[PATCH 4/6] crypto: eip93: use request-local SA records for cipher requests

[Jihong Min]

Cipher and AEAD requests keep mutable direction and copy flags in the SA
record. Updating the tfm-level SA record for decrypt requests can leak
those settings into concurrent requests using the same transform.

Copy the prepared SA record into the request context and apply the
request-specific flags there. Map that request-local record for DMA, then
unmap it on normal completion and validation failures.

Fixes: 9739f5f93b78 ("crypto: eip93 - Add Inside Secure SafeXcel EIP-93 crypto engine support")
Reported-by: Benjamin Larsson <benjamin.larsson@xxxxxxxxxx>
Suggested-by: Benjamin Larsson <benjamin.larsson@xxxxxxxxxx>
Assisted-by: Codex:gpt-5.5
Signed-off-by: Jihong Min <hurryman2212@xxxxxxxxx>
---
 .../crypto/inside-secure/eip93/eip93-aead.c   | 34 +++++++++++++------
 .../crypto/inside-secure/eip93/eip93-cipher.c | 34 ++++++++++++-------
 .../crypto/inside-secure/eip93/eip93-cipher.h |  3 +-
 .../crypto/inside-secure/eip93/eip93-common.c |  9 +++++
 4 files changed, 55 insertions(+), 25 deletions(-)

diff --git a/drivers/crypto/inside-secure/eip93/eip93-aead.c b/drivers/crypto/inside-secure/eip93/eip93-aead.c
index 2bbd0af7b0e0..3b2edb012048 100644
--- a/drivers/crypto/inside-secure/eip93/eip93-aead.c
+++ b/drivers/crypto/inside-secure/eip93/eip93-aead.c
@@ -42,12 +42,18 @@ void eip93_aead_handle_result(struct crypto_async_request *async, int err)
 
 static int eip93_aead_send_req(struct crypto_async_request *async)
 {
+	struct eip93_crypto_ctx *ctx = crypto_tfm_ctx(async->tfm);
 	struct aead_request *req = aead_request_cast(async);
 	struct eip93_cipher_reqctx *rctx = aead_request_ctx(req);
 	int err;
 
 	err = check_valid_request(rctx);
 	if (err) {
+		if (rctx->sa_record_base) {
+			dma_unmap_single(ctx->eip93->dev, rctx->sa_record_base,
+					 sizeof(rctx->sa_record), DMA_TO_DEVICE);
+			rctx->sa_record_base = 0;
+		}
 		aead_request_complete(req, err);
 		return err;
 	}
@@ -81,8 +87,6 @@ static void eip93_aead_cra_exit(struct crypto_tfm *tfm)
 {
 	struct eip93_crypto_ctx *ctx = crypto_tfm_ctx(tfm);
 
-	dma_unmap_single(ctx->eip93->dev, ctx->sa_record_base,
-			 sizeof(*ctx->sa_record), DMA_TO_DEVICE);
 	kfree(ctx->sa_record);
 }
 
@@ -191,11 +195,24 @@ static int eip93_aead_crypt(struct aead_request *req)
 	struct crypto_aead *aead = crypto_aead_reqtfm(req);
 	int ret;
 
-	ctx->sa_record_base = dma_map_single(ctx->eip93->dev, ctx->sa_record,
-					     sizeof(*ctx->sa_record), DMA_TO_DEVICE);
-	ret = dma_mapping_error(ctx->eip93->dev, ctx->sa_record_base);
-	if (ret)
+	memcpy(&rctx->sa_record, ctx->sa_record, sizeof(rctx->sa_record));
+	if (IS_DECRYPT(rctx->flags)) {
+		rctx->sa_record.sa_cmd0_word |= EIP93_SA_CMD_DIRECTION_IN;
+		rctx->sa_record.sa_cmd1_word &= ~(EIP93_SA_CMD_COPY_PAD |
+						   EIP93_SA_CMD_COPY_DIGEST);
+	} else {
+		rctx->sa_record.sa_cmd0_word &= ~EIP93_SA_CMD_DIRECTION_IN;
+		rctx->sa_record.sa_cmd1_word |= EIP93_SA_CMD_COPY_PAD |
+						 EIP93_SA_CMD_COPY_DIGEST;
+	}
+
+	rctx->sa_record_base = dma_map_single(ctx->eip93->dev, &rctx->sa_record,
+					      sizeof(rctx->sa_record), DMA_TO_DEVICE);
+	ret = dma_mapping_error(ctx->eip93->dev, rctx->sa_record_base);
+	if (ret) {
+		rctx->sa_record_base = 0;
 		return ret;
+	}
 
