Re: [PATCH v3 02/12] crypto: atmel-ecc - fix use after free situation

From: Krzysztof Kozlowski

Date: Thu May 21 2026 - 06:17:31 EST


On 20/05/2026 17:56, Lothar Rubusch wrote:
> Fixes the very likely race condition when multiple such devices are
> attached (identified by sashiko feedback).
>
> The Scenario:
> Thread A (Device 1 Probe): Successfully adds i2c_priv to the global
> list (Line 324). The lock is released.
> Thread B (An active crypto request): Concurrently calls
> atmel_ecc_i2c_client_alloc(). It scans the global list, sees
> Device 1, and assigns a crypto job to it.
> Thread A: Moves to line 332. crypto_register_kpp() fails (e.g., out of
> memory or name clash).
> Thread A: Enters the error path. It removes Device 1 from the list and
> frees the i2c_priv memory.
> Thread B: Is still actively trying to talk to the I2C hardware using
> the i2c_priv pointer it grabbed in Step 2. The memory is now
> gone. Result: Kernel crash (Use-After-Free).
>
> Fixes: 11105693fa05 ("crypto: atmel-ecc - introduce Microchip / Atmel ECC driver")

Please add Cc-stable

> Signed-off-by: Lothar Rubusch <l.rubusch@xxxxxxxxx>
> ---

And fixes must be before any code refactorings, so your rename patch
should be after.


Best regards,
Krzysztof
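
The window described in the quoted commit message, replayed deterministically in user space; this is an added example, not code from the patch or from the atmel-ecc driver. `struct dev`, `global_slot`, `register_alg()` and both probe functions are hypothetical stand-ins, and the second ordering is one assumed way to close the window, not necessarily what the patch does.

```c
#include <stdbool.h>
#include <stddef.h>

/* Constructed model, not the atmel-ecc driver: one slot stands in for the
 * global client list, and `freed` stands in for kfree() so the stale
 * pointer can be observed without real undefined behaviour. */
struct dev { bool freed; int tfm_count; };
static struct dev *global_slot;

/* Thread B: the lookup atmel_ecc_i2c_client_alloc() does in the scenario. */
static struct dev *client_alloc(void)
{
    struct dev *d = global_slot;
    if (d)
        d->tfm_count++;
    return d;
}

/* Stand-in for crypto_register_kpp(); `ok` selects success or failure. */
static int register_alg(bool ok) { return ok ? 0 : -1; }

/* Ordering from the scenario: publish, register, unwind on failure.
 * *grabbed receives what thread B picked up inside the window. */
static int probe_publish_first(struct dev *d, bool ok, struct dev **grabbed)
{
    global_slot = d;             /* device is now visible to thread B */
    *grabbed = client_alloc();   /* thread B runs inside the window */
    if (register_alg(ok)) {
        global_slot = NULL;      /* error path: unlist ... */
        d->freed = true;         /* ... and free while B still holds d */
        return -1;
    }
    return 0;
}

/* Assumed alternative: publish only after the last step that can fail. */
static int probe_register_first(struct dev *d, bool ok, struct dev **grabbed)
{
    *grabbed = client_alloc();   /* thread B runs at the same point */
    if (register_alg(ok)) {
        d->freed = true;         /* never listed, so nobody holds d */
        return -1;
    }
    global_slot = d;
    return 0;
}

/* True when thread B is left holding a pointer to freed memory. */
static bool stale_pointer(const struct dev *g) { return g && g->freed; }
```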