Re: [PATCH] crypto: rk3288 - Fix use after free in unprepare
From: Andrey Skvortsov
Date: Wed Feb 28 2024 - 08:38:08 EST
On 24-02-28 17:13, Herbert Xu wrote:
> The unprepare call must be carried out before the finalize call
> as the latter can free the request.
>
> Fixes: c66c17a0f69b ("crypto: rk3288 - Remove prepare/unprepare request")
> Reported-by: Andrey Skvortsov <andrej.skvortzov@xxxxxxxxx>
> Cc: <stable@xxxxxxxxxxxxxxx>
> Signed-off-by: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>
>
> diff --git a/drivers/crypto/rockchip/rk3288_crypto_ahash.c b/drivers/crypto/rockchip/rk3288_crypto_ahash.c
> index 1b13b4aa16ec..a235e6c300f1 100644
> --- a/drivers/crypto/rockchip/rk3288_crypto_ahash.c
> +++ b/drivers/crypto/rockchip/rk3288_crypto_ahash.c
> @@ -332,12 +332,12 @@ static int rk_hash_run(struct crypto_engine *engine, void *breq)
> theend:
> pm_runtime_put_autosuspend(rkc->dev);
>
> + rk_hash_unprepare(engine, breq);
> +
> local_bh_disable();
> crypto_finalize_hash_request(engine, breq, err);
> local_bh_enable();
>
> - rk_hash_unprepare(engine, breq);
> -
> return 0;
> }
>
Thanks, that was quick. I had locally the same change.
Reviewed-by: Andrey Skvortsov <andrej.skvortzov@xxxxxxxxx>
--
Best regards,
Andrey Skvortsov