[PATCH 0/4] crypto: Port ecc.c fixes from kernel

[PATCH 0/4] crypto: Port ecc.c fixes from kernel

[Jonas Rebmann]

We've been working on processes for porting fixes from copied code in
winter and introduced Origin-URL references [1] during those
discussions.

Now thanks to Lukas we're reminded to put this to practice.

This series is a proposal on future standard practice of porting such
patches: Update the Origin-URL in every ported patch, mention the origin
project in the "cherry picked from" line. Handle like a backport for all
other regards.

Note that the most recent ported patch is linux commit c66e0a273f22
("crypto: ecc - Streamline alloc_point and remove
{alloc,free}_digits_space") but Origin-URL is pointing at commit
d6ea871d73ab ("crypto: ecc - Use crypto_stdrng_get_bytes()"), which I
intentionally skipped when porting as not applicable to barebox (we have
a different random bytes API). This is so that the file is now
recognizable as up to date until further updates on linux master.

To establish these processes, we should soon underscore them with some
tooling like Ahmad did in [1].

[1] https://lore.kernel.org/barebox/20251218151807.691382-1-a.fatoum@pengutronix.de/

Signed-off-by: Jonas Rebmann <jre@pengutronix.de>
---
Jonas Rebmann (1):
      crypto: ecc: Add Origin-URL to document kernel revision

Lukas Wunner (1):
      crypto: ecdsa - Harden against integer overflows in DIV_ROUND_UP()

Stefan Berger (1):
      crypto: ecc - Fix off-by-one missing to clear most significant digit

Thorsten Blum (1):
      crypto: ecc - Streamline alloc_point and remove {alloc,free}_digits_space

 crypto/ecc.c         | 32 ++++++++++++--------------------
 include/linux/math.h | 12 ++++++++++++
 2 files changed, 24 insertions(+), 20 deletions(-)
---
base-commit: c7bdd78be7cc9449a49a429a342c83f8085b1475
change-id: 20260515-barebox-port-ecc-1d6e25c9608c

Best regards,
--  
Jonas Rebmann <jre@pengutronix.de>

[PATCH 1/4] crypto: ecc: Add Origin-URL to document kernel revision

[Jonas Rebmann]

To systematically port fixes from the linux kernel, add
Origin-URL-references[1] to crypto/ecc.c which was copied from the linux
kernel in commit d2cc4152f483 ("Add elliptic curve cryptography (ECC)
helper functions").

[1]: https://lore.kernel.org/barebox/20251218151807.691382-1-a.fatoum@pengutronix.de/

Signed-off-by: Jonas Rebmann <jre@pengutronix.de>
---
 crypto/ecc.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/crypto/ecc.c b/crypto/ecc.c
index c3d71627a6..77068ebfbd 100644
--- a/crypto/ecc.c
+++ b/crypto/ecc.c
@@ -1,3 +1,4 @@
+// SPDX-Comment: Origin-URL: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/crypto/ecc.c?id=c6ab5c915da460c0397960af3c308386c3f3247b
 /*
  * Copyright (c) 2013, 2014 Kenneth MacKay. All rights reserved.
  * Copyright (c) 2019 Vitaly Chikunov <vt@altlinux.org>

-- 
2.54.0.129.g3edf2eeba9

[PATCH 2/4] crypto: ecc - Fix off-by-one missing to clear most significant digit

[Jonas Rebmann]

From: Stefan Berger <stefanb@linux.ibm.com>

Fix an off-by-one error where the most significant digit was not
initialized leading to signature verification failures by the testmgr.

Example: If a curve requires ndigits (=9) and diff (=2) indicates that
2 digits need to be set to zero then start with digit 'ndigits - diff' (=7)
and clear 'diff' digits starting from there, so 7 and 8.

Reported-by: Venkat Rao Bagalkote <venkat88@linux.vnet.ibm.com>
Closes: https://lore.kernel.org/linux-crypto/619bc2de-b18a-4939-a652-9ca886bf6349@linux.ibm.com/T/#m045d8812409ce233c17fcdb8b88b6629c671f9f4
Fixes: 2fd2a82ccbfc ("crypto: ecdsa - Use ecc_digits_from_bytes to create hash digits array")
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Tested-by: Venkat Rao Bagalkote <venkat88@linux.vnet.ibm.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
(cherry picked from linux commit 1dcf865d3bf5bff45e93cb2410911b3428dacb78)
Reported-by: Lukas Wunner <lukas@wunner.de>
Signed-off-by: Jonas Rebmann <jre@pengutronix.de>
---
 crypto/ecc.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/crypto/ecc.c b/crypto/ecc.c
index 77068ebfbd..01003d8a38 100644
--- a/crypto/ecc.c
+++ b/crypto/ecc.c
@@ -1,4 +1,4 @@
-// SPDX-Comment: Origin-URL: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/crypto/ecc.c?id=c6ab5c915da460c0397960af3c308386c3f3247b
+// SPDX-Comment: Origin-URL: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/crypto/ecc.c?id=1dcf865d3bf5bff45e93cb2410911b3428dacb78
 /*
  * Copyright (c) 2013, 2014 Kenneth MacKay. All rights reserved.
  * Copyright (c) 2019 Vitaly Chikunov <vt@altlinux.org>
@@ -66,7 +66,7 @@ void ecc_digits_from_bytes(const u8 *in, unsigned int nbytes,
 	/* diff > 0: not enough input bytes: set most significant digits to 0 */
 	if (diff > 0) {
 		ndigits -= diff;
-		memset(&out[ndigits - 1], 0, diff * sizeof(u64));
+		memset(&out[ndigits], 0, diff * sizeof(u64));
 	}
 
