crypto: lrw - Fix use-after-free on EINPROGRESS

When we get an EINPROGRESS completion in lrw, we will end up marking the request as done and freeing it. This then blows up when the request is really completed as we've already freed the memory. Fixes: 700cb3f ("crypto: lrw - Convert to skcipher") Cc: <[email protected]> Signed-off-by: Herbert Xu <[email protected]>
CamonZ · Apr 10, 2017 · 4702bbe · 4702bbe
1 parent aa4a829
commit 4702bbe
Showing 1 changed file with 16 additions and 0 deletions.
diff --git a/crypto/lrw.c b/crypto/lrw.c
@@ -345,13 +345,21 @@ static void encrypt_done(struct crypto_async_request *areq, int err)
 	struct rctx *rctx;
 
 	rctx = skcipher_request_ctx(req);
+
+	if (err == -EINPROGRESS) {
+		if (rctx->left != req->cryptlen)
+			return;
+		goto out;
+	}
+
 	subreq = &rctx->subreq;
 	subreq->base.flags &= CRYPTO_TFM_REQ_MAY_BACKLOG;
 
 	err = do_encrypt(req, err ?: post_crypt(req));
 	if (rctx->left)
 		return;
 
+out:
 	skcipher_request_complete(req, err);
 }
 
@@ -389,13 +397,21 @@ static void decrypt_done(struct crypto_async_request *areq, int err)
 	struct rctx *rctx;
 
 	rctx = skcipher_request_ctx(req);
+
+	if (err == -EINPROGRESS) {
+		if (rctx->left != req->cryptlen)
+			return;
+		goto out;
+	}
+
 	subreq = &rctx->subreq;
 	subreq->base.flags &= CRYPTO_TFM_REQ_MAY_BACKLOG;
 
 	err = do_decrypt(req, err ?: post_crypt(req));
 	if (rctx->left)
 		return;
 
+out:
 	skcipher_request_complete(req, err);
 }