Unrated severityNVD Advisory· Published May 27, 2026· Updated May 27, 2026
CVE-2026-46068
CVE-2026-46068
Description
In the Linux kernel, the following vulnerability has been resolved:
crypto: nx - fix bounce buffer leaks in nx842_crypto_{alloc,free}_ctx
The bounce buffers are allocated with __get_free_pages() using BOUNCE_BUFFER_ORDER (order 2 = 4 pages), but both the allocation error path and nx842_crypto_free_ctx() release the buffers with free_page(). Use free_pages() with the matching order instead.
Affected products
1Patches
1080fd99d7c30ecrypto: nx - fix bounce buffer leaks in nx842_crypto_{alloc,free}_ctx
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitThorsten BlumMar 11, 2026Fixed in 7.0.4via kernel-cna
2 files changed · +8 −10
drivers/crypto/nx/nx-842.c+4 −5 modifieddiff --git a/drivers/crypto/nx/nx-842.c b/drivers/crypto/nx/nx-842.c index b61f2545e1652f..661568ce47f0e4 100644 --- a/drivers/crypto/nx/nx-842.c +++ b/drivers/crypto/nx/nx-842.c @@ -116,8 +116,8 @@ void *nx842_crypto_alloc_ctx(struct nx842_driver *driver) ctx->dbounce = (u8 *)__get_free_pages(GFP_KERNEL, BOUNCE_BUFFER_ORDER); if (!ctx->wmem || !ctx->sbounce || !ctx->dbounce) { kfree(ctx->wmem); - free_page((unsigned long)ctx->sbounce); - free_page((unsigned long)ctx->dbounce); + free_pages((unsigned long)ctx->sbounce, BOUNCE_BUFFER_ORDER); + free_pages((unsigned long)ctx->dbounce, BOUNCE_BUFFER_ORDER); kfree(ctx); return ERR_PTR(-ENOMEM); } @@ -131,8 +131,8 @@ void nx842_crypto_free_ctx(void *p) struct nx842_crypto_ctx *ctx = p; kfree(ctx->wmem); - free_page((unsigned long)ctx->sbounce); - free_page((unsigned long)ctx->dbounce); + free_pages((unsigned long)ctx->sbounce, BOUNCE_BUFFER_ORDER); + free_pages((unsigned long)ctx->dbounce, BOUNCE_BUFFER_ORDER); } EXPORT_SYMBOL_GPL(nx842_crypto_free_ctx); -- cgit 1.3-korg
drivers/crypto/nx/nx-842.c+4 −5 modifieddiff --git a/drivers/crypto/nx/nx-842.c b/drivers/crypto/nx/nx-842.c index b61f2545e1652f..661568ce47f0e4 100644 --- a/drivers/crypto/nx/nx-842.c +++ b/drivers/crypto/nx/nx-842.c @@ -116,8 +116,8 @@ void *nx842_crypto_alloc_ctx(struct nx842_driver *driver) ctx->dbounce = (u8 *)__get_free_pages(GFP_KERNEL, BOUNCE_BUFFER_ORDER); if (!ctx->wmem || !ctx->sbounce || !ctx->dbounce) { kfree(ctx->wmem); - free_page((unsigned long)ctx->sbounce); - free_page((unsigned long)ctx->dbounce); + free_pages((unsigned long)ctx->sbounce, BOUNCE_BUFFER_ORDER); + free_pages((unsigned long)ctx->dbounce, BOUNCE_BUFFER_ORDER); kfree(ctx); return ERR_PTR(-ENOMEM); } @@ -131,8 +131,8 @@ void nx842_crypto_free_ctx(void *p) struct nx842_crypto_ctx *ctx = p; kfree(ctx->wmem); - free_page((unsigned long)ctx->sbounce); - free_page((unsigned long)ctx->dbounce); + free_pages((unsigned long)ctx->sbounce, BOUNCE_BUFFER_ORDER); + free_pages((unsigned long)ctx->dbounce, BOUNCE_BUFFER_ORDER); } EXPORT_SYMBOL_GPL(nx842_crypto_free_ctx); -- cgit 1.3-korg
5c07962fed66crypto: nx - fix bounce buffer leaks in nx842_crypto_{alloc,free}_ctx
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitThorsten BlumMar 11, 2026Fixed in 6.18.27via kernel-cna
2 files changed · +8 −10
drivers/crypto/nx/nx-842.c+4 −5 modifieddiff --git a/drivers/crypto/nx/nx-842.c b/drivers/crypto/nx/nx-842.c index b950fcce8a9be3..1f5005fcd69a94 100644 --- a/drivers/crypto/nx/nx-842.c +++ b/drivers/crypto/nx/nx-842.c @@ -116,8 +116,8 @@ void *nx842_crypto_alloc_ctx(struct nx842_driver *driver) ctx->dbounce = (u8 *)__get_free_pages(GFP_KERNEL, BOUNCE_BUFFER_ORDER); if (!ctx->wmem || !ctx->sbounce || !ctx->dbounce) { kfree(ctx->wmem); - free_page((unsigned long)ctx->sbounce); - free_page((unsigned long)ctx->dbounce); + free_pages((unsigned long)ctx->sbounce, BOUNCE_BUFFER_ORDER); + free_pages((unsigned long)ctx->dbounce, BOUNCE_BUFFER_ORDER); kfree(ctx); return ERR_PTR(-ENOMEM); } @@ -131,8 +131,8 @@ void nx842_crypto_free_ctx(void *p) struct nx842_crypto_ctx *ctx = p; kfree(ctx->wmem); - free_page((unsigned long)ctx->sbounce); - free_page((unsigned long)ctx->dbounce); + free_pages((unsigned long)ctx->sbounce, BOUNCE_BUFFER_ORDER); + free_pages((unsigned long)ctx->dbounce, BOUNCE_BUFFER_ORDER); } EXPORT_SYMBOL_GPL(nx842_crypto_free_ctx); -- cgit 1.3-korg
drivers/crypto/nx/nx-842.c+4 −5 modifieddiff --git a/drivers/crypto/nx/nx-842.c b/drivers/crypto/nx/nx-842.c index b950fcce8a9be3..1f5005fcd69a94 100644 --- a/drivers/crypto/nx/nx-842.c +++ b/drivers/crypto/nx/nx-842.c @@ -116,8 +116,8 @@ void *nx842_crypto_alloc_ctx(struct nx842_driver *driver) ctx->dbounce = (u8 *)__get_free_pages(GFP_KERNEL, BOUNCE_BUFFER_ORDER); if (!ctx->wmem || !ctx->sbounce || !ctx->dbounce) { kfree(ctx->wmem); - free_page((unsigned long)ctx->sbounce); - free_page((unsigned long)ctx->dbounce); + free_pages((unsigned long)ctx->sbounce, BOUNCE_BUFFER_ORDER); + free_pages((unsigned long)ctx->dbounce, BOUNCE_BUFFER_ORDER); kfree(ctx); return ERR_PTR(-ENOMEM); } @@ -131,8 +131,8 @@ void nx842_crypto_free_ctx(void *p) struct nx842_crypto_ctx *ctx = p; kfree(ctx->wmem); - free_page((unsigned long)ctx->sbounce); - free_page((unsigned long)ctx->dbounce); + free_pages((unsigned long)ctx->sbounce, BOUNCE_BUFFER_ORDER); + free_pages((unsigned long)ctx->dbounce, BOUNCE_BUFFER_ORDER); } EXPORT_SYMBOL_GPL(nx842_crypto_free_ctx); -- cgit 1.3-korg
adb3faf2db1acrypto: nx - fix bounce buffer leaks in nx842_crypto_{alloc,free}_ctx
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitThorsten BlumMar 11, 2026Fixed in 7.1-rc1via kernel-cna
2 files changed · +8 −10
drivers/crypto/nx/nx-842.c+4 −5 modifieddiff --git a/drivers/crypto/nx/nx-842.c b/drivers/crypto/nx/nx-842.c index b61f2545e1652f..661568ce47f0e4 100644 --- a/drivers/crypto/nx/nx-842.c +++ b/drivers/crypto/nx/nx-842.c @@ -116,8 +116,8 @@ void *nx842_crypto_alloc_ctx(struct nx842_driver *driver) ctx->dbounce = (u8 *)__get_free_pages(GFP_KERNEL, BOUNCE_BUFFER_ORDER); if (!ctx->wmem || !ctx->sbounce || !ctx->dbounce) { kfree(ctx->wmem); - free_page((unsigned long)ctx->sbounce); - free_page((unsigned long)ctx->dbounce); + free_pages((unsigned long)ctx->sbounce, BOUNCE_BUFFER_ORDER); + free_pages((unsigned long)ctx->dbounce, BOUNCE_BUFFER_ORDER); kfree(ctx); return ERR_PTR(-ENOMEM); } @@ -131,8 +131,8 @@ void nx842_crypto_free_ctx(void *p) struct nx842_crypto_ctx *ctx = p; kfree(ctx->wmem); - free_page((unsigned long)ctx->sbounce); - free_page((unsigned long)ctx->dbounce); + free_pages((unsigned long)ctx->sbounce, BOUNCE_BUFFER_ORDER); + free_pages((unsigned long)ctx->dbounce, BOUNCE_BUFFER_ORDER); } EXPORT_SYMBOL_GPL(nx842_crypto_free_ctx); -- cgit 1.3-korg
