HMAC keys often need to be reduced to under the size of a digest to
be used. The driver does this pseudo-synchronously through the use of
hash_digest_key(), which builds a sequence pointered job descriptor to
perform this function.
When this function built the job descriptor, it correctly accounted for the
number of instructions and number of pointers that would go into its
construction. However, it failed to account for the fact that both the
sequence in and out pointers used extended lengths, adding 8 more bytes to
the required job descriptor. This caused the descriptor to overrun the
allocated buffer by that amount, resulting in memory corruptions.
Signed-off-by: Steve Cornelius <steve.cornelius@freescale.com>
Signed-off-by: Terry Lv <r65388@freescale.com>
dma_addr_t src_dma, dst_dma;
int ret = 0;
- desc = kmalloc(CAAM_CMD_SZ * 6 + CAAM_PTR_SZ * 2, GFP_KERNEL | GFP_DMA);
+ /*
+ * Hashing descriptor is 6 commands (including header), 2 pointers,
+ * and 2 extended lengths
+ */
+ desc = kmalloc((CAAM_CMD_SZ * 6 + CAAM_PTR_SZ * 2 +
+ CAAM_EXTLEN_SZ * 2),
+ GFP_KERNEL | GFP_DMA);
init_job_desc(desc, 0);
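Review bot: the size passed to kmalloc() is still a hand-counted sum (6 commands, 2 pointers, 2 extended lengths) kept apart from the code that appends to the descriptor, the same arrangement that let the count fall 8 bytes short before. Consider giving the sum a named macro beside CAAM_EXTLEN_SZ and comparing the built descriptor's length against it before the job is submitted, so a later change to the descriptor fails loudly instead of overrunning the buffer. Separately, in the lines shown the kmalloc() result goes straight into init_job_desc(desc, 0); if there is no NULL check between them, add one and return -ENOMEM on failure.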
#define IMMEDIATE (1 << 23)
#define CAAM_CMD_SZ sizeof(u32)
#define CAAM_PTR_SZ sizeof(dma_addr_t)
+#define CAAM_EXTLEN_SZ sizeof(u32)
#define CAAM_DESC_BYTES_MAX (CAAM_CMD_SZ * MAX_CAAM_DESCSIZE)
#ifdef DEBUG
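Review bot: CAAM_EXTLEN_SZ is introduced without a comment, and sizeof(u32) on its own does not say what it measures. A one-line comment stating that this is the size of the extended length accompanying a sequence in or out pointer would help, since the commit message is currently the only place that connection is made.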