tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork atom

crypto: api - Use work queue in crypto_destroy_instance

The function crypto_drop_spawn expects to be called in process
context. However, when an instance is unregistered while it still
has active users, the last user may cause the instance to be freed
in atomic context.

Fix this by delaying the freeing to a work queue.

Fixes: 6bfd48096ff8 ("[CRYPTO] api: Added spawns")
Reported-by: Florent Revest <revest@chromium.org>
Reported-by: syzbot+d769eed29cc42d75e2a3@syzkaller.appspotmail.com
Reported-by: syzbot+610ec0671f51e838436e@syzkaller.appspotmail.com
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Tested-by: Florent Revest <revest@chromium.org>
Acked-by: Florent Revest <revest@chromium.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>

Herbert Xu 9ae4577b 7999b615

+17 -2
+14 -2
crypto/algapi.c
··· 17 17 #include <linux/rtnetlink.h> 18 18 #include <linux/slab.h> 19 19 #include <linux/string.h> 20 + #include <linux/workqueue.h> 20 21 21 22 #include "internal.h" 22 23 ··· 75 74 inst->alg.cra_type->free(inst); 76 75 } 77 76 78 - static void crypto_destroy_instance(struct crypto_alg *alg) 77 + static void crypto_destroy_instance_workfn(struct work_struct *w) 79 78 { 80 - struct crypto_instance *inst = (void *)alg; 79 + struct crypto_instance *inst = container_of(w, struct crypto_instance, 80 + free_work); 81 81 struct crypto_template *tmpl = inst->tmpl; 82 82 83 83 crypto_free_instance(inst); 84 84 crypto_tmpl_put(tmpl); 85 + } 86 + 87 + static void crypto_destroy_instance(struct crypto_alg *alg) 88 + { 89 + struct crypto_instance *inst = container_of(alg, 90 + struct crypto_instance, 91 + alg); 92 + 93 + INIT_WORK(&inst->free_work, crypto_destroy_instance_workfn); 94 + schedule_work(&inst->free_work); 85 95 } 86 96 87 97 /*
+3
include/crypto/algapi.h
··· 12 12 #include <linux/cache.h> 13 13 #include <linux/crypto.h> 14 14 #include <linux/types.h> 15 + #include <linux/workqueue.h> 15 16 16 17 /* 17 18 * Maximum values for blocksize and alignmask, used to allocate ··· 82 81 /* List of attached spawns before registration. */ 83 82 struct crypto_spawn *spawns; 84 83 }; 84 + 85 + struct work_struct free_work; 85 86 86 87 void *__ctx[] CRYPTO_MINALIGN_ATTR; 87 88 };