void qce_prep_dma_cmd_desc(struct qce_device *qce, struct qce_dma_data *dma,
> + unsigned int addr, void *buf)
> +{
> + struct qce_bam_transaction *bam_txn = dma->bam_txn;
> + struct bam_cmd_element *bam_ce_buf;
> + int bam_ce_size, cnt, idx;
> +
> + idx = bam_txn->bam_ce_idx;
> + bam_ce_buf = &bam_txn->bam_ce[idx];
> + bam_prep_ce_le32(bam_ce_buf, addr, BAM_WRITE_COMMAND, *((__le32 *)buf));
[Severity: Medium]
Will this cause endianness issues on big-endian platforms?
In qce_write_dma(), a native host-endian u32 value is passed by reference:
qce_write_dma()
unsigned int reg_addr = ...
qce_prep_dma_cmd_desc(qce, &qce->dma, reg_addr, &val);
Here, the pointer is cast to __le32 * and dereferenced without using
cpu_to_le32(). Won't the BAM DMA hardware receive incorrectly byte-swapped
values?
[ ... ]
> @@ -98,28 +200,36 @@ int qce_dma_prep_sgs(struct qce_dma_data *dma, struct scatterlist *rx_sg,
[ ... ]
> int qce_dma_terminate_all(struct qce_dma_data *dma)
> {
> + struct qce_device *qce = container_of(dma, struct qce_device, dma);
> + struct qce_bam_transaction *bam_txn = dma->bam_txn;
> int ret;
>
> ret = dmaengine_terminate_all(dma->rxchan);
> - return ret ?: dmaengine_terminate_all(dma->txchan);
> + if (ret)
> + return ret;
[Severity: Medium]
If dmaengine_terminate_all(dma->rxchan) returns an error, the function
returns immediately. Does this early return leak the DMA mappings for
bam_txn->wr_sgl and skip terminating the TX channel entirely?
> +
> + dma_unmap_sg(qce->dev, bam_txn->wr_sgl, bam_txn->wr_sgl_cnt, DMA_TO_DEVICE);
> +
> + return dmaengine_terminate_all(dma->txchan);
> }
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260713-qcom-qce-cmd-descr-v21-0-bc2583e18475@oss.qualcomm.com?part=13
next prev parent reply other threads:[~2026-07-13 13:24 UTC|newest]
Thread overview: 26+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-07-13 13:01 [PATCH v21 00/14] crypto/dmaengine: qce: introduce BAM locking and use DMA for register I/O Bartosz Golaszewski
2026-07-13 13:01 ` [PATCH v21 01/14] dmaengine: constify struct dma_descriptor_metadata_ops Bartosz Golaszewski
2026-07-13 13:01 ` [PATCH v21 02/14] dmaengine: qcom: bam_dma: free interrupt before the clock in error path Bartosz Golaszewski
2026-07-13 13:14 ` sashiko-bot
2026-07-13 13:01 ` [PATCH v21 03/14] dmaengine: qcom: bam_dma: convert tasklet to a BH workqueue Bartosz Golaszewski
2026-07-13 13:17 ` sashiko-bot
2026-07-13 13:01 ` [PATCH v21 04/14] dmaengine: qcom: bam_dma: Extend the driver's device match data Bartosz Golaszewski
2026-07-13 13:01 ` [PATCH v21 05/14] dmaengine: qcom: bam_dma: Add pipe_lock_supported flag support Bartosz Golaszewski
2026-07-13 13:01 ` [PATCH v21 06/14] dmaengine: qcom: bam_dma: add support for BAM locking Bartosz Golaszewski
2026-07-13 13:17 ` sashiko-bot
2026-07-14 9:49 ` Stephan Gerhold
2026-07-13 13:01 ` [PATCH v21 07/14] crypto: qce - Cancel work on device detach Bartosz Golaszewski
2026-07-13 13:15 ` sashiko-bot
2026-07-13 13:01 ` [PATCH v21 08/14] crypto: qce - Include algapi.h in the core.h header Bartosz Golaszewski
2026-07-13 13:18 ` sashiko-bot
2026-07-13 13:01 ` [PATCH v21 09/14] crypto: qce - Remove unused ignore_buf Bartosz Golaszewski
2026-07-13 13:14 ` sashiko-bot
2026-07-13 13:01 ` [PATCH v21 10/14] crypto: qce - Simplify arguments of devm_qce_dma_request() Bartosz Golaszewski
2026-07-13 13:01 ` [PATCH v21 11/14] crypto: qce - Use existing devres APIs in devm_qce_dma_request() Bartosz Golaszewski
2026-07-13 13:16 ` sashiko-bot
2026-07-13 13:01 ` [PATCH v21 12/14] crypto: qce - Map crypto memory for DMA Bartosz Golaszewski
2026-07-13 13:22 ` sashiko-bot
2026-07-13 13:01 ` [PATCH v21 13/14] crypto: qce - Add BAM DMA support for crypto register I/O Bartosz Golaszewski
2026-07-13 13:24 ` sashiko-bot [this message]
2026-07-13 13:01 ` [PATCH v21 14/14] crypto: qce - Communicate the base physical address to the dmaengine Bartosz Golaszewski
2026-07-13 13:26 ` sashiko-bot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260713132451.4C7211F00A3E@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=Frank.Li@kernel.org \
--cc=bartosz.golaszewski@oss.qualcomm.com \
--cc=dmaengine@vger.kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
--cc=vkoul@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox