From d6745fa37cb08dbce9b39fc253528a7b4fc84c4e Mon Sep 17 00:00:00 2001 
From: Manish Bhardwaj Date: Fri, 3 Nov 2023 20:08:06 +0000 Subject: [PATCH] nvidia: handle zero size sha buffer gracefully Using this patch we are fixing below issue on debug build where sg_init_one API is getting failed when zero sha buffer size is passed leading to below crash. [ 144.941668] kernel BUG at include/linux/scatterlist.h:163! [ 144.941673] Internal error: Oops - BUG: 00000000f2000800 [#1] PREEMPT_RT SMP [ 144.941766] CPU: 7 PID: 6178 Comm: nvvse_test Tainted: G W O 6.1.9-rt7-debug-rt-tegra #1 [ 144.941769] Hardware name: p3710-0010 (DT) [ 144.941770] pstate: 20400005 (nzCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 144.941773] pc : sg_init_one+0x3c/0xb0 [ 144.941782] lr : 0xffff800001515e30 [ 144.941788] sp : ffff800022723cd0 [ 144.941788] x29: ffff800022723cd0 x28: 0000aaaabfca6300 x27: ffff0000af767850 [ 144.941791] x26: ffff0000af766900 x25: ffff800001518460 x24: ffff0000afd8f700 [ 144.941792] x23: ffff0000af767a00 x22: ffff0000afe81d80 x21: 0000000000000010 [ 144.941794] x20: 0001000000000010 x19: ffff800022723d88 x18: 0000000000000000 [ 144.941796] x17: 0000000000000000 x16: ffff800001515410 x15: 0000aaaabfca6300 [ 144.941798] x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000 [ 144.941800] x11: 0000000000000000 x10: 0000000000000000 x9 : 0000000000000000 [ 144.941802] x8 : ffff0000afd8f780 x7 : 0000000000000000 x6 : 0000000000000010 [ 144.941804] x5 : 0000000000000010 x4 : ffff0000afe81d80 x3 : 0000000000000000 [ 144.941806] x2 : 0000000000000000 x1 : 00007fffffffffff x0 : 0001000000000000 [ 144.941808] Call trace: [ 144.941810] sg_init_one+0x3c/0xb0 [ 144.941813] 0xffff800001515e30 [ 144.941815] __arm64_sys_ioctl+0xa8/0x100 [ 144.941820] invoke_syscall+0x40/0x120 [ 144.941825] el0_svc_common.constprop.0+0x40/0xf0 [ 144.941828] do_el0_svc+0x28/0xd0 [ 144.941830] el0_svc+0x28/0x90 [ 144.941835] el0t_64_sync_handler+0xc0/0xd0 [ 144.941837] el0t_64_sync+0x164/0x168 [ 144.941841] Code: b240bbe1 eb01029f f9000e7f 54000049 (d4210000) 
Bug 4355159
Change-Id: I1855c418ee41725f93b3c8d27bb0becbfcbfbcad
Signed-off-by: Manish Bhardwaj
Reviewed-on: https://git-master.nvidia.com/r/c/linux-nv-oot/+/3010170
GVS: Gerrit_Virtual_Submit
Reviewed-by: Advaya Andhare
Reviewed-by: Sandeep Trasi
---
 drivers/crypto/tegra-nvvse-cryptodev.c | 18 ++++++++++++++++--
 1 file changed, 16 insertions(+), 2 deletions(-)
diff --git a/drivers/crypto/tegra-nvvse-cryptodev.c b/drivers/crypto/tegra-nvvse-cryptodev.c
index bee2a8ca..98a0d87b 100644
--- a/drivers/crypto/tegra-nvvse-cryptodev.c
+++ b/drivers/crypto/tegra-nvvse-cryptodev.c
@@ -318,7 +318,13 @@ static int tnvvse_crypto_sha_update(struct tnvvse_crypto_ctx *ctx,
 struct ahash_request *req;
 char *input_buffer = update_ctl->in_buff;
 struct scatterlist sg;
- int ret = 0;
+ int ret = 0, buffer_size;
+
+ if (update_ctl->input_buffer_size < 0) {
+ pr_err("%s: Invalid Msg size of %d Bytes\n", __func__, update_ctl->input_buffer_size);
+ ret = -EINVAL;
+ goto stop_sha;
+ }
 if (update_ctl->input_buffer_size > ivc_database.max_buffer_size[ctx->node_id]) {
 pr_err("%s: Msg size is greater than supported size of %d Bytes\n", __func__,
@@ -330,7 +336,15 @@ static int tnvvse_crypto_sha_update(struct tnvvse_crypto_ctx *ctx,
 result_buff = sha_state->result_buff;
 req = sha_state->req;
- sha_state->in_buf = kzalloc(update_ctl->input_buffer_size, GFP_KERNEL);
+ /* allocate buffer size as 1 to perform SHA operation
+ * if SHA buffer size passed is zero
+ */
+ if (update_ctl->input_buffer_size == 0)
+ buffer_size = 1;
+ else
+ buffer_size = update_ctl->input_buffer_size;
+
+ sha_state->in_buf = kzalloc(buffer_size, GFP_KERNEL);
 if (sha_state->in_buf == NULL) {
 ret = -ENOMEM;
 goto stop_sha;
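Review bot: The new `pr_err` in the negative-size branch of the first hunk (`@@ -318,7 +318,13`) fires on a value the caller supplies through the ioctl path shown in the commit's call trace, so a process that can open the device can fill the kernel log at will; a rate-limited form is safer: `pr_err_ratelimited("%s: Invalid Msg size of %d Bytes\n", __func__, update_ctl->input_buffer_size);`. The existing size-limit `pr_err` just below it has the same property. The declaration of `input_buffer_size` is not visible here; if the field is unsigned, the `< 0` test can never be true, so the field's type should be confirmed before relying on this check. The body of `tnvvse_crypto_sha_update` begins and ends outside this hunk.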
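Review bot: In the second hunk (`@@ -330,7 +336,15`) only the allocation size is raised to one byte, and the code that copies the caller's data and sets the scatterlist and hash length lies outside the hunk, so it should be confirmed that those calls still use `update_ctl->input_buffer_size` (zero) rather than `buffer_size`; otherwise an empty message would be hashed as a single zero byte. The added comment says what is done but not why; it would help to record the reason, presumably `/* kzalloc(0) returns ZERO_SIZE_PTR, which passes the NULL check below but is not a valid address for sg_init_one() */`. The if/else could also be a single assignment, `buffer_size = update_ctl->input_buffer_size ? update_ctl->input_buffer_size : 1;`, with `buffer_size` declared on its own line in the first hunk.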