drivers/crypto/nx/nx-842.c+4 −5 modifieddiff --git a/drivers/crypto/nx/nx-842.c b/drivers/crypto/nx/nx-842.c index b61f2545e1652f..661568ce47f0e4 100644 --- a/drivers/crypto/nx/nx-842.c +++ b/drivers/crypto/nx/nx-842.c @@ -116,8 +116,8 @@ void *nx842_crypto_alloc_ctx(struct nx842_driver *driver) ctx->dbounce = (u8 *)__get_free_pages(GFP_KERNEL, BOUNCE_BUFFER_ORDER); if (!ctx->wmem || !ctx->sbounce || !ctx->dbounce) { kfree(ctx->wmem); - free_page((unsigned long)ctx->sbounce); - free_page((unsigned long)ctx->dbounce); + free_pages((unsigned long)ctx->sbounce, BOUNCE_BUFFER_ORDER); + free_pages((unsigned long)ctx->dbounce, BOUNCE_BUFFER_ORDER); kfree(ctx); return ERR_PTR(-ENOMEM); } @@ -131,8 +131,8 @@ void nx842_crypto_free_ctx(void *p) struct nx842_crypto_ctx *ctx = p; kfree(ctx->wmem); - free_page((unsigned long)ctx->sbounce); - free_page((unsigned long)ctx->dbounce); + free_pages((unsigned long)ctx->sbounce, BOUNCE_BUFFER_ORDER); + free_pages((unsigned long)ctx->dbounce, BOUNCE_BUFFER_ORDER); } EXPORT_SYMBOL_GPL(nx842_crypto_free_ctx); -- cgit 1.3-korg
f17a4850d1cecrypto: nx - fix bounce buffer leaks in nx842_crypto_{alloc,free}_ctx
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitThorsten BlumFixed in 6.6.141via kernel-cna
2 files changed · +8 −10
drivers/crypto/nx/nx-842.c+4 −5 modifieddiff --git a/drivers/crypto/nx/nx-842.c b/drivers/crypto/nx/nx-842.c index 82214cde2bcd96..3b82b6f67f8c40 100644 --- a/drivers/crypto/nx/nx-842.c +++ b/drivers/crypto/nx/nx-842.c @@ -112,8 +112,8 @@ int nx842_crypto_init(struct crypto_tfm *tfm, struct nx842_driver *driver) ctx->dbounce = (u8 *)__get_free_pages(GFP_KERNEL, BOUNCE_BUFFER_ORDER); if (!ctx->wmem || !ctx->sbounce || !ctx->dbounce) { kfree(ctx->wmem); - free_page((unsigned long)ctx->sbounce); - free_page((unsigned long)ctx->dbounce); + free_pages((unsigned long)ctx->sbounce, BOUNCE_BUFFER_ORDER); + free_pages((unsigned long)ctx->dbounce, BOUNCE_BUFFER_ORDER); return -ENOMEM; } @@ -126,8 +126,8 @@ void nx842_crypto_exit(struct crypto_tfm *tfm) struct nx842_crypto_ctx *ctx = crypto_tfm_ctx(tfm); kfree(ctx->wmem); - free_page((unsigned long)ctx->sbounce); - free_page((unsigned long)ctx->dbounce); + free_pages((unsigned long)ctx->sbounce, BOUNCE_BUFFER_ORDER); + free_pages((unsigned long)ctx->dbounce, BOUNCE_BUFFER_ORDER); } EXPORT_SYMBOL_GPL(nx842_crypto_exit); -- cgit 1.3-korg
drivers/crypto/nx/nx-842.c+4 −5 modifieddiff --git a/drivers/crypto/nx/nx-842.c b/drivers/crypto/nx/nx-842.c index 82214cde2bcd96..3b82b6f67f8c40 100644 --- a/drivers/crypto/nx/nx-842.c +++ b/drivers/crypto/nx/nx-842.c @@ -112,8 +112,8 @@ int nx842_crypto_init(struct crypto_tfm *tfm, struct nx842_driver *driver) ctx->dbounce = (u8 *)__get_free_pages(GFP_KERNEL, BOUNCE_BUFFER_ORDER); if (!ctx->wmem || !ctx->sbounce || !ctx->dbounce) { kfree(ctx->wmem); - free_page((unsigned long)ctx->sbounce); - free_page((unsigned long)ctx->dbounce); + free_pages((unsigned long)ctx->sbounce, BOUNCE_BUFFER_ORDER); + free_pages((unsigned long)ctx->dbounce, BOUNCE_BUFFER_ORDER); return -ENOMEM; } @@ -126,8 +126,8 @@ void nx842_crypto_exit(struct crypto_tfm *tfm) struct nx842_crypto_ctx *ctx = crypto_tfm_ctx(tfm); kfree(ctx->wmem); - free_page((unsigned long)ctx->sbounce); - free_page((unsigned long)ctx->dbounce); + free_pages((unsigned long)ctx->sbounce, BOUNCE_BUFFER_ORDER); + free_pages((unsigned long)ctx->dbounce, BOUNCE_BUFFER_ORDER); } EXPORT_SYMBOL_GPL(nx842_crypto_exit); -- cgit 1.3-korg
910bb34b801dcrypto: nx - fix bounce buffer leaks in nx842_crypto_{alloc,free}_ctx
