From: Herbert Xu herbert@gondor.apana.org.au
stable inclusion from stable-v5.10.195 commit 625bf86bf53eb7a8ee60fb9dc45b272b77e5ce1c category: bugfix bugzilla: 189311
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=...
--------------------------------
[ Upstream commit 9ae4577bc077a7e32c3c7d442c95bc76865c0f17 ]
The function crypto_drop_spawn expects to be called in process context. However, when an instance is unregistered while it still has active users, the last user may cause the instance to be freed in atomic context.
Fix this by delaying the freeing to a work queue.
Fixes: 6bfd48096ff8 ("[CRYPTO] api: Added spawns") Reported-by: Florent Revest revest@chromium.org Reported-by: syzbot+d769eed29cc42d75e2a3@syzkaller.appspotmail.com Reported-by: syzbot+610ec0671f51e838436e@syzkaller.appspotmail.com Signed-off-by: Herbert Xu herbert@gondor.apana.org.au Tested-by: Florent Revest revest@chromium.org Acked-by: Florent Revest revest@chromium.org Signed-off-by: Herbert Xu herbert@gondor.apana.org.au Signed-off-by: Sasha Levin sashal@kernel.org Signed-off-by: Yi Yang yiyang13@huawei.com --- crypto/algapi.c | 16 ++++++++++++++-- include/crypto/algapi.h | 3 +++ 2 files changed, 17 insertions(+), 2 deletions(-)
diff --git a/crypto/algapi.c b/crypto/algapi.c index 42dca17dc2d9..5d422e725b26 100644 --- a/crypto/algapi.c +++ b/crypto/algapi.c @@ -16,6 +16,7 @@ #include <linux/rtnetlink.h> #include <linux/slab.h> #include <linux/string.h> +#include <linux/workqueue.h>
#include "internal.h"
@@ -68,15 +69,26 @@ static void crypto_free_instance(struct crypto_instance *inst) inst->alg.cra_type->free(inst); }
-static void crypto_destroy_instance(struct crypto_alg *alg) +static void crypto_destroy_instance_workfn(struct work_struct *w) { - struct crypto_instance *inst = (void *)alg; + struct crypto_instance *inst = container_of(w, struct crypto_instance, + free_work); struct crypto_template *tmpl = inst->tmpl;
crypto_free_instance(inst); crypto_tmpl_put(tmpl); }
+static void crypto_destroy_instance(struct crypto_alg *alg) +{ + struct crypto_instance *inst = container_of(alg, + struct crypto_instance, + alg); + + INIT_WORK(&inst->free_work, crypto_destroy_instance_workfn); + schedule_work(&inst->free_work); +} + /* * This function adds a spawn to the list secondary_spawns which * will be used at the end of crypto_remove_spawns to unregister diff --git a/include/crypto/algapi.h b/include/crypto/algapi.h index 18dd7a4aaf7d..96dbd438cc70 100644 --- a/include/crypto/algapi.h +++ b/include/crypto/algapi.h @@ -10,6 +10,7 @@ #include <linux/crypto.h> #include <linux/list.h> #include <linux/kernel.h> +#include <linux/workqueue.h>
/* * Maximum values for blocksize and alignmask, used to allocate @@ -55,6 +56,8 @@ struct crypto_instance { struct crypto_spawn *spawns; };
+ struct work_struct free_work; + void *__ctx[] CRYPTO_MINALIGN_ATTR; };