Commit 8e409fe1 authored by LABBE Corentin's avatar LABBE Corentin Committed by Herbert Xu

crypto: talitos - check return value of sg_nents_for_len

The sg_nents_for_len() function could fail, this patch add a check for
its return value.
Signed-off-by: default avatarLABBE Corentin <clabbe.montjoie@gmail.com>
Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
parent c22dafb3
...@@ -1216,6 +1216,7 @@ static struct talitos_edesc *talitos_edesc_alloc(struct device *dev, ...@@ -1216,6 +1216,7 @@ static struct talitos_edesc *talitos_edesc_alloc(struct device *dev,
struct talitos_private *priv = dev_get_drvdata(dev); struct talitos_private *priv = dev_get_drvdata(dev);
bool is_sec1 = has_ftr_sec1(priv); bool is_sec1 = has_ftr_sec1(priv);
int max_len = is_sec1 ? TALITOS1_MAX_DATA_LEN : TALITOS2_MAX_DATA_LEN; int max_len = is_sec1 ? TALITOS1_MAX_DATA_LEN : TALITOS2_MAX_DATA_LEN;
void *err;
if (cryptlen + authsize > max_len) { if (cryptlen + authsize > max_len) {
dev_err(dev, "length exceeds h/w max limit\n"); dev_err(dev, "length exceeds h/w max limit\n");
...@@ -1228,14 +1229,29 @@ static struct talitos_edesc *talitos_edesc_alloc(struct device *dev, ...@@ -1228,14 +1229,29 @@ static struct talitos_edesc *talitos_edesc_alloc(struct device *dev,
if (!dst || dst == src) { if (!dst || dst == src) {
src_nents = sg_nents_for_len(src, src_nents = sg_nents_for_len(src,
assoclen + cryptlen + authsize); assoclen + cryptlen + authsize);
if (src_nents < 0) {
dev_err(dev, "Invalid number of src SG.\n");
err = ERR_PTR(-EINVAL);
goto error_sg;
}
src_nents = (src_nents == 1) ? 0 : src_nents; src_nents = (src_nents == 1) ? 0 : src_nents;
dst_nents = dst ? src_nents : 0; dst_nents = dst ? src_nents : 0;
} else { /* dst && dst != src*/ } else { /* dst && dst != src*/
src_nents = sg_nents_for_len(src, assoclen + cryptlen + src_nents = sg_nents_for_len(src, assoclen + cryptlen +
(encrypt ? 0 : authsize)); (encrypt ? 0 : authsize));
if (src_nents < 0) {
dev_err(dev, "Invalid number of src SG.\n");
err = ERR_PTR(-EINVAL);
goto error_sg;
}
src_nents = (src_nents == 1) ? 0 : src_nents; src_nents = (src_nents == 1) ? 0 : src_nents;
dst_nents = sg_nents_for_len(dst, assoclen + cryptlen + dst_nents = sg_nents_for_len(dst, assoclen + cryptlen +
(encrypt ? authsize : 0)); (encrypt ? authsize : 0));
if (dst_nents < 0) {
dev_err(dev, "Invalid number of dst SG.\n");
err = ERR_PTR(-EINVAL);
goto error_sg;
}
dst_nents = (dst_nents == 1) ? 0 : dst_nents; dst_nents = (dst_nents == 1) ? 0 : dst_nents;
} }
...@@ -1260,11 +1276,9 @@ static struct talitos_edesc *talitos_edesc_alloc(struct device *dev, ...@@ -1260,11 +1276,9 @@ static struct talitos_edesc *talitos_edesc_alloc(struct device *dev,
edesc = kmalloc(alloc_len, GFP_DMA | flags); edesc = kmalloc(alloc_len, GFP_DMA | flags);
if (!edesc) { if (!edesc) {
if (iv_dma)
dma_unmap_single(dev, iv_dma, ivsize, DMA_TO_DEVICE);
dev_err(dev, "could not allocate edescriptor\n"); dev_err(dev, "could not allocate edescriptor\n");
return ERR_PTR(-ENOMEM); err = ERR_PTR(-ENOMEM);
goto error_sg;
} }
edesc->src_nents = src_nents; edesc->src_nents = src_nents;
...@@ -1277,6 +1291,10 @@ static struct talitos_edesc *talitos_edesc_alloc(struct device *dev, ...@@ -1277,6 +1291,10 @@ static struct talitos_edesc *talitos_edesc_alloc(struct device *dev,
DMA_BIDIRECTIONAL); DMA_BIDIRECTIONAL);
return edesc; return edesc;
error_sg:
if (iv_dma)
dma_unmap_single(dev, iv_dma, ivsize, DMA_TO_DEVICE);
return err;
} }
static struct talitos_edesc *aead_edesc_alloc(struct aead_request *areq, u8 *iv, static struct talitos_edesc *aead_edesc_alloc(struct aead_request *areq, u8 *iv,
...@@ -1830,11 +1848,16 @@ static int ahash_process_req(struct ahash_request *areq, unsigned int nbytes) ...@@ -1830,11 +1848,16 @@ static int ahash_process_req(struct ahash_request *areq, unsigned int nbytes)
unsigned int nbytes_to_hash; unsigned int nbytes_to_hash;
unsigned int to_hash_later; unsigned int to_hash_later;
unsigned int nsg; unsigned int nsg;
int nents;
if (!req_ctx->last && (nbytes + req_ctx->nbuf <= blocksize)) { if (!req_ctx->last && (nbytes + req_ctx->nbuf <= blocksize)) {
/* Buffer up to one whole block */ /* Buffer up to one whole block */
sg_copy_to_buffer(areq->src, nents = sg_nents_for_len(areq->src, nbytes);
sg_nents_for_len(areq->src, nbytes), if (nents < 0) {
dev_err(ctx->dev, "Invalid number of src SG.\n");
return nents;
}
sg_copy_to_buffer(areq->src, nents,
req_ctx->buf + req_ctx->nbuf, nbytes); req_ctx->buf + req_ctx->nbuf, nbytes);
req_ctx->nbuf += nbytes; req_ctx->nbuf += nbytes;
return 0; return 0;
...@@ -1867,7 +1890,11 @@ static int ahash_process_req(struct ahash_request *areq, unsigned int nbytes) ...@@ -1867,7 +1890,11 @@ static int ahash_process_req(struct ahash_request *areq, unsigned int nbytes)
req_ctx->psrc = areq->src; req_ctx->psrc = areq->src;
if (to_hash_later) { if (to_hash_later) {
int nents = sg_nents_for_len(areq->src, nbytes); nents = sg_nents_for_len(areq->src, nbytes);
if (nents < 0) {
dev_err(ctx->dev, "Invalid number of src SG.\n");
return nents;
}
sg_pcopy_to_buffer(areq->src, nents, sg_pcopy_to_buffer(areq->src, nents,
req_ctx->bufnext, req_ctx->bufnext,
to_hash_later, to_hash_later,
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment