From d7fbcd793051108d8ee0217335ce968c8812d44d Mon Sep 17 00:00:00 2001 From: Herbert Xu Date: Fri, 24 Nov 2023 09:09:34 +0000 Subject: [PATCH 1/2] crypto: api - Use work queue in crypto_destroy_instance mainline inclusion from mainline-v6.6-rc1 commit 9ae4577bc077a7e32c3c7d442c95bc76865c0f17 category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I8J49F CVE: NA Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=9ae4577bc077a7e32c3c7d442c95bc76865c0f17 -------------------------------- The function crypto_drop_spawn expects to be called in process context. However, when an instance is unregistered while it still has active users, the last user may cause the instance to be freed in atomic context. Fix this by delaying the freeing to a work queue. Fixes: 6bfd48096ff8 ("[CRYPTO] api: Added spawns") Reported-by: Florent Revest Reported-by: syzbot+d769eed29cc42d75e2a3@syzkaller.appspotmail.com Reported-by: syzbot+610ec0671f51e838436e@syzkaller.appspotmail.com Signed-off-by: Herbert Xu Tested-by: Florent Revest Acked-by: Florent Revest Signed-off-by: Herbert Xu conflicts: crypto/algapi.c include/crypto/algapi.h Signed-off-by: Yi Yang --- crypto/algapi.c | 16 ++++++++++++++-- include/crypto/algapi.h | 2 ++ 2 files changed, 16 insertions(+), 2 deletions(-) diff --git a/crypto/algapi.c b/crypto/algapi.c index a0f9e807fdb4..1ffd9358f009 100644 --- a/crypto/algapi.c +++ b/crypto/algapi.c @@ -21,6 +21,7 @@ #include #include #include +#include #include "internal.h" @@ -87,15 +88,26 @@ static void crypto_free_instance(struct crypto_instance *inst) inst->alg.cra_type->free(inst); } -static void crypto_destroy_instance(struct crypto_alg *alg) +static void crypto_destroy_instance_workfn(struct work_struct *w) { - struct crypto_instance *inst = (void *)alg; + struct crypto_instance *inst = container_of(w, struct crypto_instance, + free_work); struct crypto_template *tmpl = inst->tmpl; crypto_free_instance(inst); crypto_tmpl_put(tmpl); } +static void crypto_destroy_instance(struct crypto_alg *alg) +{ + struct crypto_instance *inst = container_of(alg, + struct crypto_instance, + alg); + + INIT_WORK(&inst->free_work, crypto_destroy_instance_workfn); + schedule_work(&inst->free_work); +} + static struct list_head *crypto_more_spawns(struct crypto_alg *alg, struct list_head *stack, struct list_head *top, diff --git a/include/crypto/algapi.h b/include/crypto/algapi.h index 6b9cd6597617..432678570ce0 100644 --- a/include/crypto/algapi.h +++ b/include/crypto/algapi.h @@ -52,6 +52,8 @@ struct crypto_instance { struct crypto_template *tmpl; struct hlist_node list; + struct work_struct free_work; + void *__ctx[] CRYPTO_MINALIGN_ATTR; }; -- Gitee From f71394340d36239f53b1b262e4402b09867d8e82 Mon Sep 17 00:00:00 2001 From: Yi Yang Date: Fri, 24 Nov 2023 09:09:35 +0000 Subject: [PATCH 2/2] crypto: fix kabi broken in struct crypto_instance hulk inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I8J49F CVE: N/A -------------------------------- Fix kabi breakage in commit 9ae4577bc077 ("crypto: api - Use work queue in crypto_destroy_instance") Signed-off-by: Yi Yang --- crypto/algapi.c | 21 +++++++++++++++++---- include/crypto/algapi.h | 7 +++++-- 2 files changed, 22 insertions(+), 6 deletions(-) diff --git a/crypto/algapi.c b/crypto/algapi.c index 1ffd9358f009..9bf991a4246b 100644 --- a/crypto/algapi.c +++ b/crypto/algapi.c @@ -90,22 +90,35 @@ static void crypto_free_instance(struct crypto_instance *inst) static void crypto_destroy_instance_workfn(struct work_struct *w) { - struct crypto_instance *inst = container_of(w, struct crypto_instance, - free_work); + struct crypto_instance_freework *work = container_of(w, + struct crypto_instance_freework, free_work); + struct crypto_instance *inst = work->instance; struct crypto_template *tmpl = inst->tmpl; crypto_free_instance(inst); crypto_tmpl_put(tmpl); + + kfree(work); } static void crypto_destroy_instance(struct crypto_alg *alg) { + struct crypto_instance_freework *work; struct crypto_instance *inst = container_of(alg, struct crypto_instance, alg); + struct crypto_template *tmpl = inst->tmpl; + + work = kzalloc(sizeof(*work), GFP_ATOMIC); + if (!work) { + crypto_free_instance(inst); + crypto_tmpl_put(tmpl); + return; + } + work->instance = inst; - INIT_WORK(&inst->free_work, crypto_destroy_instance_workfn); - schedule_work(&inst->free_work); + INIT_WORK(&work->free_work, crypto_destroy_instance_workfn); + schedule_work(&work->free_work); } static struct list_head *crypto_more_spawns(struct crypto_alg *alg, diff --git a/include/crypto/algapi.h b/include/crypto/algapi.h index 432678570ce0..474140cd233c 100644 --- a/include/crypto/algapi.h +++ b/include/crypto/algapi.h @@ -46,14 +46,17 @@ struct crypto_type { unsigned int tfmsize; }; +struct crypto_instance_freework { + struct crypto_instance *instance; + struct work_struct free_work; +}; + struct crypto_instance { struct crypto_alg alg; struct crypto_template *tmpl; struct hlist_node list; - struct work_struct free_work; - void *__ctx[] CRYPTO_MINALIGN_ATTR; }; -- Gitee