crypto: crypto4xx - put temporary dst sg into request ctx

This patch fixes a crash that happens when testing rfc4543(gcm(aes))

Unable to handle kernel paging request for data at address 0xf59b3420
Faulting instruction address: 0xc0012994
Oops: Kernel access of bad area, sig: 11 [#1]
BE PowerPC 44x Platform
Modules linked in: tcrypt(+) crypto4xx [...]
CPU: 0 PID: 0 Comm: swapper Tainted: G           O      4.17.0-rc1+ #23
NIP:  c0012994 LR: d3077934 CTR: 06026d49
REGS: cfff7e30 TRAP: 0300   Tainted: G           O       (4.17.0-rc1+)
MSR:  00029000 <CE,EE,ME>  CR: 44744822  XER: 00000000
DEAR: f59b3420 ESR: 00000000
NIP [c0012994] __dma_sync+0x58/0x10c
LR [d3077934] crypto4xx_bh_tasklet_cb+0x188/0x3c8 [crypto4xx]

__dma_sync was fed the temporary _dst that crypto4xx_build_pd()
had in it's function stack. This clearly never worked.
This patch therefore overhauls the code from the original driver
and puts the temporary dst sg list into aead's request context.

Fixes: a0aae821ba3d3 ("crypto: crypto4xx - prepare for AEAD support")
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>

diff --git a/drivers/crypto/amcc/crypto4xx_alg.c b/drivers/crypto/amcc/crypto4xx_alg.c
index c952bcf..f5c0749 100644 (file)
--- a/drivers/crypto/amcc/crypto4xx_alg.c
+++ b/drivers/crypto/amcc/crypto4xx_alg.c
@@ -87,7 +87,7 @@ static inline int crypto4xx_crypt(struct skcipher_request *req,
 
        return crypto4xx_build_pd(&req->base, ctx, req->src, req->dst,
                req->cryptlen, iv, ivlen, decrypt ? ctx->sa_in : ctx->sa_out,
-               ctx->sa_len, 0);
+               ctx->sa_len, 0, NULL);
 }
 
 int crypto4xx_encrypt_noiv(struct skcipher_request *req)
@@ -223,7 +223,7 @@ int crypto4xx_rfc3686_encrypt(struct skcipher_request *req)
 
        return crypto4xx_build_pd(&req->base, ctx, req->src, req->dst,
                                  req->cryptlen, iv, AES_IV_SIZE,
-                                 ctx->sa_out, ctx->sa_len, 0);
+                                 ctx->sa_out, ctx->sa_len, 0, NULL);
 }
 
 int crypto4xx_rfc3686_decrypt(struct skcipher_request *req)
@@ -238,7 +238,7 @@ int crypto4xx_rfc3686_decrypt(struct skcipher_request *req)
 
        return crypto4xx_build_pd(&req->base, ctx, req->src, req->dst,
                                  req->cryptlen, iv, AES_IV_SIZE,
-                                 ctx->sa_out, ctx->sa_len, 0);
+                                 ctx->sa_out, ctx->sa_len, 0, NULL);
 }
 
 static int
@@ -449,6 +449,7 @@ int crypto4xx_setkey_aes_ccm(struct crypto_aead *cipher, const u8 *key,
 static int crypto4xx_crypt_aes_ccm(struct aead_request *req, bool decrypt)
 {
        struct crypto4xx_ctx *ctx  = crypto_tfm_ctx(req->base.tfm);
+       struct crypto4xx_aead_reqctx *rctx = aead_request_ctx(req);
        struct crypto_aead *aead = crypto_aead_reqtfm(req);
        __le32 iv[16];
        u32 tmp_sa[SA_AES128_CCM_LEN + 4];
@@ -474,7 +475,7 @@ static int crypto4xx_crypt_aes_ccm(struct aead_request *req, bool decrypt)
 
        return crypto4xx_build_pd(&req->base, ctx, req->src, req->dst,
                                  len, iv, sizeof(iv),
-                                 sa, ctx->sa_len, req->assoclen);
+                                 sa, ctx->sa_len, req->assoclen, rctx->dst);
 }
 