 	rctx->textsize = req->cryptlen;
 	rctx->blksize = ctx->blksize;
@@ -205,7 +222,6 @@ static int eip93_aead_crypt(struct aead_request *req)
 	rctx->sg_dst = req->dst;
 	rctx->ivsize = crypto_aead_ivsize(aead);
 	rctx->desc_flags = EIP93_DESC_AEAD;
-	rctx->sa_record_base = ctx->sa_record_base;
 
 	if (IS_DECRYPT(rctx->flags))
 		rctx->textsize -= rctx->authsize;
@@ -238,10 +254,6 @@ static int eip93_aead_decrypt(struct aead_request *req)
 	struct eip93_crypto_ctx *ctx = crypto_tfm_ctx(req->base.tfm);
 	struct eip93_cipher_reqctx *rctx = aead_request_ctx(req);
 
-	ctx->sa_record->sa_cmd0_word |= EIP93_SA_CMD_DIRECTION_IN;
-	ctx->sa_record->sa_cmd1_word &= ~(EIP93_SA_CMD_COPY_PAD |
-					  EIP93_SA_CMD_COPY_DIGEST);
-
 	rctx->flags = ctx->flags;
 	rctx->flags |= EIP93_DECRYPT;
 	if (ctx->set_assoc) {
diff --git a/drivers/crypto/inside-secure/eip93/eip93-cipher.c b/drivers/crypto/inside-secure/eip93/eip93-cipher.c
index 4dd7ab7503e8..66b85781ef93 100644
--- a/drivers/crypto/inside-secure/eip93/eip93-cipher.c
+++ b/drivers/crypto/inside-secure/eip93/eip93-cipher.c
@@ -32,6 +32,7 @@ void eip93_skcipher_handle_result(struct crypto_async_request *async, int err)
 
 static int eip93_skcipher_send_req(struct crypto_async_request *async)
 {
+	struct eip93_crypto_ctx *ctx = crypto_tfm_ctx(async->tfm);
 	struct skcipher_request *req = skcipher_request_cast(async);
 	struct eip93_cipher_reqctx *rctx = skcipher_request_ctx(req);
 	int err;
@@ -39,6 +40,11 @@ static int eip93_skcipher_send_req(struct crypto_async_request *async)
 	err = check_valid_request(rctx);
 
 	if (err) {
+		if (rctx->sa_record_base) {
+			dma_unmap_single(ctx->eip93->dev, rctx->sa_record_base,
+					 sizeof(rctx->sa_record), DMA_TO_DEVICE);
+			rctx->sa_record_base = 0;
+		}
 		skcipher_request_complete(req, err);
 		return err;
 	}
@@ -72,8 +78,6 @@ static void eip93_skcipher_cra_exit(struct crypto_tfm *tfm)
 {
 	struct eip93_crypto_ctx *ctx = crypto_tfm_ctx(tfm);
 
-	dma_unmap_single(ctx->eip93->dev, ctx->sa_record_base,
-			 sizeof(*ctx->sa_record), DMA_TO_DEVICE);
 	kfree(ctx->sa_record);
 }
 
@@ -133,7 +137,7 @@ static int eip93_skcipher_setkey(struct crypto_skcipher *ctfm, const u8 *key,
 	return 0;
 }
 
-static int eip93_skcipher_crypt(struct skcipher_request *req)
+static int eip93_skcipher_crypt(struct skcipher_request *req, bool encrypt)
 {
 	struct eip93_cipher_reqctx *rctx = skcipher_request_ctx(req);
 	struct crypto_async_request *async = &req->base;
@@ -153,11 +157,19 @@ static int eip93_skcipher_crypt(struct skcipher_request *req)
 				crypto_skcipher_blocksize(skcipher)))
 			return -EINVAL;
 
-	ctx->sa_record_base = dma_map_single(ctx->eip93->dev, ctx->sa_record,
-					     sizeof(*ctx->sa_record), DMA_TO_DEVICE);
-	ret = dma_mapping_error(ctx->eip93->dev, ctx->sa_record_base);
-	if (ret)
+	memcpy(&rctx->sa_record, ctx->sa_record, sizeof(rctx->sa_record));
+	if (encrypt)
+		rctx->sa_record.sa_cmd0_word &= ~EIP93_SA_CMD_DIRECTION_IN;
+	else
+		rctx->sa_record.sa_cmd0_word |= EIP93_SA_CMD_DIRECTION_IN;
+
+	rctx->sa_record_base = dma_map_single(ctx->eip93->dev, &rctx->sa_record,
+					      sizeof(rctx->sa_record), DMA_TO_DEVICE);
+	ret = dma_mapping_error(ctx->eip93->dev, rctx->sa_record_base);
+	if (ret) {
+		rctx->sa_record_base = 0;
 		return ret;
+	}
 
 	rctx->assoclen = 0;
 	rctx->textsize = req->cryptlen;
@@ -167,7 +179,6 @@ static int eip93_skcipher_crypt(struct skcipher_request *req)
 	rctx->ivsize = crypto_skcipher_ivsize(skcipher);
 	rctx->blksize = ctx->blksize;
 	rctx->desc_flags = EIP93_DESC_SKCIPHER;
-	rctx->sa_record_base = ctx->sa_record_base;
 
 	return eip93_skcipher_send_req(async);
 }
@@ -181,22 +192,19 @@ static int eip93_skcipher_encrypt(struct skcipher_request *req)
 	rctx->flags = tmpl->flags;
 	rctx->flags |= EIP93_ENCRYPT;
 
-	return eip93_skcipher_crypt(req);
+	return eip93_skcipher_crypt(req, true);
 }
 
 static int eip93_skcipher_decrypt(struct skcipher_request *req)
 {
-	struct eip93_crypto_ctx *ctx = crypto_tfm_ctx(req->base.tfm);
 	struct eip93_cipher_reqctx *rctx = skcipher_request_ctx(req);
 	struct eip93_alg_template *tmpl = container_of(req->base.tfm->__crt_alg,
 				struct eip93_alg_template, alg.skcipher.base);
 
-	ctx->sa_record->sa_cmd0_word |= EIP93_SA_CMD_DIRECTION_IN;
-
 	rctx->flags = tmpl->flags;
 	rctx->flags |= EIP93_DECRYPT;
 
-	return eip93_skcipher_crypt(req);
+	return eip93_skcipher_crypt(req, false);
 }
 
 /* Available algorithms in this module */
diff --git a/drivers/crypto/inside-secure/eip93/eip93-cipher.h b/drivers/crypto/inside-secure/eip93/eip93-cipher.h
index 47e4e84ff14e..e9612696c388 100644
--- a/drivers/crypto/inside-secure/eip93/eip93-cipher.h
+++ b/drivers/crypto/inside-secure/eip93/eip93-cipher.h
@@ -9,6 +9,7 @@
 #define _EIP93_CIPHER_H_
 
 #include "eip93-main.h"
+#include "eip93-regs.h"
 
 struct eip93_crypto_ctx {
 	struct eip93_device		*eip93;
@@ -16,7 +17,6 @@ struct eip93_crypto_ctx {
 	struct sa_record		*sa_record;
 	u32				sa_nonce;
 	int				blksize;
-	dma_addr_t			sa_record_base;
 	/* AEAD specific */
 	unsigned int			authsize;
 	unsigned int			assoclen;
@@ -32,6 +32,7 @@ struct eip93_cipher_reqctx {
 	unsigned int			textsize;
 	unsigned int			assoclen;
 	unsigned int			authsize;
+	struct sa_record		sa_record __aligned(CRYPTO_DMA_ALIGN);
 	dma_addr_t			sa_record_base;
 	struct sa_state			*sa_state;
 	dma_addr_t			sa_state_base;
diff --git a/drivers/crypto/inside-secure/eip93/eip93-common.c b/drivers/crypto/inside-secure/eip93/eip93-common.c
index ed46730c36bc..f422c93748c9 100644
--- a/drivers/crypto/inside-secure/eip93/eip93-common.c
+++ b/drivers/crypto/inside-secure/eip93/eip93-common.c
@@ -637,6 +637,10 @@ int eip93_send_req(struct crypto_async_request *async,
 				 DMA_TO_DEVICE);
 free_sa_state:
 	kfree(rctx->sa_state);
+	if (rctx->sa_record_base)
+		dma_unmap_single(eip93->dev, rctx->sa_record_base,
+				 sizeof(rctx->sa_record), DMA_TO_DEVICE);
+	rctx->sa_record_base = 0;
 
 	return err;
 }
@@ -693,6 +697,11 @@ void eip93_handle_result(struct eip93_device *eip93, struct eip93_cipher_reqctx
 				 sizeof(*rctx->sa_state_ctr),
 				 DMA_FROM_DEVICE);
 
+	if (rctx->sa_record_base)
+		dma_unmap_single(eip93->dev, rctx->sa_record_base,
+				 sizeof(rctx->sa_record), DMA_TO_DEVICE);
+	rctx->sa_record_base = 0;
+
 	if (rctx->sa_state)
 		dma_unmap_single(eip93->dev, rctx->sa_state_base,
 				 sizeof(*rctx->sa_state),
-- 
2.53.0