crypto: api - Use work queue in crypto_destroy_instance

[ Upstream commit 9ae4577bc077a7e32c3c7d442c95bc76865c0f17 ]

The function crypto_drop_spawn expects to be called in process
context.  However, when an instance is unregistered while it still
has active users, the last user may cause the instance to be freed
in atomic context.

Fix this by delaying the freeing to a work queue.

Fixes: 6bfd48096ff8 ("[CRYPTO] api: Added spawns")
Reported-by: Florent Revest <revest@chromium.org>
Reported-by: syzbot+d769eed29cc42d75e2a3@syzkaller.appspotmail.com
Reported-by: syzbot+610ec0671f51e838436e@syzkaller.appspotmail.com
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Tested-by: Florent Revest <revest@chromium.org>
Acked-by: Florent Revest <revest@chromium.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>

diff --git a/crypto/algapi.c b/crypto/algapi.c
index 8c3a869cc43a9b14d55db368b46f8e623b375f94..5dc9ccdd5a510a5645398121ab5a475cfb2d0c92 100644 (file)
--- a/crypto/algapi.c
+++ b/crypto/algapi.c
@@ -17,6 +17,7 @@
 #include <linux/rtnetlink.h>
 #include <linux/slab.h>
 #include <linux/string.h>
+#include <linux/workqueue.h>
 
 #include "internal.h"
 
@@ -74,15 +75,26 @@ static void crypto_free_instance(struct crypto_instance *inst)
        inst->alg.cra_type->free(inst);
 }
 
-static void crypto_destroy_instance(struct crypto_alg *alg)
+static void crypto_destroy_instance_workfn(struct work_struct *w)
 {
-       struct crypto_instance *inst = (void *)alg;
+       struct crypto_instance *inst = container_of(w, struct crypto_instance,
+                                                   free_work);
        struct crypto_template *tmpl = inst->tmpl;
 
        crypto_free_instance(inst);
        crypto_tmpl_put(tmpl);
 }
 
+static void crypto_destroy_instance(struct crypto_alg *alg)
+{
+       struct crypto_instance *inst = container_of(alg,
+                                                   struct crypto_instance,
+                                                   alg);
+
+       INIT_WORK(&inst->free_work, crypto_destroy_instance_workfn);
+       schedule_work(&inst->free_work);
+}
+
 /*
  * This function adds a spawn to the list secondary_spawns which
  * will be used at the end of crypto_remove_spawns to unregister

diff --git a/include/crypto/algapi.h b/include/crypto/algapi.h
index 224b8606470835a0180f6a37201998b23779a3b4..939a3196bf002afda5978554e520e6007e7b41ab 100644 (file)
--- a/include/crypto/algapi.h
+++ b/include/crypto/algapi.h
@@ -12,6 +12,7 @@
 #include <linux/kconfig.h>
 #include <linux/list.h>
 #include <linux/types.h>
+#include <linux/workqueue.h>
 
 #include <asm/unaligned.h>
 
@@ -60,6 +61,8 @@ struct crypto_instance {
                struct crypto_spawn *spawns;
        };
 
+       struct work_struct free_work;
+
        void *__ctx[] CRYPTO_MINALIGN_ATTR;
 };