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitThorsten BlumFixed in 6.12.88via kernel-cna
2 files changed · +8 −10
drivers/crypto/nx/nx-842.c+4 −5 modifieddiff --git a/drivers/crypto/nx/nx-842.c b/drivers/crypto/nx/nx-842.c index 82214cde2bcd96..3b82b6f67f8c40 100644 --- a/drivers/crypto/nx/nx-842.c +++ b/drivers/crypto/nx/nx-842.c @@ -112,8 +112,8 @@ int nx842_crypto_init(struct crypto_tfm *tfm, struct nx842_driver *driver) ctx->dbounce = (u8 *)__get_free_pages(GFP_KERNEL, BOUNCE_BUFFER_ORDER); if (!ctx->wmem || !ctx->sbounce || !ctx->dbounce) { kfree(ctx->wmem); - free_page((unsigned long)ctx->sbounce); - free_page((unsigned long)ctx->dbounce); + free_pages((unsigned long)ctx->sbounce, BOUNCE_BUFFER_ORDER); + free_pages((unsigned long)ctx->dbounce, BOUNCE_BUFFER_ORDER); return -ENOMEM; } @@ -126,8 +126,8 @@ void nx842_crypto_exit(struct crypto_tfm *tfm) struct nx842_crypto_ctx *ctx = crypto_tfm_ctx(tfm); kfree(ctx->wmem); - free_page((unsigned long)ctx->sbounce); - free_page((unsigned long)ctx->dbounce); + free_pages((unsigned long)ctx->sbounce, BOUNCE_BUFFER_ORDER); + free_pages((unsigned long)ctx->dbounce, BOUNCE_BUFFER_ORDER); } EXPORT_SYMBOL_GPL(nx842_crypto_exit); -- cgit 1.3-korg
drivers/crypto/nx/nx-842.c+4 −5 modifieddiff --git a/drivers/crypto/nx/nx-842.c b/drivers/crypto/nx/nx-842.c index 82214cde2bcd96..3b82b6f67f8c40 100644 --- a/drivers/crypto/nx/nx-842.c +++ b/drivers/crypto/nx/nx-842.c @@ -112,8 +112,8 @@ int nx842_crypto_init(struct crypto_tfm *tfm, struct nx842_driver *driver) ctx->dbounce = (u8 *)__get_free_pages(GFP_KERNEL, BOUNCE_BUFFER_ORDER); if (!ctx->wmem || !ctx->sbounce || !ctx->dbounce) { kfree(ctx->wmem); - free_page((unsigned long)ctx->sbounce); - free_page((unsigned long)ctx->dbounce); + free_pages((unsigned long)ctx->sbounce, BOUNCE_BUFFER_ORDER); + free_pages((unsigned long)ctx->dbounce, BOUNCE_BUFFER_ORDER); return -ENOMEM; } @@ -126,8 +126,8 @@ void nx842_crypto_exit(struct crypto_tfm *tfm) struct nx842_crypto_ctx *ctx = crypto_tfm_ctx(tfm); kfree(ctx->wmem); - free_page((unsigned long)ctx->sbounce); - free_page((unsigned long)ctx->dbounce); + free_pages((unsigned long)ctx->sbounce, BOUNCE_BUFFER_ORDER); + free_pages((unsigned long)ctx->dbounce, BOUNCE_BUFFER_ORDER); } EXPORT_SYMBOL_GPL(nx842_crypto_exit); -- cgit 1.3-korg
80fd99d7c30ecrypto: nx - fix bounce buffer leaks in nx842_crypto_{alloc,free}_ctx
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.gitThorsten BlumMar 11, 2026via nvd-ref
2 files changed · +8 −10
drivers/crypto/nx/nx-842.c+4 −5 modifieddiff --git a/drivers/crypto/nx/nx-842.c b/drivers/crypto/nx/nx-842.c index b61f2545e1652f..661568ce47f0e4 100644 --- a/drivers/crypto/nx/nx-842.c +++ b/drivers/crypto/nx/nx-842.c @@ -116,8 +116,8 @@ void *nx842_crypto_alloc_ctx(struct nx842_driver *driver) ctx->dbounce = (u8 *)__get_free_pages(GFP_KERNEL, BOUNCE_BUFFER_ORDER); if (!ctx->wmem || !ctx->sbounce || !ctx->dbounce) { kfree(ctx->wmem); - free_page((unsigned long)ctx->sbounce); - free_page((unsigned long)ctx->dbounce); + free_pages((unsigned long)ctx->sbounce, BOUNCE_BUFFER_ORDER); + free_pages((unsigned long)ctx->dbounce, BOUNCE_BUFFER_ORDER); kfree(ctx); return ERR_PTR(-ENOMEM); } @@ -131,8 +131,8 @@ void nx842_crypto_free_ctx(void *p) struct nx842_crypto_ctx *ctx = p; kfree(ctx->wmem); - free_page((unsigned long)ctx->sbounce); - free_page((unsigned long)ctx->dbounce); + free_pages((unsigned long)ctx->sbounce, BOUNCE_BUFFER_ORDER); + free_pages((unsigned long)ctx->dbounce, BOUNCE_BUFFER_ORDER); } EXPORT_SYMBOL_GPL(nx842_crypto_free_ctx); -- cgit 1.3-korg
