crypto: iaa - Fix potential use after free bug

Dan Carpenter · gregkh · commit c66f0be993ba · 2024-10-04T16:37:15.000+02:00
[ Upstream commit e0d3b84 ] The free_device_compression_mode(iaa_device, device_mode) function frees "device_mode" but it iss passed to iaa_compression_modes[i]->free() a few lines later resulting in a use after free. The good news is that, so far as I can tell, nothing implements the ->free() function and the use after free happens in dead code. But, with this fix, when something does implement it, we'll be ready. :) Fixes: b190447 ("crypto: iaa - Add compression mode management along with fixed mode") Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org> Reviewed-by: Tom Zanussi <tom.zanussi@linux.intel.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: Sasha Levin <sashal@kernel.org>
diff --git a/drivers/crypto/intel/iaa/iaa_crypto_main.c b/drivers/crypto/intel/iaa/iaa_crypto_main.c
@@ -495,10 +495,10 @@ static void remove_device_compression_modes(struct iaa_device *iaa_device)
 		if (!device_mode)
 			continue;
 
-		free_device_compression_mode(iaa_device, device_mode);
-		iaa_device->compression_modes[i] = NULL;
 		if (iaa_compression_modes[i]->free)
 			iaa_compression_modes[i]->free(device_mode);
+		free_device_compression_mode(iaa_device, device_mode);
+		iaa_device->compression_modes[i] = NULL;
 	}
 }
 

Original file line number	Diff line number	Diff line change
`@@ -495,10 +495,10 @@ static void remove_device_compression_modes(struct iaa_device *iaa_device)`
`495`	`495`	`if (!device_mode)`
`496`	`496`	`continue;`
`497`	`497`
`498`		`- free_device_compression_mode(iaa_device, device_mode);`
`499`		`- iaa_device->compression_modes[i] = NULL;`
`500`	`498`	`if (iaa_compression_modes[i]->free)`
`501`	`499`	`iaa_compression_modes[i]->free(device_mode);`
	`500`	`+ free_device_compression_mode(iaa_device, device_mode);`
	`501`	`+ iaa_device->compression_modes[i] = NULL;`
`502`	`502`	`}`
`503`	`503`	`}`
`504`	`504`