crypto: ixp4xx - fix buffer chain unwind on allocation failure

chainup_buffers() builds a linked list of buffer descriptors for a
scatterlist. If dma_pool_alloc() fails while constructing the list, the
current code sets buf to NULL and later dereferences it unconditionally
at the end of the function:

  buf->next = NULL;
  buf->phys_next = 0;

This can lead to a null-pointer dereference on allocation failure.

If the failure happens after part of the descriptor chain has already
been allocated and DMA-mapped, the partially constructed chain also
needs to be released.

Fix this by terminating the partially constructed chain on allocation
failure and letting the callers unwind it via their existing cleanup
paths. Also fix ablk_perform() to preserve the hook pointers before
checking for failure, so partially built chains can be freed correctly.

Signed-off-by: Ruoyu Wang <ruoyuw560@gmail.com>
Acked-by: Linus Walleij <linusw@kernel.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>

diff --git a/drivers/crypto/intel/ixp4xx/ixp4xx_crypto.c b/drivers/crypto/intel/ixp4xx/ixp4xx_crypto.c
index fcc0cf4df637d2dcb68bf75766cb1dd409b3be4f..5b90cf0fb0e41fa9c2694b242b24333fa20b1ca0 100644 (file)
--- a/drivers/crypto/intel/ixp4xx/ixp4xx_crypto.c
+++ b/drivers/crypto/intel/ixp4xx/ixp4xx_crypto.c
@@ -884,8 +884,9 @@ static struct buffer_desc *chainup_buffers(struct device *dev,
                ptr = sg_virt(sg);
                next_buf = dma_pool_alloc(buffer_pool, flags, &next_buf_phys);
                if (!next_buf) {
-                       buf = NULL;
-                       break;
+                       buf->next = NULL;
+                       buf->phys_next = 0;
+                       return NULL;
                }
                sg_dma_address(sg) = dma_map_single(dev, ptr, len, dir);
                buf->next = next_buf;
@@ -983,7 +984,7 @@ static int ablk_perform(struct skcipher_request *req, int encrypt)
        unsigned int nbytes = req->cryptlen;
        enum dma_data_direction src_direction = DMA_BIDIRECTIONAL;
        struct ablk_ctx *req_ctx = skcipher_request_ctx(req);
-       struct buffer_desc src_hook;
+       struct buffer_desc *buf, src_hook;
        struct device *dev = &pdev->dev;
        unsigned int offset;
        gfp_t flags = req->base.flags & CRYPTO_TFM_REQ_MAY_SLEEP ?
@@ -1025,22 +1026,24 @@ static int ablk_perform(struct skcipher_request *req, int encrypt)
                /* This was never tested by Intel
                 * for more than one dst buffer, I think. */
                req_ctx->dst = NULL;
-               if (!chainup_buffers(dev, req->dst, nbytes, &dst_hook,
-                                    flags, DMA_FROM_DEVICE))
-                       goto free_buf_dest;
-               src_direction = DMA_TO_DEVICE;
+               buf = chainup_buffers(dev, req->dst, nbytes, &dst_hook,
+                                     flags, DMA_FROM_DEVICE);
                req_ctx->dst = dst_hook.next;
                crypt->dst_buf = dst_hook.phys_next;
+               if (!buf)
+                       goto free_buf_dest;
+               src_direction = DMA_TO_DEVICE;
        } else {
                req_ctx->dst = NULL;
        }
        req_ctx->src = NULL;
-       if (!chainup_buffers(dev, req->src, nbytes, &src_hook, flags,
-                            src_direction))
-               goto free_buf_src;
-
+       buf = chainup_buffers(dev, req->src, nbytes, &src_hook, flags,
+                             src_direction);
        req_ctx->src = src_hook.next;
        crypt->src_buf = src_hook.phys_next;
+       if (!buf)
+               goto free_buf_src;
+
        crypt->ctl_flags |= CTL_FLAG_PERFORM_ABLK;
        qmgr_put_entry(send_qid, crypt_virt2phys(crypt));
        BUG_ON(qmgr_stat_overflow(send_qid));