[PATCH v3 02/12] crypto: atmel-ecc - fix use after free situation
Krzysztof Kozlowski
krzk at kernel.org
Thu May 21 03:16:37 PDT 2026
On 20/05/2026 17:56, Lothar Rubusch wrote:
> Fixes the very likely race condition, having multiple of such devices
> attached (identified by sashiko feedback).
>
> The Scenario:
> Thread A (Device 1 Probe): Successfully adds i2c_priv to the global
> list (Line 324). The lock is released.
> Thread B (An active crypto request): Concurrently calls
> atmel_ecc_i2c_client_alloc(). It scans the global list, sees
> Device 1, and assigns a crypto job to it.
> Thread A: Moves to line 332. crypto_register_kpp() fails (e.g., out of
> memory or name clash).
> Thread A: Enters the error path. It removes Device 1 from the list and
> frees the i2c_priv memory.
> Thread B: Is still actively trying to talk to the I2C hardware using
> the i2c_priv pointer it grabbed in Step 2. The memory is now
> gone. Result: Kernel crash (Use-After-Free).
>
> Fixes: 11105693fa05 ("crypto: atmel-ecc - introduce Microchip / Atmel ECC driver")

Please add Cc-stable

> Signed-off-by: Lothar Rubusch <l.rubusch at gmail.com>
> ---

And fixes must be before any code refactorings, so your rename patch
should be after.

Best regards,
Krzysztof
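
The interleaving from the quoted scenario, reduced to a deterministic userspace C model. This is an added example, not code from the patch or from the atmel-ecc driver. All names are hypothetical, and the publish-last ordering is an assumed way to close the window, not necessarily what the patch does.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Userspace model of the interleaving; all names are hypothetical. */
struct dev { bool freed; };            /* stands in for i2c_priv */
static struct dev *global_list;        /* one-slot stand-in for the global list */
static struct dev *grabbed;            /* pointer Thread B walks away with */

/* Thread B: picks whatever device is currently published. */
static void thread_b(void) { grabbed = global_list; }

/* Ordering from the commit message: publish, register, unwind on failure. */
static int probe_publish_first(struct dev *d, bool reg_ok)
{
    global_list = d;                   /* added to list, lock released */
    thread_b();                        /* Thread B runs in the window */
    if (!reg_ok) {                     /* registration failed */
        global_list = NULL;            /* removed from list */
        d->freed = true;               /* models freeing i2c_priv */
        return -1;
    }
    return 0;
}

/* Assumed alternative: publish only after every fallible step succeeded. */
static int probe_publish_last(struct dev *d, bool reg_ok)
{
    thread_b();                        /* same interleaving point */
    if (!reg_ok) {
        d->freed = true;               /* never published, nobody holds it */
        return -1;
    }
    global_list = d;
    return 0;
}

/* True if Thread B is left holding an object the error path freed. */
static bool dangling_after(int (*probe)(struct dev *, bool))
{
    struct dev d = { false };
    global_list = grabbed = NULL;
    probe(&d, false);                  /* force the registration failure */
    return grabbed != NULL && grabbed->freed;
}

int main(void)
{
    printf("publish-first dangling=%d\n", dangling_after(probe_publish_first));
    printf("publish-last  dangling=%d\n", dangling_after(probe_publish_last));
}
```

The model marks the object as freed instead of releasing it, so the dangling reference can be observed without undefined behaviour.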
More information about the linux-arm-kernel
mailing list