From: sashiko-bot@kernel.org
To: "Bartosz Golaszewski" <bartosz.golaszewski@oss.qualcomm.com>
Cc: Frank.Li@kernel.org, dmaengine@vger.kernel.org, vkoul@kernel.org
Subject: Re: [PATCH v19 07/14] crypto: qce - Cancel work on device detach
Date: Tue, 26 May 2026 15:33:55 +0000 [thread overview]
Message-ID: <20260526153355.63FDF1F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260526-qcom-qce-cmd-descr-v19-7-08472fdcbf4a@oss.qualcomm.com>
Thank you for your contribution! Sashiko AI review found 2 potential issue(s) to consider:
New issues:
- [High] The patch introduces a devres action to cancel the workqueue but registers it before DMA request and mutex initialization, causing a teardown order that leads to Use-After-Free and locking of a destroyed mutex.
Pre-existing issues:
- [High] Synchronous freeing of `qce_alg_template` in algorithm unregistration functions can lead to a Use-After-Free if active Transform (tfm) instances are still in use.
--
commit 346a6daf560fef47a46685921528f09b6a107436
Author: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
crypto: qce - Cancel work on device detach
This commit introduces a devres action to cancel the done_work workqueue
during device detach or probe error. It moves the workqueue initialization
earlier in the probe sequence to ensure it is cancelled after outstanding
DMA transfers are terminated. Additionally, it ensures all transfers are
explicitly terminated in the DMA release action.
Closes: https://sashiko.dev/#/patchset/20260427-qcom-qce-cmd-descr-v16-0-945fd1cafbbc%40oss.qualcomm.com?part=7
> diff --git a/drivers/crypto/qce/core.c b/drivers/crypto/qce/core.c
> index b966f3365b7de..f671946cf7351 100644
> --- a/drivers/crypto/qce/core.c
> +++ b/drivers/crypto/qce/core.c
[ ... ]
> @@ -227,6 +234,11 @@ static int qce_crypto_probe(struct platform_device *pdev)
> if (ret)
> return ret;
>
> + INIT_WORK(&qce->done_work, qce_req_done_work);
> + ret = devm_add_action_or_reset(dev, qce_cancel_work, &qce->done_work);
> + if (ret)
> + return ret;
> +
> ret = devm_qce_dma_request(qce->dev, &qce->dma);
> if (ret)
> return ret;
[Severity: High]
Does registering the work cancellation before DMA and mutex initialization
introduce a teardown order issue?
Devres actions execute in reverse order of registration (LIFO). During driver
unbind or probe failure, the cleanup sequence would be:
1. Mutex is destroyed (via devm_mutex_init cleanup)
2. qce_dma_release() executes, releasing DMA channels and freeing
dma->result_buf
3. qce_cancel_work() synchronously cancels the workqueue
If the work item (qce_req_done_work) is scheduled before the workqueue is
cancelled, could it execute concurrently with or after the mutex and DMA
cleanups?
When the work runs, it might attempt to lock the destroyed qce->lock and
dequeue the next crypto request using the freed dma->result_buf, which
could lead to a use-after-free.
> @@ -239,7 +251,6 @@ static int qce_crypto_probe(struct platform_device *pdev)
> if (ret)
> return ret;
>
> - INIT_WORK(&qce->done_work, qce_req_done_work);
> crypto_init_queue(&qce->queue, QCE_QUEUE_LENGTH);
>
> qce->async_req_enqueue = qce_async_request_enqueue;
[ ... ]
> diff --git a/drivers/crypto/qce/dma.c b/drivers/crypto/qce/dma.c
> index 68cafd4741ad3..7ec9d72fd690f 100644
> --- a/drivers/crypto/qce/dma.c
> +++ b/drivers/crypto/qce/dma.c
> @@ -13,6 +13,8 @@ static void qce_dma_release(void *data)
> {
> struct qce_dma_data *dma = data;
>
> + dmaengine_terminate_sync(dma->txchan);
> + dmaengine_terminate_sync(dma->rxchan);
> dma_release_channel(dma->txchan);
> dma_release_channel(dma->rxchan);
> kfree(dma->result_buf);
[Severity: High]
This is a pre-existing issue, but is it safe to synchronously free the
algorithm templates during unregistration?