drivers/crypto/nx/nx-842.c+4 −5 modifieddiff --git a/drivers/crypto/nx/nx-842.c b/drivers/crypto/nx/nx-842.c index b61f2545e1652f..661568ce47f0e4 100644 --- a/drivers/crypto/nx/nx-842.c +++ b/drivers/crypto/nx/nx-842.c @@ -116,8 +116,8 @@ void *nx842_crypto_alloc_ctx(struct nx842_driver *driver) ctx->dbounce = (u8 *)__get_free_pages(GFP_KERNEL, BOUNCE_BUFFER_ORDER); if (!ctx->wmem || !ctx->sbounce || !ctx->dbounce) { kfree(ctx->wmem); - free_page((unsigned long)ctx->sbounce); - free_page((unsigned long)ctx->dbounce); + free_pages((unsigned long)ctx->sbounce, BOUNCE_BUFFER_ORDER); + free_pages((unsigned long)ctx->dbounce, BOUNCE_BUFFER_ORDER); kfree(ctx); return ERR_PTR(-ENOMEM); } @@ -131,8 +131,8 @@ void nx842_crypto_free_ctx(void *p) struct nx842_crypto_ctx *ctx = p; kfree(ctx->wmem); - free_page((unsigned long)ctx->sbounce); - free_page((unsigned long)ctx->dbounce); + free_pages((unsigned long)ctx->sbounce, BOUNCE_BUFFER_ORDER); + free_pages((unsigned long)ctx->dbounce, BOUNCE_BUFFER_ORDER); } EXPORT_SYMBOL_GPL(nx842_crypto_free_ctx); -- cgit 1.3-korg
adb3faf2db1acrypto: nx - fix bounce buffer leaks in nx842_crypto_{alloc,free}_ctx
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.gitThorsten BlumMar 11, 2026via nvd-ref
2 files changed · +8 −10
drivers/crypto/nx/nx-842.c+4 −5 modifieddiff --git a/drivers/crypto/nx/nx-842.c b/drivers/crypto/nx/nx-842.c index b61f2545e1652f..661568ce47f0e4 100644 --- a/drivers/crypto/nx/nx-842.c +++ b/drivers/crypto/nx/nx-842.c @@ -116,8 +116,8 @@ void *nx842_crypto_alloc_ctx(struct nx842_driver *driver) ctx->dbounce = (u8 *)__get_free_pages(GFP_KERNEL, BOUNCE_BUFFER_ORDER); if (!ctx->wmem || !ctx->sbounce || !ctx->dbounce) { kfree(ctx->wmem); - free_page((unsigned long)ctx->sbounce); - free_page((unsigned long)ctx->dbounce); + free_pages((unsigned long)ctx->sbounce, BOUNCE_BUFFER_ORDER); + free_pages((unsigned long)ctx->dbounce, BOUNCE_BUFFER_ORDER); kfree(ctx); return ERR_PTR(-ENOMEM); } @@ -131,8 +131,8 @@ void nx842_crypto_free_ctx(void *p) struct nx842_crypto_ctx *ctx = p; kfree(ctx->wmem); - free_page((unsigned long)ctx->sbounce); - free_page((unsigned long)ctx->dbounce); + free_pages((unsigned long)ctx->sbounce, BOUNCE_BUFFER_ORDER); + free_pages((unsigned long)ctx->dbounce, BOUNCE_BUFFER_ORDER); } EXPORT_SYMBOL_GPL(nx842_crypto_free_ctx); -- cgit 1.3-korg
drivers/crypto/nx/nx-842.c+4 −5 modifieddiff --git a/drivers/crypto/nx/nx-842.c b/drivers/crypto/nx/nx-842.c index b61f2545e1652f..661568ce47f0e4 100644 --- a/drivers/crypto/nx/nx-842.c +++ b/drivers/crypto/nx/nx-842.c @@ -116,8 +116,8 @@ void *nx842_crypto_alloc_ctx(struct nx842_driver *driver) ctx->dbounce = (u8 *)__get_free_pages(GFP_KERNEL, BOUNCE_BUFFER_ORDER); if (!ctx->wmem || !ctx->sbounce || !ctx->dbounce) { kfree(ctx->wmem); - free_page((unsigned long)ctx->sbounce); - free_page((unsigned long)ctx->dbounce); + free_pages((unsigned long)ctx->sbounce, BOUNCE_BUFFER_ORDER); + free_pages((unsigned long)ctx->dbounce, BOUNCE_BUFFER_ORDER); kfree(ctx); return ERR_PTR(-ENOMEM); } @@ -131,8 +131,8 @@ void nx842_crypto_free_ctx(void *p) struct nx842_crypto_ctx *ctx = p; kfree(ctx->wmem); - free_page((unsigned long)ctx->sbounce); - free_page((unsigned long)ctx->dbounce); + free_pages((unsigned long)ctx->sbounce, BOUNCE_BUFFER_ORDER); + free_pages((unsigned long)ctx->dbounce, BOUNCE_BUFFER_ORDER); } EXPORT_SYMBOL_GPL(nx842_crypto_free_ctx); -- cgit 1.3-korg
