* [PATCH] crypto: tegra - Fix dma_free_coherent size error
@ 2026-05-19 4:22 Herbert Xu
2026-05-19 12:24 ` Vladislav Dronov
` (2 more replies)
0 siblings, 3 replies; 6+ messages in thread
From: Herbert Xu @ 2026-05-19 4:22 UTC (permalink / raw)
To: Linux Crypto Mailing List, Akhil R; +Cc: Patrick Talbert, Vladislav Dronov
When freeing a coherent DMA buffer, the size must match the value
that was used during the allocation.
Unfortunately the size field in the tegra driver gets overwritten
by this point so it no longer matches and creates a warning.
Fix this by saving a copy of the size on the stack.
Note that the ccm function actually mixes up the inbuf and outbuf
sizes, but it doesn't matter because the two sizes are actually
equal.
Fixes: 1cb328da4e8f ("crypto: tegra - Do not use fixed size buffers")
Reporeted-by: Patrick Talbert <ptalbert@redhat.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
diff --git a/drivers/crypto/tegra/tegra-se-aes.c b/drivers/crypto/tegra/tegra-se-aes.c
index 30c78afe3dea..5086e7f140c3 100644
--- a/drivers/crypto/tegra/tegra-se-aes.c
+++ b/drivers/crypto/tegra/tegra-se-aes.c
@@ -1201,6 +1201,7 @@ static int tegra_ccm_do_one_req(struct crypto_engine *engine, void *areq)
struct crypto_aead *tfm = crypto_aead_reqtfm(req);
struct tegra_aead_ctx *ctx = crypto_aead_ctx(tfm);
struct tegra_se *se = ctx->se;
+ unsigned int bufsize;
int ret;
ret = tegra_ccm_crypt_init(req, se, rctx);
@@ -1210,14 +1211,15 @@ static int tegra_ccm_do_one_req(struct crypto_engine *engine, void *areq)
rctx->key_id = ctx->key_id;
/* Allocate buffers required */
- rctx->inbuf.size = rctx->assoclen + rctx->authsize + rctx->cryptlen + 100;
- rctx->inbuf.buf = dma_alloc_coherent(ctx->se->dev, rctx->inbuf.size,
+ bufsize = rctx->assoclen + rctx->authsize + rctx->cryptlen + 100;
+ rctx->inbuf.size = bufsize;
+ rctx->inbuf.buf = dma_alloc_coherent(ctx->se->dev, bufsize,
&rctx->inbuf.addr, GFP_KERNEL);
if (!rctx->inbuf.buf)
goto out_finalize;
- rctx->outbuf.size = rctx->assoclen + rctx->authsize + rctx->cryptlen + 100;
- rctx->outbuf.buf = dma_alloc_coherent(ctx->se->dev, rctx->outbuf.size,
+ rctx->outbuf.size = bufsize;
+ rctx->outbuf.buf = dma_alloc_coherent(ctx->se->dev, bufsize,
&rctx->outbuf.addr, GFP_KERNEL);
if (!rctx->outbuf.buf) {
ret = -ENOMEM;
@@ -1254,11 +1256,11 @@ static int tegra_ccm_do_one_req(struct crypto_engine *engine, void *areq)
}
out:
- dma_free_coherent(ctx->se->dev, rctx->inbuf.size,
+ dma_free_coherent(ctx->se->dev, bufsize,
rctx->outbuf.buf, rctx->outbuf.addr);
out_free_inbuf:
- dma_free_coherent(ctx->se->dev, rctx->outbuf.size,
+ dma_free_coherent(ctx->se->dev, bufsize,
rctx->inbuf.buf, rctx->inbuf.addr);
if (tegra_key_is_reserved(rctx->key_id))
@@ -1278,6 +1280,7 @@ static int tegra_gcm_do_one_req(struct crypto_engine *engine, void *areq)
struct crypto_aead *tfm = crypto_aead_reqtfm(req);
struct tegra_aead_ctx *ctx = crypto_aead_ctx(tfm);
struct tegra_aead_reqctx *rctx = aead_request_ctx(req);
+ unsigned int bufsize;
int ret;
rctx->src_sg = req->src;
@@ -1296,16 +1299,17 @@ static int tegra_gcm_do_one_req(struct crypto_engine *engine, void *areq)
rctx->key_id = ctx->key_id;
/* Allocate buffers required */
- rctx->inbuf.size = rctx->assoclen + rctx->authsize + rctx->cryptlen;
- rctx->inbuf.buf = dma_alloc_coherent(ctx->se->dev, rctx->inbuf.size,
+ bufsize = rctx->assoclen + rctx->authsize + rctx->cryptlen;
+ rctx->inbuf.size = bufsize;
+ rctx->inbuf.buf = dma_alloc_coherent(ctx->se->dev, bufsize,
&rctx->inbuf.addr, GFP_KERNEL);
if (!rctx->inbuf.buf) {
ret = -ENOMEM;
goto out_finalize;
}
- rctx->outbuf.size = rctx->assoclen + rctx->authsize + rctx->cryptlen;
- rctx->outbuf.buf = dma_alloc_coherent(ctx->se->dev, rctx->outbuf.size,
+ rctx->outbuf.size = bufsize;
+ rctx->outbuf.buf = dma_alloc_coherent(ctx->se->dev, bufsize,
&rctx->outbuf.addr, GFP_KERNEL);
if (!rctx->outbuf.buf) {
ret = -ENOMEM;
@@ -1342,11 +1346,11 @@ static int tegra_gcm_do_one_req(struct crypto_engine *engine, void *areq)
ret = tegra_gcm_do_verify(ctx->se, rctx);
out:
- dma_free_coherent(ctx->se->dev, rctx->outbuf.size,
+ dma_free_coherent(ctx->se->dev, bufsize,
rctx->outbuf.buf, rctx->outbuf.addr);
out_free_inbuf:
- dma_free_coherent(ctx->se->dev, rctx->inbuf.size,
+ dma_free_coherent(ctx->se->dev, bufsize,
rctx->inbuf.buf, rctx->inbuf.addr);
if (tegra_key_is_reserved(rctx->key_id))
--
Email: Herbert Xu <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
^ permalink raw reply related [flat|nested] 6+ messages in thread
* Re: [PATCH] crypto: tegra - Fix dma_free_coherent size error
2026-05-19 4:22 [PATCH] crypto: tegra - Fix dma_free_coherent size error Herbert Xu
@ 2026-05-19 12:24 ` Vladislav Dronov
[not found] ` <CAMusb+T_q1Vu3MD+VjiPWfpe3NNpjJehXWQ9gePo=hM+NGm1zg@mail.gmail.com>
2026-05-20 16:03 ` [PATCH] crypto: tegra - Fix dma_free_coherent size error Vladislav Dronov
2 siblings, 0 replies; 6+ messages in thread
From: Vladislav Dronov @ 2026-05-19 12:24 UTC (permalink / raw)
To: herbert; +Cc: akhilrajeev, linux-crypto, ptalbert, vdronov
On Tue, May 19, 2026 at 6:22 AM Herbert Xu <herbert@gondor.apana.org.au> wrote:
>
> /* Allocate buffers required */
> - rctx->inbuf.size = rctx->assoclen + rctx->authsize + rctx->cryptlen + 100;
> - rctx->inbuf.buf = dma_alloc_coherent(ctx->se->dev, rctx->inbuf.size,
> + bufsize = rctx->assoclen + rctx->authsize + rctx->cryptlen + 100;
> + rctx->inbuf.size = bufsize;
> + rctx->inbuf.buf = dma_alloc_coherent(ctx->se->dev, bufsize,
> &rctx->inbuf.addr, GFP_KERNEL);
> if (!rctx->inbuf.buf)
> goto out_finalize;
sashiko.dev makes a point here ( https://sashiko.dev/#/patchset/agvleqNqloWB6tpf%40gondor.apana.org.au )
that the code does not set ret to an error value, as done in the other similar places, see:
> - rctx->outbuf.size = rctx->assoclen + rctx->authsize + rctx->cryptlen + 100;
> - rctx->outbuf.buf = dma_alloc_coherent(ctx->se->dev, rctx->outbuf.size,
> + rctx->outbuf.size = bufsize;
> + rctx->outbuf.buf = dma_alloc_coherent(ctx->se->dev, bufsize,
> &rctx->outbuf.addr, GFP_KERNEL);
> if (!rctx->outbuf.buf) {
> ret = -ENOMEM; <<< HERE
goto out_free_inbuf;
}
This looks valid to me, I'd suggest to add {}s and:
+ ret = -ENOMEM;
to the patch indeed.
Best regards,
Vladislav Dronov
^ permalink raw reply [flat|nested] 6+ messages in thread
* [PATCH] crypto: tegra - Return ENOMEM when input buffer allocation fails for ccm
[not found] ` <CAMusb+T_q1Vu3MD+VjiPWfpe3NNpjJehXWQ9gePo=hM+NGm1zg@mail.gmail.com>
@ 2026-05-20 2:51 ` Herbert Xu
2026-05-20 16:08 ` Vladislav Dronov
2026-05-20 16:28 ` Vladislav Dronov
0 siblings, 2 replies; 6+ messages in thread
From: Herbert Xu @ 2026-05-20 2:51 UTC (permalink / raw)
To: Vladislav Dronov; +Cc: Linux Crypto Mailing List, Akhil R, Patrick Talbert
On Tue, May 19, 2026 at 01:42:59PM +0200, Vladislav Dronov wrote:
>
> sashiko.dev makes a point here (
> https://sashiko.dev/#/patchset/agvleqNqloWB6tpf%40gondor.apana.org.au )
> that the code does not set ret to an error value, as done in the other
> similar places, see:
Thanks Vladis. This is an existing bug and I'll fix it with a
separate patch:
---8<---
Ensure the ENOMEM error value is set when the input buffer allocation
fails in tegra_ccm_do_one_req.
