On Fri, 13 Jan 2023 at 11:24, Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx> wrote:
>
> As it is essiv only handles the special return value of EINPROGERSS,
> which means that in all other cases it will free data related to the
> request.
>
> However, as the caller of essiv may specify MAY_BACKLOG, we also need
> to expect EBUSY and treat it in the same way. Otherwise backlogged
> requests will trigger a use-after-free.
>
> Fixes: be1eb7f78aa8 ("crypto: essiv - create wrapper template...")
> Signed-off-by: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>
Acked-by: Ard Biesheuvel <ardb@xxxxxxxxxx>
>
> diff --git a/crypto/essiv.c b/crypto/essiv.c
> index e33369df9034..307eba74b901 100644
> --- a/crypto/essiv.c
> +++ b/crypto/essiv.c
> @@ -171,7 +171,12 @@ static void essiv_aead_done(struct crypto_async_request *areq, int err)
> struct aead_request *req = areq->data;
> struct essiv_aead_request_ctx *rctx = aead_request_ctx(req);
>
> + if (err == -EINPROGRESS)
> + goto out;
> +
> kfree(rctx->assoc);
> +
> +out:
> aead_request_complete(req, err);
> }
>
> @@ -247,7 +252,7 @@ static int essiv_aead_crypt(struct aead_request *req, bool enc)
> err = enc ? crypto_aead_encrypt(subreq) :
> crypto_aead_decrypt(subreq);
>
> - if (rctx->assoc && err != -EINPROGRESS)
> + if (rctx->assoc && err != -EINPROGRESS && err != -EBUSY)
> kfree(rctx->assoc);
> return err;
> }
> --
> Email: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>
> Home Page: http://gondor.apana.org.au/~herbert/
> PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
