From 7c1ecabc28d49557653d323fb5e73530e5ba632e Mon Sep 17 00:00:00 2001 From: Herbert Xu Date: Sat, 25 Nov 2023 02:19:53 +0000 Subject: [PATCH 1/2] crypto: api - Use work queue in crypto_destroy_instance mainline inclusion from mainline-v6.6-rc1 commit 9ae4577bc077a7e32c3c7d442c95bc76865c0f17 category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I8J49F CVE: NA Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=9ae4577bc077a7e32c3c7d442c95bc76865c0f17 -------------------------------- The function crypto_drop_spawn expects to be called in process context. However, when an instance is unregistered while it still has active users, the last user may cause the instance to be freed in atomic context. Fix this by delaying the freeing to a work queue. Fixes: 6bfd48096ff8 ("[CRYPTO] api: Added spawns") Reported-by: Florent Revest Reported-by: syzbot+d769eed29cc42d75e2a3@syzkaller.appspotmail.com Reported-by: syzbot+610ec0671f51e838436e@syzkaller.appspotmail.com Signed-off-by: Herbert Xu Tested-by: Florent Revest Acked-by: Florent Revest Signed-off-by: Herbert Xu conflicts: crypto/algapi.c include/crypto/algapi.h Signed-off-by: Yi Yang --- crypto/algapi.c | 16 ++++++++++++++-- include/crypto/algapi.h | 3 +++ 2 files changed, 17 insertions(+), 2 deletions(-) diff --git a/crypto/algapi.c b/crypto/algapi.c index a0f9e807fdb4..1ffd9358f009 100644 --- a/crypto/algapi.c +++ b/crypto/algapi.c @@ -21,6 +21,7 @@ #include #include #include +#include #include "internal.h" @@ -87,15 +88,26 @@ static void crypto_free_instance(struct crypto_instance *inst) inst->alg.cra_type->free(inst); } -static void crypto_destroy_instance(struct crypto_alg *alg) +static void crypto_destroy_instance_workfn(struct work_struct *w) { - struct crypto_instance *inst = (void *)alg; + struct crypto_instance *inst = container_of(w, struct crypto_instance, + free_work); struct crypto_template *tmpl = inst->tmpl; crypto_free_instance(inst); crypto_tmpl_put(tmpl); } +static void crypto_destroy_instance(struct crypto_alg *alg) +{ + struct crypto_instance *inst = container_of(alg, + struct crypto_instance, + alg); + + INIT_WORK(&inst->free_work, crypto_destroy_instance_workfn); + schedule_work(&inst->free_work); +} + static struct list_head *crypto_more_spawns(struct crypto_alg *alg, struct list_head *stack, struct list_head *top, diff --git a/include/crypto/algapi.h b/include/crypto/algapi.h index 6b9cd6597617..0b9ba8fd4533 100644 --- a/include/crypto/algapi.h +++ b/include/crypto/algapi.h @@ -16,6 +16,7 @@ #include #include #include +#include /* * Maximum values for blocksize and alignmask, used to allocate @@ -52,6 +53,8 @@ struct crypto_instance { struct crypto_template *tmpl; struct hlist_node list; + struct work_struct free_work; + void *__ctx[] CRYPTO_MINALIGN_ATTR; }; -- Gitee From 917ed04e044e0f06eea85fc2d606290e0b4f117a Mon Sep 17 00:00:00 2001 From: Yi Yang Date: Sat, 25 Nov 2023 02:19:54 +0000 Subject: [PATCH 2/2] crypto: fix kabi broken in struct crypto_instance hulk inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I8J49F CVE: N/A -------------------------------- Fix kabi breakage in commit 9ae4577bc077 ("crypto: api - Use work queue in crypto_destroy_instance") Signed-off-by: Yi Yang --- crypto/algapi.c | 21 +++++++++++++++++---- include/crypto/algapi.h | 7 +++++-- 2 files changed, 22 insertions(+), 6 deletions(-) diff --git a/crypto/algapi.c b/crypto/algapi.c index 1ffd9358f009..9bf991a4246b 100644 --- a/crypto/algapi.c +++ b/crypto/algapi.c @@ -90,22 +90,35 @@ static void crypto_free_instance(struct crypto_instance *inst) static void crypto_destroy_instance_workfn(struct work_struct *w) { - struct crypto_instance *inst = container_of(w, struct crypto_instance, - free_work); + struct crypto_instance_freework *work = container_of(w, + struct crypto_instance_freework, free_work); + struct crypto_instance *inst = work->instance; struct crypto_template *tmpl = inst->tmpl; crypto_free_instance(inst); crypto_tmpl_put(tmpl); + + kfree(work); } static void crypto_destroy_instance(struct crypto_alg *alg) { + struct crypto_instance_freework *work; struct crypto_instance *inst = container_of(alg, struct crypto_instance, alg); + struct crypto_template *tmpl = inst->tmpl; + + work = kzalloc(sizeof(*work), GFP_ATOMIC); + if (!work) { + crypto_free_instance(inst); + crypto_tmpl_put(tmpl); + return; + } + work->instance = inst; - INIT_WORK(&inst->free_work, crypto_destroy_instance_workfn); - schedule_work(&inst->free_work); + INIT_WORK(&work->free_work, crypto_destroy_instance_workfn); + schedule_work(&work->free_work); } static struct list_head *crypto_more_spawns(struct crypto_alg *alg, diff --git a/include/crypto/algapi.h b/include/crypto/algapi.h index 0b9ba8fd4533..b9b993b633af 100644 --- a/include/crypto/algapi.h +++ b/include/crypto/algapi.h @@ -47,14 +47,17 @@ struct crypto_type { unsigned int tfmsize; }; +struct crypto_instance_freework { + struct crypto_instance *instance; + struct work_struct free_work; +}; + struct crypto_instance { struct crypto_alg alg; struct crypto_template *tmpl; struct hlist_node list; - struct work_struct free_work; - void *__ctx[] CRYPTO_MINALIGN_ATTR; }; -- Gitee