 int crypto4xx_encrypt_aes_ccm(struct aead_request *req)
@@ -622,7 +623,7 @@ static inline int crypto4xx_crypt_aes_gcm(struct aead_request *req,
        return crypto4xx_build_pd(&req->base, ctx, req->src, req->dst,
                                  len, iv, sizeof(iv),
                                  decrypt ? ctx->sa_in : ctx->sa_out,
-                                 ctx->sa_len, req->assoclen);
+                                 ctx->sa_len, req->assoclen, rctx->dst);
 }
 
 int crypto4xx_encrypt_aes_gcm(struct aead_request *req)
@@ -707,7 +708,7 @@ int crypto4xx_hash_update(struct ahash_request *req)
 
        return crypto4xx_build_pd(&req->base, ctx, req->src, &dst,
                                  req->nbytes, NULL, 0, ctx->sa_in,
-                                 ctx->sa_len, 0);
+                                 ctx->sa_len, 0, NULL);
 }
 
 int crypto4xx_hash_final(struct ahash_request *req)
@@ -726,7 +727,7 @@ int crypto4xx_hash_digest(struct ahash_request *req)
 
        return crypto4xx_build_pd(&req->base, ctx, req->src, &dst,
                                  req->nbytes, NULL, 0, ctx->sa_in,
-                                 ctx->sa_len, 0);
+                                 ctx->sa_len, 0, NULL);
 }
 
 /**

diff --git a/drivers/crypto/amcc/crypto4xx_core.c b/drivers/crypto/amcc/crypto4xx_core.c
index 605398c..9cb234c 100644 (file)
--- a/drivers/crypto/amcc/crypto4xx_core.c
+++ b/drivers/crypto/amcc/crypto4xx_core.c
@@ -695,9 +695,9 @@ int crypto4xx_build_pd(struct crypto_async_request *req,
                       const __le32 *iv, const u32 iv_len,
                       const struct dynamic_sa_ctl *req_sa,
                       const unsigned int sa_len,
-                      const unsigned int assoclen)
+                      const unsigned int assoclen,
+                      struct scatterlist *_dst)
 {
-       struct scatterlist _dst[2];
        struct crypto4xx_device *dev = ctx->dev;
        struct dynamic_sa_ctl *sa;
        struct ce_gd *gd;
@@ -996,9 +996,9 @@ static int crypto4xx_aead_init(struct crypto_aead *tfm)
 
        amcc_alg = container_of(alg, struct crypto4xx_alg, alg.u.aead);
        crypto4xx_ctx_init(amcc_alg, ctx);
-       crypto_aead_set_reqsize(tfm, sizeof(struct aead_request) +
-                               max(sizeof(struct crypto4xx_ctx), 32 +
-                               crypto_aead_reqsize(ctx->sw_cipher.aead)));
+       crypto_aead_set_reqsize(tfm, max(sizeof(struct aead_request) + 32 +
+                               crypto_aead_reqsize(ctx->sw_cipher.aead),
+                               sizeof(struct crypto4xx_aead_reqctx)));
        return 0;
 }
 

diff --git a/drivers/crypto/amcc/crypto4xx_core.h b/drivers/crypto/amcc/crypto4xx_core.h
index 279f650..e2ca567 100644 (file)
--- a/drivers/crypto/amcc/crypto4xx_core.h
+++ b/drivers/crypto/amcc/crypto4xx_core.h
@@ -133,6 +133,10 @@ struct crypto4xx_ctx {
        } sw_cipher;
 };
 
+struct crypto4xx_aead_reqctx {
+       struct scatterlist dst[2];
+};
+
 struct crypto4xx_alg_common {
        u32 type;
        union {
@@ -159,7 +163,8 @@ int crypto4xx_build_pd(struct crypto_async_request *req,
                       const __le32 *iv, const u32 iv_len,
                       const struct dynamic_sa_ctl *sa,
                       const unsigned int sa_len,
-                      const unsigned int assoclen);
+                      const unsigned int assoclen,
+                      struct scatterlist *dst_tmp);
 int crypto4xx_setkey_aes_cbc(struct crypto_skcipher *cipher,
                             const u8 *key, unsigned int keylen);
 int crypto4xx_setkey_aes_cfb(struct crypto_skcipher *cipher,