[PATCH] crypto: nx - fix memory leaks in nx842_crypto_{alloc,free}_ctx

Thorsten Blum posted 1 patch 3 weeks, 6 days ago
drivers/crypto/nx/nx-842.c | 10 ++++------
1 file changed, 4 insertions(+), 6 deletions(-)
[PATCH] crypto: nx - fix memory leaks in nx842_crypto_{alloc,free}_ctx
Posted by Thorsten Blum 3 weeks, 6 days ago
The bounce buffers are allocated with __get_free_pages() using
BOUNCE_BUFFER_ORDER (order 2 = 4 pages), but both the allocation error
path and nx842_crypto_free_ctx() release the buffers with free_page().
Use free_pages() with the matching order instead.

Also, since the scomp conversion, nx842_crypto_alloc_ctx() allocates the
context separately, but nx842_crypto_free_ctx() never releases it. Add
the missing kfree(ctx) in nx842_crypto_free_ctx(), and reuse
nx842_crypto_free_ctx() in the allocation error path.

Fixes: ed70b479c2c0 ("crypto: nx - add hardware 842 crypto comp alg")
Fixes: 980b5705f4e7 ("crypto: nx - Migrate to scomp API")
Cc: stable@vger.kernel.org
Signed-off-by: Thorsten Blum <thorsten.blum@linux.dev>
---
 drivers/crypto/nx/nx-842.c | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)

diff --git a/drivers/crypto/nx/nx-842.c b/drivers/crypto/nx/nx-842.c
index b61f2545e165..a61208cbcd27 100644
--- a/drivers/crypto/nx/nx-842.c
+++ b/drivers/crypto/nx/nx-842.c
@@ -115,10 +115,7 @@ void *nx842_crypto_alloc_ctx(struct nx842_driver *driver)
 	ctx->sbounce = (u8 *)__get_free_pages(GFP_KERNEL, BOUNCE_BUFFER_ORDER);
 	ctx->dbounce = (u8 *)__get_free_pages(GFP_KERNEL, BOUNCE_BUFFER_ORDER);
 	if (!ctx->wmem || !ctx->sbounce || !ctx->dbounce) {
-		kfree(ctx->wmem);
-		free_page((unsigned long)ctx->sbounce);
-		free_page((unsigned long)ctx->dbounce);
-		kfree(ctx);
+		nx842_crypto_free_ctx(ctx);
 		return ERR_PTR(-ENOMEM);
 	}
 
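Review bot: the error path in nx842_crypto_alloc_ctx() no longer frees ctx itself and now relies on nx842_crypto_free_ctx() to do so, which only holds once the kfree(ctx) from the second hunk is applied. If the change is split or backported per Fixes tag, this hunk has to land together with or after that one, otherwise ctx leaks on the -ENOMEM return. The helper is also reached here with any of wmem, sbounce or dbounce possibly NULL; kfree(NULL) and free_pages() with a zero address are both no-ops, so the call is safe, but the commit message should say that nx842_crypto_free_ctx() is meant to handle a partially initialised context.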
@@ -131,8 +128,9 @@ void nx842_crypto_free_ctx(void *p)
 	struct nx842_crypto_ctx *ctx = p;
 
 	kfree(ctx->wmem);
-	free_page((unsigned long)ctx->sbounce);
-	free_page((unsigned long)ctx->dbounce);
+	free_pages((unsigned long)ctx->sbounce, BOUNCE_BUFFER_ORDER);
+	free_pages((unsigned long)ctx->dbounce, BOUNCE_BUFFER_ORDER);
+	kfree(ctx);
 }
 EXPORT_SYMBOL_GPL(nx842_crypto_free_ctx);
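Review bot: with kfree(ctx) added at the end of nx842_crypto_free_ctx(), the function now takes ownership of the context, so each caller should be checked for a second free of the same pointer and for passing the ERR_PTR(-ENOMEM) that nx842_crypto_alloc_ctx() returns on failure, since ctx is dereferenced here without any check. The commit message ties the missing kfree(ctx) to the scomp conversion only, while the free_page() to free_pages() change goes back to the older commit; because the two changes carry different Fixes tags, a stable backport of the free_pages() fix should not carry kfree(ctx) into trees that predate the conversion.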
Re: [PATCH] crypto: nx - fix memory leaks in nx842_crypto_{alloc,free}_ctx
Posted by Ard Biesheuvel 3 weeks, 6 days ago
Hi Thorsten,

On Wed, 11 Mar 2026, at 16:09, Thorsten Blum wrote:
> The bounce buffers are allocated with __get_free_pages() using
> BOUNCE_BUFFER_ORDER (order 2 = 4 pages), but both the allocation error
> path and nx842_crypto_free_ctx() release the buffers with free_page().
> Use free_pages() with the matching order instead.
>
> Also, since the scomp conversion, nx842_crypto_alloc_ctx() allocates the
> context separately, but nx842_crypto_free_ctx() never releases it. Add
> the missing kfree(ctx) in nx842_crypto_free_ctx(), and reuse
> nx842_crypto_free_ctx() in the allocation error path.
>
> Fixes: ed70b479c2c0 ("crypto: nx - add hardware 842 crypto comp alg")
> Fixes: 980b5705f4e7 ("crypto: nx - Migrate to scomp API")

Thanks for the fixes.

Given that you are fixing two separate issues that were introduced ~10 years apart, I think it would be better to split this up.
Re: [PATCH] crypto: nx - fix memory leaks in nx842_crypto_{alloc,free}_ctx
Posted by Thorsten Blum 3 weeks, 6 days ago
On 11. Mar 2026, at 16:16, Ard Biesheuvel wrote:
> On Wed, 11 Mar 2026, at 16:09, Thorsten Blum wrote:
>> The bounce buffers are allocated with __get_free_pages() using
>> BOUNCE_BUFFER_ORDER (order 2 = 4 pages), but both the allocation error
>> path and nx842_crypto_free_ctx() release the buffers with free_page().
>> Use free_pages() with the matching order instead.
>> 
>> Also, since the scomp conversion, nx842_crypto_alloc_ctx() allocates the
>> context separately, but nx842_crypto_free_ctx() never releases it. Add
>> the missing kfree(ctx) in nx842_crypto_free_ctx(), and reuse
>> nx842_crypto_free_ctx() in the allocation error path.
>> 
>> Fixes: ed70b479c2c0 ("crypto: nx - add hardware 842 crypto comp alg")
>> Fixes: 980b5705f4e7 ("crypto: nx - Migrate to scomp API")
> 
> Thanks for the fixes.
> 
> Given that you are fixing two separate issues that were introduced ~10 years apart, I think it would be better to split this up.

Yes, good idea. I submitted them separately here:

https://lore.kernel.org/lkml/20260311155645.397083-4-thorsten.blum@linux.dev/

Thanks,
Thorsten