
Commit d76c681

ebiggersherbertx
authored andcommitted
crypto: pcrypt - fix freeing pcrypt instances
pcrypt is using the old way of freeing instances, where the ->free() method specified in the 'struct crypto_template' is passed a pointer to the 'struct crypto_instance'. But the crypto_instance is being kfree()'d directly, which is incorrect because the memory was actually allocated as an aead_instance, which contains the crypto_instance at a nonzero offset. Thus, the wrong pointer was being kfree()'d. Fix it by switching to the new way to free aead_instance's where the ->free() method is specified in the aead_instance itself. Reported-by: syzbot <syzkaller@googlegroups.com> Fixes: 0496f56 ("crypto: pcrypt - Add support for new AEAD interface") Cc: <stable@vger.kernel.org> # v4.2+ Signed-off-by: Eric Biggers <ebiggers@google.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
1 parent 203f450 commit d76c681


1 file changed

+10
-9
lines changed


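--- a/crypto/pcrypt.c
+++ b/crypto/pcrypt.c
@@ -254,6 +254,14 @@ static void pcrypt_aead_exit_tfm(struct crypto_aead *tfm)
 crypto_free_aead(ctx->child);
 }
 
+static void pcrypt_free(struct aead_instance *inst)
+{
+struct pcrypt_instance_ctx *ctx = aead_instance_ctx(inst);
+
+crypto_drop_aead(&ctx->spawn);
+kfree(inst);
+}
+
 static int pcrypt_init_instance(struct crypto_instance *inst,
 struct crypto_alg *alg)
 {
@@ -319,6 +327,8 @@ static int pcrypt_create_aead(struct crypto_template *tmpl, struct rtattr **tb,
 inst->alg.encrypt = pcrypt_aead_encrypt;
 inst->alg.decrypt = pcrypt_aead_decrypt;
 
+inst->free = pcrypt_free;
+
 err = aead_register_instance(tmpl, inst);
 if (err)
 goto out_drop_aead;
@@ -349,14 +359,6 @@ static int pcrypt_create(struct crypto_template *tmpl, struct rtattr **tb)
 return -EINVAL;
 }
 
-static void pcrypt_free(struct crypto_instance *inst)
-{
-struct pcrypt_instance_ctx *ctx = crypto_instance_ctx(inst);
-
-crypto_drop_aead(&ctx->spawn);
-kfree(inst);
-}
-
 static int pcrypt_cpumask_change_notify(struct notifier_block *self,
 unsigned long val, void *data)
 {
@@ -469,7 +471,6 @@ static void pcrypt_fini_padata(struct padata_pcrypt *pcrypt)
 static struct crypto_template pcrypt_tmpl = {
 .name = "pcrypt",
 .create = pcrypt_create,
-.free = pcrypt_free,
 .module = THIS_MODULE,
 };
 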