
Commit ada9e426 authored by Eric Biggers Committed by Gerrit - the friendly Code Review server

crypto: pcrypt - fix freeing pcrypt instances



pcrypt is using the old way of freeing instances, where the ->free()
method specified in the 'struct crypto_template' is passed a pointer to
the 'struct crypto_instance'.  But the crypto_instance is being
kfree()'d directly, which is incorrect because the memory was actually
allocated as an aead_instance, which contains the crypto_instance at a
nonzero offset.  Thus, the wrong pointer was being kfree()'d.

Fix it by switching to the new way to free aead_instance's where the
->free() method is specified in the aead_instance itself.

Change-Id: I4e7ca9d5e450708b0b02129d99d7044a534c1144
Reported-by: syzbot <syzkaller@googlegroups.com>
Fixes: 0496f56065e0 ("crypto: pcrypt - Add support for new AEAD interface")
Cc: <stable@vger.kernel.org> # v4.2+
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Git-repo: Git-repo: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git


Git-commit: d76c68109f37cb85b243a1cf0f40313afd2bae68
[cravin@codeaurora.org : Resolved minor conflict]
Signed-off-by: Srinivasa Rao Kuppala <srkupp@codeaurora.org>
parent e9ab48b7
+9 −9
@@ -306,6 +306,14 @@ static void pcrypt_aead_exit_tfm(struct crypto_tfm *tfm)
	crypto_free_aead(ctx->child);
}

static void pcrypt_free(struct crypto_instance *inst)
{
	struct pcrypt_instance_ctx *ctx = crypto_instance_ctx(inst);

	crypto_drop_spawn(&ctx->spawn);
	kfree(inst);
}

static struct crypto_instance *pcrypt_alloc_instance(struct crypto_alg *alg)
{
	struct crypto_instance *inst;
@@ -375,6 +383,7 @@ static struct crypto_instance *pcrypt_alloc_aead(struct rtattr **tb,
	inst->alg.cra_aead.encrypt = pcrypt_aead_encrypt;
	inst->alg.cra_aead.decrypt = pcrypt_aead_decrypt;
	inst->alg.cra_aead.givencrypt = pcrypt_aead_givencrypt;
	inst->tmpl->free = pcrypt_free;

out_put_alg:
	crypto_mod_put(alg);
@@ -397,14 +406,6 @@ static struct crypto_instance *pcrypt_alloc(struct rtattr **tb)
	return ERR_PTR(-EINVAL);
}

static void pcrypt_free(struct crypto_instance *inst)
{
	struct pcrypt_instance_ctx *ctx = crypto_instance_ctx(inst);

	crypto_drop_spawn(&ctx->spawn);
	kfree(inst);
}

static int pcrypt_cpumask_change_notify(struct notifier_block *self,
					unsigned long val, void *data)
{
@@ -517,7 +518,6 @@ static void pcrypt_fini_padata(struct padata_pcrypt *pcrypt)
static struct crypto_template pcrypt_tmpl = {
	.name = "pcrypt",
	.alloc = pcrypt_alloc,
	.free = pcrypt_free,
	.module = THIS_MODULE,
};
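Review bot: The added `inst->tmpl->free = pcrypt_free;` in pcrypt_alloc_aead writes through `inst->tmpl` while the instance is still being allocated, and nothing visible in this section sets `tmpl` before that point; if the crypto core assigns it only at registration (likely in this tree, but not shown here), this is a NULL-pointer write on every pcrypt instantiation. The assignment also mutates the shared `pcrypt_tmpl` at run time, and since the last hunk drops `.free = pcrypt_free,` from the initializer, the template's `free` stays NULL until an allocation gets that far, so any earlier call through `tmpl->free` would go through a NULL function pointer. The description speaks of a ->free() held in the aead_instance, but this tree still uses `cra_aead` with a plain `struct crypto_instance *` and the moved pcrypt_free() body is unchanged, so the safer backport is probably to keep `.free = pcrypt_free,` in `pcrypt_tmpl` and drop the new assignment, after confirming how pcrypt_alloc_instance allocates `inst`. Both pcrypt_alloc_aead and pcrypt_alloc_instance extend outside the hunks shown.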