[PATCH v2] crypto: fix refcount leak in crypto_register_alg()

Next message: Robert Garcia: "[PATCH 5.15.y] smb: client: fix smbdirect_recv_io leak in smbd_negotiate() error path"
Previous message: David Laight: "Re: [PATCH net-next v3 08/14] net: ethernet: oa_tc6: Remove FCS size in RX frame"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Wentao Liang

Date: Wed Jun 03 2026 - 04:15:55 EST

When crypto_check_alg() succeeds it sets the algorithm's refcount
to 1. In crypto_register_alg(), if the algorithm type requires
duplication (CRYPTO_ALG_DUP_FIRST), the code attempts a kmemdup of
the algorithm descriptor. If that allocation fails the function
returns -ENOMEM without calling crypto_alg_put() to release the
reference obtained by crypto_check_alg(), resulting in a refcount
leak.

Fix this by adding the missing crypto_alg_put() before the early
return, matching the handling of the other error paths in the
function.

Cc: stable@xxxxxxxxxxxxxxx
Fixes: f1440a90465b ("crypto: api - Add support for duplicating algorithms before registration")
Signed-off-by: Wentao Liang <vulab@xxxxxxxxxxx>
---
Changes in v2:
- Clarify the refcount lifecycle.
- Fix code error.
---
crypto/algapi.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/crypto/algapi.c b/crypto/algapi.c
index b0e4b13131c3..260d03b328ec 100644
--- a/crypto/algapi.c
+++ b/crypto/algapi.c
@@ -446,9 +446,10 @@ int crypto_register_alg(struct crypto_alg *alg)
u8 *p = (u8 *)alg - algsize;

p = kmemdup(p, algsize + sizeof(*alg), GFP_KERNEL);
- if (!p)
+ if (!p) {
crypto_alg_put(alg);
return -ENOMEM;
+ }

alg = (void *)(p + algsize);
alg->cra_destroy = crypto_free_alg;
--
2.34.1