[PATCH] crypto: atmel-sha204a - Fix potential UAF and memory leak in remove path

[Thorsten Blum]

Do not return early from atmel_sha204a_remove() when the device is busy.
Instead, flush the I2C workqueue before teardown to prevent a potential
UAF if a queued callback runs while the device is being removed.

Also ensure sysfs entries are removed and ->hwrng.priv is freed, to
prevent a memory leak during removal. Change the log level from emerg
to warn because the system is still usable.

Fixes: da001fb651b0 ("crypto: atmel-i2c - add support for SHA204A random number generator")
Cc: stable at vger.kernel.org
Signed-off-by: Thorsten Blum <thorsten.blum at linux.dev>
---
Compile-tested only.
---
 drivers/crypto/atmel-sha204a.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/drivers/crypto/atmel-sha204a.c b/drivers/crypto/atmel-sha204a.c
index 0fcf4a39de27..3afad915aae3 100644
--- a/drivers/crypto/atmel-sha204a.c
+++ b/drivers/crypto/atmel-sha204a.c
@@ -190,10 +190,10 @@ static void atmel_sha204a_remove(struct i2c_client *client)
 {
 	struct atmel_i2c_client_priv *i2c_priv = i2c_get_clientdata(client);
 
-	if (atomic_read(&i2c_priv->tfm_count)) {
-		dev_emerg(&client->dev, "Device is busy, will remove it anyhow\n");
-		return;
-	}
+	if (atomic_read(&i2c_priv->tfm_count))
+		dev_warn(&client->dev, "Device is busy, will remove it anyhow\n");
+
+	atmel_i2c_flush_queue();
 
 	sysfs_remove_group(&client->dev.kobj, &atmel_sha204a_groups);
 
-- 
Thorsten Blum <thorsten.blum at linux.dev>
GPG: 1D60 735E 8AEF 3BE4 73B6  9D84 7336 78FD 8DFE EAD4