988a0f5242
BugLink: https://bugs.launchpad.net/bugs/2071668 commit d3b17c6d9dddc2db3670bc9be628b122416a3d26 upstream. Using completion_done to determine whether the caller has gone away only works after a complete call. Furthermore it's still possible that the caller has not yet called wait_for_completion, resulting in another potential UAF. Fix this by making the caller use cancel_work_sync and then freeing the memory safely. Fixes: 7d42e097607c ("crypto: qat - resolve race condition during AER recovery") Cc: <stable@vger.kernel.org> #6.8+ Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Reviewed-by: Giovanni Cabiddu <giovanni.cabiddu@intel.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Portia Stephens <portia.stephens@canonical.com> Signed-off-by: Stefan Bader <stefan.bader@canonical.com> |
||
|---|---|---|
| .. | ||
| amcc | ||
| axis | ||
| bcm | ||
| caam | ||
| cavium | ||
| ccp | ||
| ccree | ||
| chelsio | ||
| hisilicon | ||
| inside-secure | ||
| marvell | ||
| mediatek | ||
| nx | ||
| qat | ||
| qce | ||
| rockchip | ||
| stm32 | ||
| sunxi-ss | ||
| ux500 | ||
| virtio | ||
| vmx | ||
| Kconfig | ||
| Makefile | ||
| atmel-aes-regs.h | ||
| atmel-aes.c | ||
| atmel-authenc.h | ||
| atmel-ecc.c | ||
| atmel-i2c.c | ||
| atmel-i2c.h | ||
| atmel-sha-regs.h | ||
| atmel-sha.c | ||
| atmel-sha204a.c | ||
| atmel-tdes-regs.h | ||
| atmel-tdes.c | ||
| exynos-rng.c | ||
| geode-aes.c | ||
| geode-aes.h | ||
| hifn_795x.c | ||
| img-hash.c | ||
| ixp4xx_crypto.c | ||
| mxs-dcp.c | ||
| n2_asm.S | ||
| n2_core.c | ||
| n2_core.h | ||
| omap-aes-gcm.c | ||
| omap-aes.c | ||
| omap-aes.h | ||
| omap-crypto.c | ||
| omap-crypto.h | ||
| omap-des.c | ||
| omap-sham.c | ||
| padlock-aes.c | ||
| padlock-sha.c | ||
| picoxcell_crypto.c | ||
| picoxcell_crypto_regs.h | ||
| qcom-rng.c | ||
| s5p-sss.c | ||
| sahara.c | ||
| talitos.c | ||
| talitos.h | ||