Gitiles
Code Review Sign In
git01.mediatek.com / openwrt / feeds / mtk-openwrt-feeds / d66221dcea1ffeb129dbca29f0073135cdf8a700^! / .
commitd66221dcea1ffeb129dbca29f0073135cdf8a700[log] [tgz]
authordeveloper <developer@mediatek.com>Mon Apr 01 19:03:52 2024 +0800
committerdeveloper <developer@mediatek.com>Tue Apr 02 13:26:10 2024 +0800
treeb2a308f8dbd000a71af6e8da9688d7bac0fef9f3
parent4e9a15dd864d5cf1b0e5383a95eb69596008067f [diff]
[][openwrt][mt7988][crypto][Fix eip driver coverity]

[Description]
Fix coverity include following problems:
Resource leak
Data race condition
Uninitialized pointer read
CERT-C Expression
Logically dead code
Dereference null return value
Double free

[Release-log]
N/A


Change-Id: I26e51f392665decdb4742db0561dfd2d1b1cc5ae
Reviewed-on: https://gerrit.mediatek.inc/c/openwrt/feeds/mtk_openwrt_feeds/+/8887067

diff --git a/feed/kernel/crypto-eip/src/ddk-wrapper.c b/feed/kernel/crypto-eip/src/ddk-wrapper.c
index b3c5b90..ffc0df1 100644
--- a/feed/kernel/crypto-eip/src/ddk-wrapper.c
+++ b/feed/kernel/crypto-eip/src/ddk-wrapper.c

@@ -265,9 +265,13 @@
 	int ret = 0;
 
 	while (true) {
-		if (list_empty(&result_list))
+		spin_lock_bh(&add_lock);
+		if (list_empty(&result_list)) {
+			spin_unlock_bh(&add_lock);
 			return;
+		}
 		rd = list_first_entry(&result_list, struct mtk_crypto_result, list);
+		spin_unlock_bh(&add_lock);
 
 		if (crypto_pe_get_one(&OutTokenDscr, OutputToken, &Res) < 1) {
 			PEC_NotifyFunction_t CBFunc;
@@ -859,12 +863,14 @@
 		mtk_req->nr_dst = mtk_req->nr_src;
 		if (unlikely((totlen_src || totlen_dst) && (mtk_req->nr_src <= 0))) {
 			CRYPTO_ERR("In-place buffer not large enough\n");
+			kfree(TCRData);
 			return -EINVAL;
 		}
 		dma_map_sg(crypto_dev, src, mtk_req->nr_src, DMA_BIDIRECTIONAL);
 	} else {
 		if (unlikely(totlen_src && (mtk_req->nr_src <= 0))) {
 			CRYPTO_ERR("Source buffer not large enough\n");
+			kfree(TCRData);
 			return -EINVAL;
 		}
 		dma_map_sg(crypto_dev, src, mtk_req->nr_src, DMA_TO_DEVICE);
@@ -872,6 +878,7 @@
 		if (unlikely(totlen_dst && (mtk_req->nr_dst <= 0))) {
 			CRYPTO_ERR("Dest buffer not large enough\n");
 			dma_unmap_sg(crypto_dev, src, mtk_req->nr_src, DMA_TO_DEVICE);
+			kfree(TCRData);
 			return -EINVAL;
 		}
 		dma_map_sg(crypto_dev, dst, mtk_req->nr_dst, DMA_FROM_DEVICE);
@@ -2697,8 +2704,6 @@
 		}
 		params.AuthKey1_p = InnerDigest;
 		params.AuthKey2_p = OuterDigest;
-		InnerDigest = NULL;
-		OuterDigest = NULL;
 #endif
 	}
 

diff --git a/feed/kernel/crypto-eip/src/lookaside-cipher.c b/feed/kernel/crypto-eip/src/lookaside-cipher.c
index 3069dfc..df46d47 100644
--- a/feed/kernel/crypto-eip/src/lookaside-cipher.c
+++ b/feed/kernel/crypto-eip/src/lookaside-cipher.c

@@ -98,18 +98,20 @@
 	uint8_t *temp;
 
 	if (ctx->mode == MTK_CRYPTO_MODE_CCM && mtk_req->direction == MTK_CRYPTO_DECRYPT) {
-		if (mtk_req->direction == MTK_CRYPTO_ENCRYPT)
-			pkt_size = req->cryptlen + req->assoclen + crypto_aead_authsize(aead);
-		else
-			pkt_size = req->cryptlen + req->assoclen - crypto_aead_authsize(aead);
+		pkt_size = req->cryptlen + req->assoclen - crypto_aead_authsize(aead);
 
 		temp = kmalloc(pkt_size, GFP_KERNEL);
+		if (!temp) {
+			CRYPTO_ERR("no enough memory for result\n");
+			goto free_dma;
+		}
 		memset(temp, 0, pkt_size);
 		sg_copy_to_buffer(req->dst, mtk_req->nr_dst, temp + 8, pkt_size - 8);
 		sg_copy_from_buffer(req->dst, mtk_req->nr_dst, temp, pkt_size);
 		kfree(temp);
 	}
 
+free_dma:
 	if (req->src == req->dst) {
 		dma_unmap_sg(crypto_dev, req->src, mtk_req->nr_src, DMA_BIDIRECTIONAL);
 	} else {
@@ -634,6 +636,9 @@
 	struct crypto_aes_ctx aes;
 	int err = -EINVAL, i;
 
+	memset(&istate, 0, sizeof(struct mtk_crypto_ahash_export_state));
+	memset(&ostate, 0, sizeof(struct mtk_crypto_ahash_export_state));
+
 	if (unlikely(crypto_authenc_extractkeys(&keys, key, len)))
 		goto badkey;
 

diff --git a/feed/kernel/crypto-eip/src/lookaside-hash.c b/feed/kernel/crypto-eip/src/lookaside-hash.c
index f831006..8e0ed27 100644
--- a/feed/kernel/crypto-eip/src/lookaside-hash.c
+++ b/feed/kernel/crypto-eip/src/lookaside-hash.c

@@ -49,7 +49,7 @@
 	int areq_shift;
 	u64 queued;
 	u64 len;
-	bool ret;
+	bool ret = 0;
 	uint8_t *cur_req;
 	int i;
 
@@ -97,7 +97,7 @@
 		sg_copy_to_buffer(areq->src, sg_nents(areq->src), cur_req + cache_len, queued);
 
 	if (unlikely(req->xcbcmac)) {
-		int pad_size;
+		int pad_size = 0;
 		int offset;
 		int new;
 
@@ -148,7 +148,6 @@
 	if (ret) {
 		if (req->sa_pointer)
 			crypto_free_sa(req->sa_pointer);
-		kfree(req->token_context);
 		CRYPTO_ERR("Fail on ahash_req process\n");
 		goto exit;
 	}
@@ -612,7 +611,7 @@
 free_ipad:
 	kfree(ipad);
 free_request:
-	ahash_request_free(areq);
+	kfree(areq);
 free_ahash:
 	crypto_free_ahash(tfm);
 
@@ -662,7 +661,7 @@
 free_ipad:
 	kfree(ipad);
 free_request:
-	ahash_request_free(areq);
+	kfree(areq);
 free_ahash:
 	crypto_free_ahash(tfm);
 
@@ -677,6 +676,9 @@
 	struct mtk_crypto_ahash_export_state istate, ostate, zeroi;
 	int ret;
 
+	memset(&zeroi, 0, sizeof(struct mtk_crypto_ahash_export_state));
+	memset(&istate, 0, sizeof(struct mtk_crypto_ahash_export_state));
+	memset(&ostate, 0, sizeof(struct mtk_crypto_ahash_export_state));
 	ret = mtk_crypto_hmac_setkey(alg, key, keylen, &istate, &ostate);
 	if (ret)
 		return ret;