CVE-2025-38300

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> crypto: sun8i-ce-cipher - fix error handling in sun8i_ce_cipher_prepare()<br /> <br /> Fix two DMA cleanup issues on the error path in sun8i_ce_cipher_prepare():<br /> <br /> 1] If dma_map_sg() fails for areq-&gt;dst, the device driver would try to free<br /> DMA memory it has not allocated in the first place. To fix this, on the<br /> "theend_sgs" error path, call dma unmap only if the corresponding dma<br /> map was successful.<br /> <br /> 2] If the dma_map_single() call for the IV fails, the device driver would<br /> try to free an invalid DMA memory address on the "theend_iv" path:<br /> ------------[ cut here ]------------<br /> DMA-API: sun8i-ce 1904000.crypto: device driver tries to free an invalid DMA memory address<br /> WARNING: CPU: 2 PID: 69 at kernel/dma/debug.c:968 check_unmap+0x123c/0x1b90<br /> Modules linked in: skcipher_example(O+)<br /> CPU: 2 UID: 0 PID: 69 Comm: 1904000.crypto- Tainted: G O 6.15.0-rc3+ #24 PREEMPT<br /> Tainted: [O]=OOT_MODULE<br /> Hardware name: OrangePi Zero2 (DT)<br /> pc : check_unmap+0x123c/0x1b90<br /> lr : check_unmap+0x123c/0x1b90<br /> ...<br /> Call trace:<br /> check_unmap+0x123c/0x1b90 (P)<br /> debug_dma_unmap_page+0xac/0xc0<br /> dma_unmap_page_attrs+0x1f4/0x5fc<br /> sun8i_ce_cipher_do_one+0x1bd4/0x1f40<br /> crypto_pump_work+0x334/0x6e0<br /> kthread_worker_fn+0x21c/0x438<br /> kthread+0x374/0x664<br /> ret_from_fork+0x10/0x20<br /> ---[ end trace 0000000000000000 ]---<br /> <br /> To fix this, check for !dma_mapping_error() before calling<br /> dma_unmap_single() on the "theend_iv" path.