CVE-2025-38300

In the Linux kernel, the following vulnerability has been resolved:

crypto: sun8i-ce-cipher - fix error handling in sun8icecipher_prepare()

Fix two DMA cleanup issues on the error path in sun8icecipher_prepare():

1] If dmamapsg() fails for areq->dst, the device driver would try to free DMA memory it has not allocated in the first place. To fix this, on the "theend_sgs" error path, call dma unmap only if the corresponding dma map was successful.

2] If the dmamapsingle() call for the IV fails, the device driver would try to free an invalid DMA memory address on the "theendiv" path: ------------[ cut here ]------------ DMA-API: sun8i-ce 1904000.crypto: device driver tries to free an invalid DMA memory address WARNING: CPU: 2 PID: 69 at kernel/dma/debug.c:968 checkunmap+0x123c/0x1b90 Modules linked in: skcipherexample(O+) CPU: 2 UID: 0 PID: 69 Comm: 1904000.crypto- Tainted: G O 6.15.0-rc3+ #24 PREEMPT Tainted: [O]=OOTMODULE Hardware name: OrangePi Zero2 (DT) pc : checkunmap+0x123c/0x1b90 lr : checkunmap+0x123c/0x1b90 ... Call trace: checkunmap+0x123c/0x1b90 (P) debugdmaunmappage+0xac/0xc0 dmaunmappageattrs+0x1f4/0x5fc sun8icecipherdoone+0x1bd4/0x1f40 cryptopumpwork+0x334/0x6e0 kthreadworkerfn+0x21c/0x438 kthread+0x374/0x664 retfrom_fork+0x10/0x20 ---[ end trace 0000000000000000 ]---

To fix this, check for !dmamappingerror() before calling dmaunmapsingle() on the "theend_iv" path.