crypto: api - Use work queue in crypto_destroy_instance

The function crypto_drop_spawn expects to be called in process
context.  However, when an instance is unregistered while it still
has active users, the last user may cause the instance to be freed
in atomic context.

Fix this by delaying the freeing to a work queue.

Fixes: 6bfd48096ff8 ("[CRYPTO] api: Added spawns")
Reported-by: Florent Revest <revest@chromium.org>
Reported-by: syzbot+d769eed29cc42d75e2a3@syzkaller.appspotmail.com
Reported-by: syzbot+610ec0671f51e838436e@syzkaller.appspotmail.com
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Tested-by: Florent Revest <revest@chromium.org>
Acked-by: Florent Revest <revest@chromium.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>

diff --git a/crypto/algapi.c b/crypto/algapi.c
index 5e7cd603d489c9fc812887447e3bf3fbc8513c7c..4fe95c44804733c5ff41c449dcfa31e87c044c79 100644 (file)
--- a/crypto/algapi.c
+++ b/crypto/algapi.c
@@ -17,6 +17,7 @@
 #include <linux/rtnetlink.h>
 #include <linux/slab.h>
 #include <linux/string.h>
+#include <linux/workqueue.h>
 
 #include "internal.h"
 
@@ -74,15 +75,26 @@ static void crypto_free_instance(struct crypto_instance *inst)
        inst->alg.cra_type->free(inst);
 }
 
-static void crypto_destroy_instance(struct crypto_alg *alg)
+static void crypto_destroy_instance_workfn(struct work_struct *w)
 {
-       struct crypto_instance *inst = (void *)alg;
+       struct crypto_instance *inst = container_of(w, struct crypto_instance,
+                                                   free_work);
        struct crypto_template *tmpl = inst->tmpl;
 
        crypto_free_instance(inst);
        crypto_tmpl_put(tmpl);
 }
 
+static void crypto_destroy_instance(struct crypto_alg *alg)
+{
+       struct crypto_instance *inst = container_of(alg,
+                                                   struct crypto_instance,
+                                                   alg);
+
+       INIT_WORK(&inst->free_work, crypto_destroy_instance_workfn);
+       schedule_work(&inst->free_work);
+}
+
 /*
  * This function adds a spawn to the list secondary_spawns which
  * will be used at the end of crypto_remove_spawns to unregister

diff --git a/include/crypto/algapi.h b/include/crypto/algapi.h
index 6156161b181f1dfa8d3810894352916f9ffb66f2..ca86f4c6ba4394184459d918718814b5cc889154 100644 (file)
--- a/include/crypto/algapi.h
+++ b/include/crypto/algapi.h
@@ -12,6 +12,7 @@
 #include <linux/cache.h>
 #include <linux/crypto.h>
 #include <linux/types.h>
+#include <linux/workqueue.h>
 
 /*
  * Maximum values for blocksize and alignmask, used to allocate
@@ -82,6 +83,8 @@ struct crypto_instance {
                struct crypto_spawn *spawns;
        };
 
+       struct work_struct free_work;
+
        void *__ctx[] CRYPTO_MINALIGN_ATTR;
 };