5c07962fed66crypto: nx - fix bounce buffer leaks in nx842_crypto_{alloc,free}_ctx
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.gitThorsten BlumMar 11, 2026via nvd-ref
2 files changed · +8 −10
drivers/crypto/nx/nx-842.c+4 −5 modifieddiff --git a/drivers/crypto/nx/nx-842.c b/drivers/crypto/nx/nx-842.c index b950fcce8a9be3..1f5005fcd69a94 100644 --- a/drivers/crypto/nx/nx-842.c +++ b/drivers/crypto/nx/nx-842.c @@ -116,8 +116,8 @@ void *nx842_crypto_alloc_ctx(struct nx842_driver *driver) ctx->dbounce = (u8 *)__get_free_pages(GFP_KERNEL, BOUNCE_BUFFER_ORDER); if (!ctx->wmem || !ctx->sbounce || !ctx->dbounce) { kfree(ctx->wmem); - free_page((unsigned long)ctx->sbounce); - free_page((unsigned long)ctx->dbounce); + free_pages((unsigned long)ctx->sbounce, BOUNCE_BUFFER_ORDER); + free_pages((unsigned long)ctx->dbounce, BOUNCE_BUFFER_ORDER); kfree(ctx); return ERR_PTR(-ENOMEM); } @@ -131,8 +131,8 @@ void nx842_crypto_free_ctx(void *p) struct nx842_crypto_ctx *ctx = p; kfree(ctx->wmem); - free_page((unsigned long)ctx->sbounce); - free_page((unsigned long)ctx->dbounce); + free_pages((unsigned long)ctx->sbounce, BOUNCE_BUFFER_ORDER); + free_pages((unsigned long)ctx->dbounce, BOUNCE_BUFFER_ORDER); } EXPORT_SYMBOL_GPL(nx842_crypto_free_ctx); -- cgit 1.3-korg
drivers/crypto/nx/nx-842.c+4 −5 modifieddiff --git a/drivers/crypto/nx/nx-842.c b/drivers/crypto/nx/nx-842.c index b950fcce8a9be3..1f5005fcd69a94 100644 --- a/drivers/crypto/nx/nx-842.c +++ b/drivers/crypto/nx/nx-842.c @@ -116,8 +116,8 @@ void *nx842_crypto_alloc_ctx(struct nx842_driver *driver) ctx->dbounce = (u8 *)__get_free_pages(GFP_KERNEL, BOUNCE_BUFFER_ORDER); if (!ctx->wmem || !ctx->sbounce || !ctx->dbounce) { kfree(ctx->wmem); - free_page((unsigned long)ctx->sbounce); - free_page((unsigned long)ctx->dbounce); + free_pages((unsigned long)ctx->sbounce, BOUNCE_BUFFER_ORDER); + free_pages((unsigned long)ctx->dbounce, BOUNCE_BUFFER_ORDER); kfree(ctx); return ERR_PTR(-ENOMEM); } @@ -131,8 +131,8 @@ void nx842_crypto_free_ctx(void *p) struct nx842_crypto_ctx *ctx = p; kfree(ctx->wmem); - free_page((unsigned long)ctx->sbounce); - free_page((unsigned long)ctx->dbounce); + free_pages((unsigned long)ctx->sbounce, BOUNCE_BUFFER_ORDER); + free_pages((unsigned long)ctx->dbounce, BOUNCE_BUFFER_ORDER); } EXPORT_SYMBOL_GPL(nx842_crypto_free_ctx); -- cgit 1.3-korg
910bb34b801dcrypto: nx - fix bounce buffer leaks in nx842_crypto_{alloc,free}_ctx
2 files changed · +8 −10
drivers/crypto/nx/nx-842.c+4 −5 modifieddiff --git a/drivers/crypto/nx/nx-842.c b/drivers/crypto/nx/nx-842.c index 82214cde2bcd96..3b82b6f67f8c40 100644 --- a/drivers/crypto/nx/nx-842.c +++ b/drivers/crypto/nx/nx-842.c @@ -112,8 +112,8 @@ int nx842_crypto_init(struct crypto_tfm *tfm, struct nx842_driver *driver) ctx->dbounce = (u8 *)__get_free_pages(GFP_KERNEL, BOUNCE_BUFFER_ORDER); if (!ctx->wmem || !ctx->sbounce || !ctx->dbounce) { kfree(ctx->wmem); - free_page((unsigned long)ctx->sbounce); - free_page((unsigned long)ctx->dbounce); + free_pages((unsigned long)ctx->sbounce, BOUNCE_BUFFER_ORDER); + free_pages((unsigned long)ctx->dbounce, BOUNCE_BUFFER_ORDER); return -ENOMEM; } @@ -126,8 +126,8 @@ void nx842_crypto_exit(struct crypto_tfm *tfm) struct nx842_crypto_ctx *ctx = crypto_tfm_ctx(tfm); kfree(ctx->wmem); - free_page((unsigned long)ctx->sbounce); - free_page((unsigned long)ctx->dbounce); + free_pages((unsigned long)ctx->sbounce, BOUNCE_BUFFER_ORDER); + free_pages((unsigned long)ctx->dbounce, BOUNCE_BUFFER_ORDER); } EXPORT_SYMBOL_GPL(nx842_crypto_exit); -- cgit 1.3-korg
