From: Herbert Xu herbert@gondor.apana.org.au
mainline inclusion from mainline-v6.6-rc1 commit 9ae4577bc077a7e32c3c7d442c95bc76865c0f17 category: bugfix bugzilla: 189311 CVE: NA
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i...
--------------------------------
The function crypto_drop_spawn expects to be called in process context. However, when an instance is unregistered while it still has active users, the last user may cause the instance to be freed in atomic context.
Fix this by delaying the freeing to a work queue.
Fixes: 6bfd48096ff8 ("[CRYPTO] api: Added spawns") Reported-by: Florent Revest revest@chromium.org Reported-by: syzbot+d769eed29cc42d75e2a3@syzkaller.appspotmail.com Reported-by: syzbot+610ec0671f51e838436e@syzkaller.appspotmail.com Signed-off-by: Herbert Xu herbert@gondor.apana.org.au Tested-by: Florent Revest revest@chromium.org Acked-by: Florent Revest revest@chromium.org Signed-off-by: Herbert Xu herbert@gondor.apana.org.au
conflicts: crypto/algapi.c include/crypto/algapi.h
Signed-off-by: Yi Yang yiyang13@huawei.com --- crypto/algapi.c | 16 ++++++++++++++-- include/crypto/algapi.h | 2 ++ 2 files changed, 16 insertions(+), 2 deletions(-)
diff --git a/crypto/algapi.c b/crypto/algapi.c
index a0f9e807fdb4..1ffd9358f009 100644
--- a/crypto/algapi.c
+++ b/crypto/algapi.c
@@ -21,6 +21,7 @@
 #include <linux/rtnetlink.h>
 #include <linux/slab.h>
 #include <linux/string.h>
+#include <linux/workqueue.h>
#include "internal.h"
@@ -87,15 +88,26 @@ static void crypto_free_instance(struct crypto_instance *inst)
 inst->alg.cra_type->free(inst);
 }
-static void crypto_destroy_instance(struct crypto_alg *alg)
+static void crypto_destroy_instance_workfn(struct work_struct *w)
 {
- struct crypto_instance *inst = (void *)alg;
+ struct crypto_instance *inst = container_of(w, struct crypto_instance,
+ free_work);
 struct crypto_template *tmpl = inst->tmpl;
crypto_free_instance(inst);
 crypto_tmpl_put(tmpl);
 }
+static void crypto_destroy_instance(struct crypto_alg *alg)
+{
+ struct crypto_instance *inst = container_of(alg,
+ struct crypto_instance,
+ alg);
+
+ INIT_WORK(&inst->free_work, crypto_destroy_instance_workfn);
+ schedule_work(&inst->free_work);
+}
+
 static struct list_head *crypto_more_spawns(struct crypto_alg *alg,
 struct list_head *stack,
 struct list_head *top,
diff --git a/include/crypto/algapi.h b/include/crypto/algapi.h
index 6b9cd6597617..432678570ce0 100644
--- a/include/crypto/algapi.h
+++ b/include/crypto/algapi.h
@@ -52,6 +52,8 @@ struct crypto_instance {
 struct crypto_template *tmpl;
 struct hlist_node list;
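Review bot: The new `crypto_destroy_instance()` carries no comment saying why the free is deferred, and that constraint is the whole point of the change: per the commit message the destroy callback can run in atomic context when the last user drops an already-unregistered instance, while `crypto_drop_spawn` needs process context. I would put `/* May run in atomic context; the actual free can sleep, so hand it to a work item. */` above the function so a later cleanup does not fold the work function back in. Calling `INIT_WORK()` here rather than at instance creation also assumes the callback runs at most once per instance, which this hunk does not show. Because this is a backport with conflicts in both files, it is worth confirming in this tree that no teardown path frees the instance directly while `free_work` could already be queued.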
+ struct work_struct free_work;
+
 void *__ctx[] CRYPTO_MINALIGN_ATTR;
 };
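Review bot: `struct crypto_instance` now embeds `struct work_struct free_work` by value, but the visible part of this header patch adds no `#include <linux/workqueue.h>`; the include is only added to crypto/algapi.c. Unless include/crypto/algapi.h already pulls the definition in outside the lines shown, every user of the header depends on a transitive include, so I would add `#include <linux/workqueue.h>` to the header as well. The new member also sits before `__ctx[]`, which moves the context area and grows the structure; if this tree keeps a stable module ABI, that layout change needs to be checked against it. The struct definition starts above the hunk.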