 	if (o) {

-- 
2.54.0.129.g3edf2eeba9

[PATCH 3/4] crypto: ecdsa - Harden against integer overflows in DIV_ROUND_UP()

[Jonas Rebmann]

From: Lukas Wunner <lukas@wunner.de>

Herbert notes that DIV_ROUND_UP() may overflow unnecessarily if an ecdsa
implementation's ->key_size() callback returns an unusually large value.
Herbert instead suggests (for a division by 8):

  X / 8 + !!(X & 7)

Based on this formula, introduce a generic DIV_ROUND_UP_POW2() macro and
use it in lieu of DIV_ROUND_UP() for ->key_size() return values.

Additionally, use the macro in ecc_digits_from_bytes(), whose "nbytes"
parameter is a ->key_size() return value in some instances, or a
user-specified ASN.1 length in the case of ecdsa_get_signature_rs().

Link: https://lore.kernel.org/r/Z3iElsILmoSu6FuC@gondor.apana.org.au/
Signed-off-by: Lukas Wunner <lukas@wunner.de>
Signed-off-by: Lukas Wunner <lukas@wunner.de>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
(cherry picked from linux commit b16510a530d1e6ab9683f04f8fb34f2e0f538275)
Signed-off-by: Jonas Rebmann <jre@pengutronix.de>
---
 crypto/ecc.c         |  4 ++--
 include/linux/math.h | 12 ++++++++++++
 2 files changed, 14 insertions(+), 2 deletions(-)

diff --git a/crypto/ecc.c b/crypto/ecc.c
index 01003d8a38..a228ae1a66 100644
--- a/crypto/ecc.c
+++ b/crypto/ecc.c
@@ -1,4 +1,4 @@
-// SPDX-Comment: Origin-URL: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/crypto/ecc.c?id=1dcf865d3bf5bff45e93cb2410911b3428dacb78
+// SPDX-Comment: Origin-URL: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/crypto/ecc.c?id=b16510a530d1e6ab9683f04f8fb34f2e0f538275
 /*
  * Copyright (c) 2013, 2014 Kenneth MacKay. All rights reserved.
  * Copyright (c) 2019 Vitaly Chikunov <vt@altlinux.org>
@@ -59,7 +59,7 @@ EXPORT_SYMBOL(ecc_get_curve);
 void ecc_digits_from_bytes(const u8 *in, unsigned int nbytes,
 			   u64 *out, unsigned int ndigits)
 {
-	int diff = ndigits - DIV_ROUND_UP(nbytes, sizeof(u64));
+	int diff = ndigits - DIV_ROUND_UP_POW2(nbytes, sizeof(u64));
 	unsigned int o = nbytes & 7;
 	__be64 msd = 0;
 
diff --git a/include/linux/math.h b/include/linux/math.h
index e09ecaeab6..c7198ddb68 100644
--- a/include/linux/math.h
+++ b/include/linux/math.h
@@ -33,6 +33,18 @@
  */
 #define round_down(x, y) ((x) & ~__round_mask(x, y))
 
+/**
+ * DIV_ROUND_UP_POW2 - divide and round up
+ * @n: numerator
+ * @d: denominator (must be a power of 2)
+ *
+ * Divides @n by @d and rounds up to next multiple of @d (which must be a power
+ * of 2). Avoids integer overflows that may occur with __KERNEL_DIV_ROUND_UP().
+ * Performance is roughly equivalent to __KERNEL_DIV_ROUND_UP().
+ */
+#define DIV_ROUND_UP_POW2(n, d) \
+	((n) / (d) + !!((n) & ((d) - 1)))
+
 #define DIV_ROUND_UP __KERNEL_DIV_ROUND_UP
 
 #define DIV_ROUND_DOWN_ULL(ll, d) \

-- 
2.54.0.129.g3edf2eeba9

[PATCH 4/4] crypto: ecc - Streamline alloc_point and remove {alloc,free}_digits_space

[Jonas Rebmann]

From: Thorsten Blum <thorsten.blum@linux.dev>

Check 'ndigits' before allocating 'struct ecc_point' to return early if
needed. Inline the code from and remove ecc_alloc_digits_space() and
ecc_free_digits_space(), respectively.