Reported-by: Vladislav Dronov <vdronov@redhat.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
diff --git a/drivers/crypto/tegra/tegra-se-aes.c b/drivers/crypto/tegra/tegra-se-aes.c
index 30c78afe3dea..7ed39b40e4f5 100644
--- a/drivers/crypto/tegra/tegra-se-aes.c
+++ b/drivers/crypto/tegra/tegra-se-aes.c
@@ -1213,16 +1213,15 @@ static int tegra_ccm_do_one_req(struct crypto_engine *engine, void *areq)
rctx->inbuf.size = rctx->assoclen + rctx->authsize + rctx->cryptlen + 100;
rctx->inbuf.buf = dma_alloc_coherent(ctx->se->dev, rctx->inbuf.size,
&rctx->inbuf.addr, GFP_KERNEL);
+ ret = -ENOMEM;
if (!rctx->inbuf.buf)
goto out_finalize;
rctx->outbuf.size = rctx->assoclen + rctx->authsize + rctx->cryptlen + 100;
rctx->outbuf.buf = dma_alloc_coherent(ctx->se->dev, rctx->outbuf.size,
&rctx->outbuf.addr, GFP_KERNEL);
- if (!rctx->outbuf.buf) {
- ret = -ENOMEM;
+ if (!rctx->outbuf.buf)
goto out_free_inbuf;
- }
if (!ctx->key_id) {
ret = tegra_key_submit_reserved_aes(ctx->se, ctx->key,
--
Email: Herbert Xu <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
^ permalink raw reply related [flat|nested] 6+ messages in thread
* Re: [PATCH] crypto: tegra - Fix dma_free_coherent size error
2026-05-19 4:22 [PATCH] crypto: tegra - Fix dma_free_coherent size error Herbert Xu
2026-05-19 12:24 ` Vladislav Dronov
[not found] ` <CAMusb+T_q1Vu3MD+VjiPWfpe3NNpjJehXWQ9gePo=hM+NGm1zg@mail.gmail.com>
@ 2026-05-20 16:03 ` Vladislav Dronov
2 siblings, 0 replies; 6+ messages in thread
From: Vladislav Dronov @ 2026-05-20 16:03 UTC (permalink / raw)
To: herbert; +Cc: akhilrajeev, linux-crypto, ptalbert, vdronov
Hi, Herbert, thanks!
With the subsequent ENOMEM fix please feel free to use my:
Reviewed-by: Vladislav Dronov <vdronov@redhat.com>
Best regards,
Vladislav Dronov
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH] crypto: tegra - Return ENOMEM when input buffer allocation fails for ccm
2026-05-20 2:51 ` [PATCH] crypto: tegra - Return ENOMEM when input buffer allocation fails for ccm Herbert Xu
@ 2026-05-20 16:08 ` Vladislav Dronov
2026-05-20 16:28 ` Vladislav Dronov
1 sibling, 0 replies; 6+ messages in thread
From: Vladislav Dronov @ 2026-05-20 16:08 UTC (permalink / raw)
To: herbert; +Cc: akhilrajeev, linux-crypto, ptalbert, vdronov
Hi, Herbert,
Thank you for this fix! Please feel free to use my:
Reviewed-by: Vladislav Dronov <vdronov@redhat.com>
Best regards,
Vladislav Dronov
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH] crypto: tegra - Return ENOMEM when input buffer allocation fails for ccm
2026-05-20 2:51 ` [PATCH] crypto: tegra - Return ENOMEM when input buffer allocation fails for ccm Herbert Xu
2026-05-20 16:08 ` Vladislav Dronov
@ 2026-05-20 16:28 ` Vladislav Dronov
1 sibling, 0 replies; 6+ messages in thread
From: Vladislav Dronov @ 2026-05-20 16:28 UTC (permalink / raw)
To: herbert; +Cc: akhilrajeev, linux-crypto, ptalbert, vdronov
Hi, Herbert,
I would also add the fixes: tag to your ENOMEM fix:
Fixes: 1e245948ca0c ("crypto: tegra - finalize crypto req on error")
Best regards,
Vladislav Dronov
^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2026-05-20 16:28 UTC | newest]
Thread overview: 6+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-05-19 4:22 [PATCH] crypto: tegra - Fix dma_free_coherent size error Herbert Xu
2026-05-19 12:24 ` Vladislav Dronov
[not found] ` <CAMusb+T_q1Vu3MD+VjiPWfpe3NNpjJehXWQ9gePo=hM+NGm1zg@mail.gmail.com>
2026-05-20 2:51 ` [PATCH] crypto: tegra - Return ENOMEM when input buffer allocation fails for ccm Herbert Xu
2026-05-20 16:08 ` Vladislav Dronov
2026-05-20 16:28 ` Vladislav Dronov
2026-05-20 16:03 ` [PATCH] crypto: tegra - Fix dma_free_coherent size error Vladislav Dronov
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox