* [PATCH] crypto: atmel-ecc - fix potential use-after-free in remove path
@ 2026-04-02 13:05 Thorsten Blum
From: Thorsten Blum @ 2026-04-02 13:05 UTC (permalink / raw)
To: Herbert Xu, David S. Miller, Nicolas Ferre, Alexandre Belloni,
Claudiu Beznea, Tudor Ambarus
Cc: Thorsten Blum, stable, linux-crypto, linux-arm-kernel,
linux-kernel
Flush the Atmel I2C workqueue before teardown to prevent a potential
use-after-free if a queued callback runs while the device is being
removed.
Drop the early return to ensure the driver always unregisters the KPP
algorithm and removes the client from the global list instead of
aborting teardown when the device is busy.
Fixes: 11105693fa05 ("crypto: atmel-ecc - introduce Microchip / Atmel ECC driver")
Cc: stable@vger.kernel.org
Signed-off-by: Thorsten Blum <thorsten.blum@linux.dev>
---
drivers/crypto/atmel-ecc.c | 15 +--------------
1 file changed, 1 insertion(+), 14 deletions(-)
diff --git a/drivers/crypto/atmel-ecc.c b/drivers/crypto/atmel-ecc.c
index b6a77c8d439c..6dbd0f70dd84 100644
--- a/drivers/crypto/atmel-ecc.c
+++ b/drivers/crypto/atmel-ecc.c
@@ -346,21 +346,8 @@ static void atmel_ecc_remove(struct i2c_client *client)
{
struct atmel_i2c_client_priv *i2c_priv = i2c_get_clientdata(client);
- /* Return EBUSY if i2c client already allocated. */
- if (atomic_read(&i2c_priv->tfm_count)) {
- /*
- * After we return here, the memory backing the device is freed.
- * That happens no matter what the return value of this function
- * is because in the Linux device model there is no error
- * handling for unbinding a driver.
- * If there is still some action pending, it probably involves
- * accessing the freed memory.
- */
- dev_emerg(&client->dev, "Device is busy, expect memory corruption.\n");
- return;
- }
-
crypto_unregister_kpp(&atmel_ecdh_nist_p256);
+ atmel_i2c_flush_queue();
spin_lock(&driver_data.i2c_list_lock);
list_del(&i2c_priv->i2c_client_list_node);
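Review bot: the added atmel_i2c_flush_queue() call after crypto_unregister_kpp() only deals with work that is already queued; a caller that still holds a tfm (the state the deleted `if (atomic_read(&i2c_priv->tfm_count))` branch detected) can still submit a new request after the flush returns and before list_del(&i2c_priv->i2c_client_list_node), so the window is narrowed rather than closed, and dropping the branch also removes the only diagnostic for that state (`dev_emerg(&client->dev, "Device is busy, expect memory corruption.\n");`). Suggest keeping the tfm_count check as a warning and pairing the flush with a mechanism that makes requests on existing tfms fail gracefully once removal has started, rather than relying on the flush alone.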
* Re: [PATCH] crypto: atmel-ecc - fix potential use-after-free in remove path
From: Herbert Xu @ 2026-04-12 8:41 UTC (permalink / raw)
To: Thorsten Blum
Cc: David S. Miller, Nicolas Ferre, Alexandre Belloni, Claudiu Beznea,
Tudor Ambarus, stable, linux-crypto, linux-arm-kernel,
linux-kernel
On Thu, Apr 02, 2026 at 03:05:38PM +0200, Thorsten Blum wrote:
> Flush the Atmel I2C workqueue before teardown to prevent a potential
> use-after-free if a queued callback runs while the device is being
> removed.
>
> Drop the early return to ensure the driver always unregisters the KPP
> algorithm and removes the client from the global list instead of
> aborting teardown when the device is busy.
>
> Fixes: 11105693fa05 ("crypto: atmel-ecc - introduce Microchip / Atmel ECC driver")
> Cc: stable@vger.kernel.org
> Signed-off-by: Thorsten Blum <thorsten.blum@linux.dev>
> ---
> drivers/crypto/atmel-ecc.c | 15 +--------------
> 1 file changed, 1 insertion(+), 14 deletions(-)
>
> diff --git a/drivers/crypto/atmel-ecc.c b/drivers/crypto/atmel-ecc.c
> index b6a77c8d439c..6dbd0f70dd84 100644
> --- a/drivers/crypto/atmel-ecc.c
> +++ b/drivers/crypto/atmel-ecc.c
> @@ -346,21 +346,8 @@ static void atmel_ecc_remove(struct i2c_client *client)
> {
> struct atmel_i2c_client_priv *i2c_priv = i2c_get_clientdata(client);
>
> - /* Return EBUSY if i2c client already allocated. */
> - if (atomic_read(&i2c_priv->tfm_count)) {
> - /*
> - * After we return here, the memory backing the device is freed.
> - * That happens no matter what the return value of this function
> - * is because in the Linux device model there is no error
> - * handling for unbinding a driver.
> - * If there is still some action pending, it probably involves
> - * accessing the freed memory.
> - */
> - dev_emerg(&client->dev, "Device is busy, expect memory corruption.\n");
> - return;
> - }
> -
> crypto_unregister_kpp(&atmel_ecdh_nist_p256);
> + atmel_i2c_flush_queue();
I don't think this works. Even if you unregister the algorithm,
existing tfms can still access the driver.
You'll need something a bit fancier than this to deal with it by
failing any calls to existing tfms gracefully.
Thanks,
--
Email: Herbert Xu <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt