Re: [PATCH] crypto: atmel-ecc - fix potential use-after-free in remove path

From: Herbert Xu

Date: Sun Apr 12 2026 - 04:41:48 EST


On Thu, Apr 02, 2026 at 03:05:38PM +0200, Thorsten Blum wrote:
> Flush the Atmel I2C workqueue before teardown to prevent a potential
> use-after-free if a queued callback runs while the device is being
> removed.
>
> Drop the early return to ensure the driver always unregisters the KPP
> algorithm and removes the client from the global list instead of
> aborting teardown when the device is busy.
>
> Fixes: 11105693fa05 ("crypto: atmel-ecc - introduce Microchip / Atmel ECC driver")
> Cc: stable@xxxxxxxxxxxxxxx
> Signed-off-by: Thorsten Blum <thorsten.blum@xxxxxxxxx>
> ---
> drivers/crypto/atmel-ecc.c | 15 +--------------
> 1 file changed, 1 insertion(+), 14 deletions(-)
>
> diff --git a/drivers/crypto/atmel-ecc.c b/drivers/crypto/atmel-ecc.c
> index b6a77c8d439c..6dbd0f70dd84 100644
> --- a/drivers/crypto/atmel-ecc.c
> +++ b/drivers/crypto/atmel-ecc.c
> @@ -346,21 +346,8 @@ static void atmel_ecc_remove(struct i2c_client *client)
> {
> struct atmel_i2c_client_priv *i2c_priv = i2c_get_clientdata(client);
>
> - /* Return EBUSY if i2c client already allocated. */
> - if (atomic_read(&i2c_priv->tfm_count)) {
> - /*
> - * After we return here, the memory backing the device is freed.
> - * That happens no matter what the return value of this function
> - * is because in the Linux device model there is no error
> - * handling for unbinding a driver.
> - * If there is still some action pending, it probably involves
> - * accessing the freed memory.
> - */
> - dev_emerg(&client->dev, "Device is busy, expect memory corruption.\n");
> - return;
> - }
> -
> crypto_unregister_kpp(&atmel_ecdh_nist_p256);
> + atmel_i2c_flush_queue();
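
Review bot: With the tfm_count check deleted at the top of atmel_ecc_remove(), nothing in this hunk handles the case where tfm_count is still non-zero. The added atmel_i2c_flush_queue() call covers only work queued before it runs, and no visible line stops a still-allocated tfm from submitting new work afterwards, which is the situation the removed comment described as "accessing the freed memory". Consider marking the client as gone before the flush so that later requests from existing tfms are refused, and keep a short comment (and a warning when tfm_count is non-zero) explaining why remove cannot bail out, since the deleted block was the only documentation of that constraint.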

I don't think this works. Even if you unregister the algorithm,
existing tfm's can still access the driver.

You'll need something a bit fancier than this to deal with it by
failing any calls to existing tfm's gracefully.

Thanks,
--
Email: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt