Skip to content

Commit c5a45d1

Browse files
tobluxgregkh
toblux
authored and
gregkh
committed
crypto: atmel-sha204a - Fix potential UAF and memory leak in remove path
commit bab1adf upstream. Unregister the hwrng to prevent new ->read() calls and flush the Atmel I2C workqueue before teardown to prevent a potential UAF if a queued callback runs while the device is being removed. Drop the early return to ensure sysfs entries are removed and ->hwrng.priv is freed, preventing a memory leak. Fixes: da001fb ("crypto: atmel-i2c - add support for SHA204A random number generator") Cc: stable@vger.kernel.org Signed-off-by: Thorsten Blum <thorsten.blum@linux.dev> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
1 parent 5281e6e commit c5a45d1

1 file changed

Lines changed: 2 additions & 4 deletions

File tree

drivers/crypto/atmel-sha204a.c

Lines changed: 2 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -125,10 +125,8 @@ static void atmel_sha204a_remove(struct i2c_client *client)
125125
{
126126
struct atmel_i2c_client_priv *i2c_priv = i2c_get_clientdata(client);
127127

128-
if (atomic_read(&i2c_priv->tfm_count)) {
129-
dev_emerg(&client->dev, "Device is busy, will remove it anyhow\n");
130-
return;
131-
}
128+
devm_hwrng_unregister(&client->dev, &i2c_priv->hwrng);
129+
atmel_i2c_flush_queue();
132130

133131
kfree((void *)i2c_priv->hwrng.priv);
134132
}

0 commit comments

Comments
 (0)