This is a note to let you know that I've just added the patch titled crypto: qce - fix uaf on qce_skcipher_register_one to the 5.10-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary The filename of the patch is: crypto-qce-fix-uaf-on-qce_skcipher_register_one.patch and it can be found in the queue-5.10 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable@xxxxxxxxxxxxxxx> know about it. commit 7de565b78cd2ab08acef27561bcdbd3714cb5831 Author: Chengfeng Ye <cyeaa@xxxxxxxxxxxxxx> Date: Thu Nov 4 06:46:42 2021 -0700 crypto: qce - fix uaf on qce_skcipher_register_one [ Upstream commit e9c195aaeed1b45c9012adbe29dedb6031e85aa8 ] Pointer alg points to sub field of tmpl, it is dereferenced after tmpl is freed. Fix this by accessing alg before free tmpl. Fixes: ec8f5d8f ("crypto: qce - Qualcomm crypto engine driver") Signed-off-by: Chengfeng Ye <cyeaa@xxxxxxxxxxxxxx> Acked-by: Thara Gopinath <thara.gopinath@xxxxxxxxxx> Signed-off-by: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx> Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx> diff --git a/drivers/crypto/qce/skcipher.c b/drivers/crypto/qce/skcipher.c index d8053789c8828..89c7fc3efbd71 100644 --- a/drivers/crypto/qce/skcipher.c +++ b/drivers/crypto/qce/skcipher.c @@ -433,8 +433,8 @@ static int qce_skcipher_register_one(const struct qce_skcipher_def *def, ret = crypto_register_skcipher(alg); if (ret) { - kfree(tmpl); dev_err(qce->dev, "%s registration failed\n", alg->base.cra_name); + kfree(tmpl); return ret; }