Signed-off-by: Thorsten Blum <thorsten.blum@linux.dev>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
(cherry picked from linux commit c66e0a273f223fe38b8b72c034857622b0651482)
Reported-by: Lukas Wunner <lukas@wunner.de>
Signed-off-by: Jonas Rebmann <jre@pengutronix.de>
---
 crypto/ecc.c | 29 ++++++++++-------------------
 1 file changed, 10 insertions(+), 19 deletions(-)

diff --git a/crypto/ecc.c b/crypto/ecc.c
index a228ae1a66..b6abdbee67 100644
--- a/crypto/ecc.c
+++ b/crypto/ecc.c
@@ -1,4 +1,4 @@
-// SPDX-Comment: Origin-URL: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/crypto/ecc.c?id=b16510a530d1e6ab9683f04f8fb34f2e0f538275
+// SPDX-Comment: Origin-URL: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/crypto/ecc.c?id=d6ea871d73abbb6a1e00e71ed5762e394d06cb2b
 /*
  * Copyright (c) 2013, 2014 Kenneth MacKay. All rights reserved.
  * Copyright (c) 2019 Vitaly Chikunov <vt@altlinux.org>
@@ -78,33 +78,24 @@ void ecc_digits_from_bytes(const u8 *in, unsigned int nbytes,
 }
 EXPORT_SYMBOL(ecc_digits_from_bytes);
 
-static u64 *ecc_alloc_digits_space(unsigned int ndigits)
+struct ecc_point *ecc_alloc_point(unsigned int ndigits)
 {
-	size_t len = ndigits * sizeof(u64);
+	struct ecc_point *p;
+	size_t ndigits_sz;
 
-	if (!len)
+	if (!ndigits)
 		return NULL;
 
-	return kmalloc(len, GFP_KERNEL);
-}
-
-static void ecc_free_digits_space(u64 *space)
-{
-	kfree_sensitive(space);
-}
-
-struct ecc_point *ecc_alloc_point(unsigned int ndigits)
-{
-	struct ecc_point *p = kmalloc(sizeof(*p), GFP_KERNEL);
-
+	p = kmalloc(sizeof(*p), GFP_KERNEL);
 	if (!p)
 		return NULL;
 
-	p->x = ecc_alloc_digits_space(ndigits);
+	ndigits_sz = ndigits * sizeof(u64);
+	p->x = kmalloc(ndigits_sz, GFP_KERNEL);
 	if (!p->x)
 		goto err_alloc_x;
 
-	p->y = ecc_alloc_digits_space(ndigits);
+	p->y = kmalloc(ndigits_sz, GFP_KERNEL);
 	if (!p->y)
 		goto err_alloc_y;
 
@@ -113,7 +104,7 @@ struct ecc_point *ecc_alloc_point(unsigned int ndigits)
 	return p;
 
 err_alloc_y:
-	ecc_free_digits_space(p->x);
+	kfree(p->x);
 err_alloc_x:
 	kfree(p);
 	return NULL;

-- 
2.54.0.129.g3edf2eeba9

Re: [PATCH 0/4] crypto: Port ecc.c fixes from kernel

[Sascha Hauer]

On Mon, 18 May 2026 09:56:12 +0200, Jonas Rebmann wrote:
> We've been working on processes for porting fixes from copied code in
> winter and introduced Origin-URL references [1] during those
> discussions.
> 
> Now thanks to Lukas we're reminded to put this to practice.
> 
> This series is a proposal on future standard practice of porting such
> patches: Update the Origin-URL in every ported patch, mention the origin
> project in the "cherry picked from" line. Handle like a backport for all
> other regards.
> 
> [...]

Applied, thanks!

[1/4] crypto: ecc: Add Origin-URL to document kernel revision
      https://git.pengutronix.de/cgit/barebox/commit/?id=cb711fca7828 (link may not be stable)
[2/4] crypto: ecc - Fix off-by-one missing to clear most significant digit
      https://git.pengutronix.de/cgit/barebox/commit/?id=08d9eaa925de (link may not be stable)
[3/4] crypto: ecdsa - Harden against integer overflows in DIV_ROUND_UP()
      https://git.pengutronix.de/cgit/barebox/commit/?id=c9f258b1e9c7 (link may not be stable)
[4/4] crypto: ecc - Streamline alloc_point and remove {alloc,free}_digits_space
      https://git.pengutronix.de/cgit/barebox/commit/?id=4f64ef254546 (link may not be stable)

Best regards,
-- 
Sascha Hauer <s.hauer@pengutronix.de>