[PATCH] crypto: atmel-ecc - fix potential use-after-free in remove path
From: Thorsten Blum
Date: Thu Apr 02 2026 - 09:20:42 EST

Flush the Atmel I2C workqueue before teardown to prevent a potential
use-after-free if a queued callback runs while the device is being
removed.

Drop the early return to ensure the driver always unregisters the KPP
algorithm and removes the client from the global list instead of
aborting teardown when the device is busy.

Fixes: 11105693fa05 ("crypto: atmel-ecc - introduce Microchip / Atmel ECC driver")
Cc: stable@xxxxxxxxxxxxxxx
Signed-off-by: Thorsten Blum <thorsten.blum@xxxxxxxxx>
---
drivers/crypto/atmel-ecc.c | 15 +--------------
1 file changed, 1 insertion(+), 14 deletions(-)
diff --git a/drivers/crypto/atmel-ecc.c b/drivers/crypto/atmel-ecc.c
index b6a77c8d439c..6dbd0f70dd84 100644
--- a/drivers/crypto/atmel-ecc.c
+++ b/drivers/crypto/atmel-ecc.c
@@ -346,21 +346,8 @@ static void atmel_ecc_remove(struct i2c_client *client)
{
struct atmel_i2c_client_priv *i2c_priv = i2c_get_clientdata(client);
- /* Return EBUSY if i2c client already allocated. */
- if (atomic_read(&i2c_priv->tfm_count)) {
- /*
- * After we return here, the memory backing the device is freed.
- * That happens no matter what the return value of this function
- * is because in the Linux device model there is no error
- * handling for unbinding a driver.
- * If there is still some action pending, it probably involves
- * accessing the freed memory.
- */
- dev_emerg(&client->dev, "Device is busy, expect memory corruption.\n");
- return;
- }
-
crypto_unregister_kpp(&atmel_ecdh_nist_p256);
+ atmel_i2c_flush_queue();
spin_lock(&driver_data.i2c_list_lock);
list_del(&i2c_priv->i2c_client_list_node);
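
Review bot: with the tfm_count check deleted at the top of atmel_ecc_remove(), nothing visible here covers a tfm that still holds this client and submits a request after atmel_i2c_flush_queue() has returned; a flush can only wait for work that is already queued. The removed comment named exactly that case ("If there is still some action pending, it probably involves accessing the freed memory"), and the commit message explains the queued-callback race but not why no new work can arrive once crypto_unregister_kpp() has run. Please add a short comment above the atmel_i2c_flush_queue() call stating that ordering guarantee, or, if it does not hold for tfms that are already allocated, keep a non-returning warning when atomic_read(&i2c_priv->tfm_count) is non-zero so the condition stays visible in the log instead of becoming silent.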