This is a note to let you know that I've just added the patch titled
crypto: api - Use work queue in crypto_destroy_instance
to the 5.15-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch is:
crypto-api-use-work-queue-in-crypto_destroy_instance.patch
and it can be found in the queue-5.15 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.
commit 2c2b06142bf8fe7e1c017ac8bc3f7a6ed2ed285c
Author: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>
Date: Thu Aug 3 17:59:28 2023 +0800
crypto: api - Use work queue in crypto_destroy_instance
[ Upstream commit 9ae4577bc077a7e32c3c7d442c95bc76865c0f17 ]
The function crypto_drop_spawn expects to be called in process
context. However, when an instance is unregistered while it still
has active users, the last user may cause the instance to be freed
in atomic context.
Fix this by delaying the freeing to a work queue.
Fixes: 6bfd48096ff8 ("[CRYPTO] api: Added spawns")
Reported-by: Florent Revest <revest@xxxxxxxxxxxx>
Reported-by: syzbot+d769eed29cc42d75e2a3@xxxxxxxxxxxxxxxxxxxxxxxxx
Reported-by: syzbot+610ec0671f51e838436e@xxxxxxxxxxxxxxxxxxxxxxxxx
Signed-off-by: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>
Tested-by: Florent Revest <revest@xxxxxxxxxxxx>
Acked-by: Florent Revest <revest@xxxxxxxxxxxx>
Signed-off-by: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>
Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>
diff --git a/crypto/algapi.c b/crypto/algapi.c
index 3920c4b1e9c13..c390a79c5a669 100644
--- a/crypto/algapi.c
+++ b/crypto/algapi.c
@@ -16,6 +16,7 @@
#include <linux/rtnetlink.h>
#include <linux/slab.h>
#include <linux/string.h>
+#include <linux/workqueue.h>
#include "internal.h"
@@ -68,15 +69,26 @@ static void crypto_free_instance(struct crypto_instance *inst)
inst->alg.cra_type->free(inst);
}
-static void crypto_destroy_instance(struct crypto_alg *alg)
+static void crypto_destroy_instance_workfn(struct work_struct *w)
{
- struct crypto_instance *inst = (void *)alg;
+ struct crypto_instance *inst = container_of(w, struct crypto_instance,
+ free_work);
struct crypto_template *tmpl = inst->tmpl;
crypto_free_instance(inst);
crypto_tmpl_put(tmpl);
}
+static void crypto_destroy_instance(struct crypto_alg *alg)
+{
+ struct crypto_instance *inst = container_of(alg,
+ struct crypto_instance,
+ alg);
+
+ INIT_WORK(&inst->free_work, crypto_destroy_instance_workfn);
+ schedule_work(&inst->free_work);
+}
+
/*
* This function adds a spawn to the list secondary_spawns which
* will be used at the end of crypto_remove_spawns to unregister
diff --git a/include/crypto/algapi.h b/include/crypto/algapi.h
index 0ffd61930e180..62fa7e82ff5b9 100644
--- a/include/crypto/algapi.h
+++ b/include/crypto/algapi.h
@@ -10,6 +10,7 @@
#include <linux/crypto.h>
#include <linux/list.h>
#include <linux/kernel.h>
+#include <linux/workqueue.h>
/*
* Maximum values for blocksize and alignmask, used to allocate
@@ -55,6 +56,8 @@ struct crypto_instance {
struct crypto_spawn *spawns;
};
+ struct work_struct free_work;
+
void *__ctx[] CRYPTO_MINALIGN_ATTR;
};