In unregistration paths like qce_skcipher_unregister(), the driver calls
crypto_unregister_skcipher() and immediately calls kfree(tmpl).
However, crypto_unregister_skcipher() only drops the algorithm registration
reference; it does not block until all active transform (tfm) instances are
destroyed.
If an application holds a reference to the algorithm (e.g. via an AF_ALG
socket) and the device is unbound, the remove function could execute and
synchronously free the memory.
If the application then continues to submit requests, could it access the
synchronously freed tmpl structure, leading to a use-after-free?
Would it be better to use the alg->cra_destroy callback to dynamically free
the template when the final reference is dropped?
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260526-qcom-qce-cmd-descr-v19-0-08472fdcbf4a@oss.qualcomm.com?part=7
next prev parent reply other threads:[~2026-05-26 15:33 UTC|newest]
Thread overview: 29+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-26 13:10 [PATCH v19 00/14] crypto/dmaengine: qce: introduce BAM locking and use DMA for register I/O Bartosz Golaszewski
2026-05-26 13:10 ` [PATCH v19 01/14] dmaengine: constify struct dma_descriptor_metadata_ops Bartosz Golaszewski
2026-05-26 13:10 ` [PATCH v19 02/14] dmaengine: qcom: bam_dma: free interrupt before the clock in error path Bartosz Golaszewski
2026-05-26 13:45 ` sashiko-bot
2026-05-26 13:10 ` [PATCH v19 03/14] dmaengine: qcom: bam_dma: convert tasklet to a BH workqueue Bartosz Golaszewski
2026-05-26 14:17 ` sashiko-bot
2026-05-26 13:10 ` [PATCH v19 04/14] dmaengine: qcom: bam_dma: Extend the driver's device match data Bartosz Golaszewski
2026-05-26 13:10 ` [PATCH v19 05/14] dmaengine: qcom: bam_dma: Add pipe_lock_supported flag support Bartosz Golaszewski
2026-05-26 13:10 ` [PATCH v19 06/14] dmaengine: qcom: bam_dma: add support for BAM locking Bartosz Golaszewski
2026-05-26 15:01 ` sashiko-bot
2026-05-26 13:10 ` [PATCH v19 07/14] crypto: qce - Cancel work on device detach Bartosz Golaszewski
2026-05-26 15:33 ` sashiko-bot [this message]
2026-05-26 13:10 ` [PATCH v19 08/14] crypto: qce - Include algapi.h in the core.h header Bartosz Golaszewski
2026-05-26 13:10 ` [PATCH v19 09/14] crypto: qce - Remove unused ignore_buf Bartosz Golaszewski
2026-05-26 15:57 ` sashiko-bot
2026-05-26 13:10 ` [PATCH v19 10/14] crypto: qce - Simplify arguments of devm_qce_dma_request() Bartosz Golaszewski
2026-05-26 13:10 ` [PATCH v19 11/14] crypto: qce - Use existing devres APIs in devm_qce_dma_request() Bartosz Golaszewski
2026-05-26 16:09 ` sashiko-bot
2026-05-26 13:11 ` [PATCH v19 12/14] crypto: qce - Map crypto memory for DMA Bartosz Golaszewski
2026-05-26 16:30 ` sashiko-bot
2026-05-26 13:11 ` [PATCH v19 13/14] crypto: qce - Add BAM DMA support for crypto register I/O Bartosz Golaszewski
2026-05-26 17:13 ` sashiko-bot
2026-05-26 13:11 ` [PATCH v19 14/14] crypto: qce - Communicate the base physical address to the dmaengine Bartosz Golaszewski
2026-05-26 18:20 ` sashiko-bot
2026-05-29 16:22 ` [PATCH v19 00/14] crypto/dmaengine: qce: introduce BAM locking and use DMA for register I/O Eric Biggers
2026-05-31 16:27 ` Bartosz Golaszewski
2026-06-02 16:38 ` Stephan Gerhold
2026-06-04 10:24 ` Vinod Koul
2026-06-04 11:50 ` Bartosz Golaszewski
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260526153355.63FDF1F000E9@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=Frank.Li@kernel.org \
--cc=bartosz.golaszewski@oss.qualcomm.com \
--cc=dmaengine@vger.kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
--cc=vkoul@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.