drivers/crypto/nx/nx-842.c+4 −5 modifieddiff --git a/drivers/crypto/nx/nx-842.c b/drivers/crypto/nx/nx-842.c index 82214cde2bcd96..3b82b6f67f8c40 100644 --- a/drivers/crypto/nx/nx-842.c +++ b/drivers/crypto/nx/nx-842.c @@ -112,8 +112,8 @@ int nx842_crypto_init(struct crypto_tfm *tfm, struct nx842_driver *driver) ctx->dbounce = (u8 *)__get_free_pages(GFP_KERNEL, BOUNCE_BUFFER_ORDER); if (!ctx->wmem || !ctx->sbounce || !ctx->dbounce) { kfree(ctx->wmem); - free_page((unsigned long)ctx->sbounce); - free_page((unsigned long)ctx->dbounce); + free_pages((unsigned long)ctx->sbounce, BOUNCE_BUFFER_ORDER); + free_pages((unsigned long)ctx->dbounce, BOUNCE_BUFFER_ORDER); return -ENOMEM; } @@ -126,8 +126,8 @@ void nx842_crypto_exit(struct crypto_tfm *tfm) struct nx842_crypto_ctx *ctx = crypto_tfm_ctx(tfm); kfree(ctx->wmem); - free_page((unsigned long)ctx->sbounce); - free_page((unsigned long)ctx->dbounce); + free_pages((unsigned long)ctx->sbounce, BOUNCE_BUFFER_ORDER); + free_pages((unsigned long)ctx->dbounce, BOUNCE_BUFFER_ORDER); } EXPORT_SYMBOL_GPL(nx842_crypto_exit); -- cgit 1.3-korg
f17a4850d1cecrypto: nx - fix bounce buffer leaks in nx842_crypto_{alloc,free}_ctx
2 files changed · +8 −10
drivers/crypto/nx/nx-842.c+4 −5 modifieddiff --git a/drivers/crypto/nx/nx-842.c b/drivers/crypto/nx/nx-842.c index 82214cde2bcd96..3b82b6f67f8c40 100644 --- a/drivers/crypto/nx/nx-842.c +++ b/drivers/crypto/nx/nx-842.c @@ -112,8 +112,8 @@ int nx842_crypto_init(struct crypto_tfm *tfm, struct nx842_driver *driver) ctx->dbounce = (u8 *)__get_free_pages(GFP_KERNEL, BOUNCE_BUFFER_ORDER); if (!ctx->wmem || !ctx->sbounce || !ctx->dbounce) { kfree(ctx->wmem); - free_page((unsigned long)ctx->sbounce); - free_page((unsigned long)ctx->dbounce); + free_pages((unsigned long)ctx->sbounce, BOUNCE_BUFFER_ORDER); + free_pages((unsigned long)ctx->dbounce, BOUNCE_BUFFER_ORDER); return -ENOMEM; } @@ -126,8 +126,8 @@ void nx842_crypto_exit(struct crypto_tfm *tfm) struct nx842_crypto_ctx *ctx = crypto_tfm_ctx(tfm); kfree(ctx->wmem); - free_page((unsigned long)ctx->sbounce); - free_page((unsigned long)ctx->dbounce); + free_pages((unsigned long)ctx->sbounce, BOUNCE_BUFFER_ORDER); + free_pages((unsigned long)ctx->dbounce, BOUNCE_BUFFER_ORDER); } EXPORT_SYMBOL_GPL(nx842_crypto_exit); -- cgit 1.3-korg
drivers/crypto/nx/nx-842.c+4 −5 modifieddiff --git a/drivers/crypto/nx/nx-842.c b/drivers/crypto/nx/nx-842.c index 82214cde2bcd96..3b82b6f67f8c40 100644 --- a/drivers/crypto/nx/nx-842.c +++ b/drivers/crypto/nx/nx-842.c @@ -112,8 +112,8 @@ int nx842_crypto_init(struct crypto_tfm *tfm, struct nx842_driver *driver) ctx->dbounce = (u8 *)__get_free_pages(GFP_KERNEL, BOUNCE_BUFFER_ORDER); if (!ctx->wmem || !ctx->sbounce || !ctx->dbounce) { kfree(ctx->wmem); - free_page((unsigned long)ctx->sbounce); - free_page((unsigned long)ctx->dbounce); + free_pages((unsigned long)ctx->sbounce, BOUNCE_BUFFER_ORDER); + free_pages((unsigned long)ctx->dbounce, BOUNCE_BUFFER_ORDER); return -ENOMEM; } @@ -126,8 +126,8 @@ void nx842_crypto_exit(struct crypto_tfm *tfm) struct nx842_crypto_ctx *ctx = crypto_tfm_ctx(tfm); kfree(ctx->wmem); - free_page((unsigned long)ctx->sbounce); - free_page((unsigned long)ctx->dbounce); + free_pages((unsigned long)ctx->sbounce, BOUNCE_BUFFER_ORDER); + free_pages((unsigned long)ctx->dbounce, BOUNCE_BUFFER_ORDER); } EXPORT_SYMBOL_GPL(nx842_crypto_exit); -- cgit 1.3-korg
Vulnerability mechanics
Root cause
"Mismatched memory deallocation: bounce buffers allocated with __get_free_pages(order 2) are freed with free_page() (which only releases one page) instead of free_pages() with the matching order."
Attack vector
An attacker triggers the bug by causing the NX-842 crypto compression context to be allocated and then freed (either via a failed allocation or normal teardown). When the kernel's crypto subsystem creates a compression context, nx842_crypto_alloc_ctx() (or nx842_crypto_init()) allocates sbounce and dbounce buffers using __get_free_pages() with BOUNCE_BUFFER_ORDER (order 2 = 4 pages). If any of the three allocations (wmem, sbounce, dbounce) fails, the error path frees already-allocated bounce buffers with free_page() instead of free_pages(), leaking 3 of the 4 pages per buffer. Similarly, nx842_crypto_free_ctx() (or nx842_crypto_exit()) frees the buffers with free_page() on normal teardown, causing the same partial leak. No special network path or authentication is required — any local user or workload that can instantiate and release the NX-842 crypto algorithm can trigger the memory leak.
Affected code
The bug is in drivers/crypto/nx/nx-842.c in the functions nx842_crypto_alloc_ctx() (or nx842_crypto_init() in older variants) and nx842_crypto_free_ctx() (or nx842_crypto_exit()). The bounce buffers sbounce and dbounce are allocated with __get_free_pages(GFP_KERNEL, BOUNCE_BUFFER_ORDER) but freed with free_page() instead of free_pages(..., BOUNCE_BUFFER_ORDER) [patch_id=2659985].
What the fix does
The patch replaces free_page() with free_pages() and passes BOUNCE_BUFFER_ORDER as the second argument in both the allocation error path and the free function (nx842_crypto_free_ctx / nx842_crypto_exit) in drivers/crypto/nx/nx-842.c [patch_id=2659985]. This ensures that all 4 pages allocated by __get_free_pages(GFP_KERNEL, BOUNCE_BUFFER_ORDER) are properly released, closing the memory leak. The same fix is applied across all stable backports [patch_id=2659984, patch_id=2659983, patch_id=2659982, patch_id=2659981].
Preconditions
- configThe kernel must be built with CONFIG_CRYPTO_DEV_NX_COMPRESS (or CONFIG_CRYPTO_DEV_NX) enabled and the NX-842 crypto compression algorithm must be available.
- inputAn attacker must be able to trigger allocation and teardown of the NX-842 crypto compression context, e.g. by using the crypto API to create and destroy a compression tfm.
Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
5- git.kernel.org/stable/c/5c07962fed66e1238fad7635fa150570bd38b4c5nvd
- git.kernel.org/stable/c/80fd99d7c30ea889662d21f1b44d8fea4c83138dnvd
- git.kernel.org/stable/c/910bb34b801d39794e656f7d48414844b2bd354envd
- git.kernel.org/stable/c/adb3faf2db1a66d0f015b44ac909a32dfc7f2f9cnvd
- git.kernel.org/stable/c/f17a4850d1ce7c11cba8b1830b9bfedfede878bbnvd
News mentions
0No linked articles in our index yet.