From: Herbert Xu herbert@gondor.apana.org.au
stable inclusion from stable-v4.19.276 commit 1effbddaff60eeef8017c6dea1ee0ed970164d14 category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I6TIG1 CVE: NA
--------------------------------
[ Upstream commit 32e62025e5e52fbe4812ef044759de7010b15dbc ]
As it is seqiv only handles the special return value of EINPROGERSS, which means that in all other cases it will free data related to the request.
However, as the caller of seqiv may specify MAY_BACKLOG, we also need to expect EBUSY and treat it in the same way. Otherwise backlogged requests will trigger a use-after-free.
Fixes: 0a270321dbf9 ("[CRYPTO] seqiv: Add Sequence Number IV Generator") Signed-off-by: Herbert Xu herbert@gondor.apana.org.au Signed-off-by: Sasha Levin sashal@kernel.org Signed-off-by: Yongqiang Liu liuyongqiang13@huawei.com --- crypto/seqiv.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/crypto/seqiv.c b/crypto/seqiv.c index 39dbf2f7e5f5..ca68608ab14e 100644 --- a/crypto/seqiv.c +++ b/crypto/seqiv.c @@ -30,7 +30,7 @@ static void seqiv_aead_encrypt_complete2(struct aead_request *req, int err) struct aead_request *subreq = aead_request_ctx(req); struct crypto_aead *geniv;
- if (err == -EINPROGRESS) + if (err == -EINPROGRESS || err == -EBUSY) return;
if (err)