On Fri, 13 Jan 2023 at 11:24, Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx> wrote: > > As it is essiv only handles the special return value of EINPROGRESS, > which means that in all other cases it will free data related to the > request. > > However, as the caller of essiv may specify MAY_BACKLOG, we also need > to expect EBUSY and treat it in the same way. Otherwise backlogged > requests will trigger a use-after-free. > > Fixes: be1eb7f78aa8 ("crypto: essiv - create wrapper template...") > Signed-off-by: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx> Acked-by: Ard Biesheuvel <ardb@xxxxxxxxxx> > > diff --git a/crypto/essiv.c b/crypto/essiv.c > index e33369df9034..307eba74b901 100644 > --- a/crypto/essiv.c > +++ b/crypto/essiv.c > @@ -171,7 +171,12 @@ static void essiv_aead_done(struct crypto_async_request *areq, int err) > struct aead_request *req = areq->data; > struct essiv_aead_request_ctx *rctx = aead_request_ctx(req); > > + if (err == -EINPROGRESS) > + goto out; > + > kfree(rctx->assoc); > + > +out: > aead_request_complete(req, err); > } > > @@ -247,7 +252,7 @@ static int essiv_aead_crypt(struct aead_request *req, bool enc) > err = enc ? crypto_aead_encrypt(subreq) : > crypto_aead_decrypt(subreq); > > - if (rctx->assoc && err != -EINPROGRESS) > + if (rctx->assoc && err != -EINPROGRESS && err != -EBUSY) > kfree(rctx->assoc); > return err; > } > -- > Email: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx> > Home Page: http://gondor.apana.org.au/~herbert/ > PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
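Review bot: the new `if (err == -EINPROGRESS) goto out;` at the top of essiv_aead_done carries no comment saying why that status must skip `kfree(rctx->assoc)`. Going by the commit message, the reason is that a backlogged request is still live when this status arrives, so a one-line comment to that effect would stop a later cleanup from moving the free back above the check. The label can also be avoided by writing `if (err != -EINPROGRESS) kfree(rctx->assoc);`, which mirrors the form already used in essiv_aead_crypt.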
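Review bot: in essiv_aead_crypt the `rctx->assoc &&` guard in front of `err != -EINPROGRESS && err != -EBUSY` is redundant and inconsistent with the first hunk, where essiv_aead_done calls `kfree(rctx->assoc)` unguarded; kfree() accepts NULL, so the guard can go. It would also help to add a short comment here that both return values mean the request is still in flight and essiv_aead_done owns the free, because the two sites now test different sets of values (-EINPROGRESS only in the callback, -EINPROGRESS and -EBUSY here) and the reason for the difference is only stated in the commit message.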