From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-alma10-1.taild15c8.ts.net [100.103.45.18]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id A19FE3E95A4; Wed, 20 May 2026 18:11:04 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=100.103.45.18 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1779300665; cv=none; b=PW029qMu9woCmuc0HmUIzRCAgod2G3mWmcPqsNHj8u7MuJWbr9aepKSGNMoCA9+cfbsU7aQNO8QO9tEkMeUg/FnTUqfNYwv3LnP/9a6oGmz++qcbDRCB7k0r1tDFivzVo+UIxYJC0WNBGFlutinPetnihclNfwjXfLAg8qF5Rxg= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1779300665; c=relaxed/simple; bh=cvhLOhEd23ePWjJAUMkZ9+D7c0mYmn2zuT0Znjejdj0=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=kMWil82Rr2rRFpmPzoS8ckmlcjg+RLRwqQvVQybo+nI0e3pGF3/irPiVg05RppkMVPPkgLfTeKhW/cHuNmEJCKsEoIpUqIL9FpvDTaoZjKBMtYlX9sVO+grK5VFMrFrUnEtwzxI4mJ3IOYm5V0M2qUHoqFmsrN63bzNC6ggy1Cw= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b=hm7paTfo; arc=none smtp.client-ip=100.103.45.18 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b="hm7paTfo" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 0419C1F00893; Wed, 20 May 2026 18:11:03 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linuxfoundation.org; s=korg; t=1779300664; bh=DQF8+lBSKt5EgJ3FF7Whk8cAp+UTvleZ15v7xU9Jw3Q=; h=From:To:Cc:Subject:Date:In-Reply-To:References; b=hm7paTfomwjI0yipyLh7/QK7+AsKhpOVaBvrlkVk/t8pZgKFar7uOY+0EDdpY+WTX N1mLA+YRkOJb+RI1jhkrD+WXnLDDhpNx3/m7e3CHUwd25kZ7ZopMzAYe+zwgiZJQ1A 6BcAZ97xXbr1mYySyp+ZSKzY8EuaosW/GBkxgaGE= From: Greg Kroah-Hartman To: stable@vger.kernel.org Cc: Greg Kroah-Hartman , patches@lists.linux.dev, Joshua Klinesmith , Namjae Jeon , Steve French , Sasha Levin Subject: [PATCH 6.12 262/666] ksmbd: fix use-after-free from async crypto on Qualcomm crypto engine Date: Wed, 20 May 2026 18:17:53 +0200 Message-ID: <20260520162116.896284018@linuxfoundation.org> X-Mailer: git-send-email 2.54.0 In-Reply-To: <20260520162111.222830634@linuxfoundation.org> References: <20260520162111.222830634@linuxfoundation.org> User-Agent: quilt/0.69 X-stable: review X-Patchwork-Hint: ignore Precedence: bulk X-Mailing-List: patches@lists.linux.dev List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit 6.12-stable review patch. If anyone has any objections, please let me know. ------------------ From: Joshua Klinesmith [ Upstream commit 3e298897f41c61450c2e7a4f457e8b2485eb35b3 ] ksmbd_crypt_message() sets a NULL completion callback on AEAD requests and does not handle the -EINPROGRESS return code from async hardware crypto engines like the Qualcomm Crypto Engine (QCE). When QCE returns -EINPROGRESS, ksmbd treats it as an error and immediately frees the request while the hardware DMA operation is still in flight. The DMA completion callback then dereferences freed memory, causing a NULL pointer crash: pc : qce_skcipher_done+0x24/0x174 lr : vchan_complete+0x230/0x27c ... el1h_64_irq+0x68/0x6c ksmbd_free_work_struct+0x20/0x118 [ksmbd] ksmbd_exit_file_cache+0x694/0xa4c [ksmbd] Use the standard crypto_wait_req() pattern with crypto_req_done() as the completion callback, matching the approach used by the SMB client in fs/smb/client/smb2ops.c. This properly handles both synchronous engines (immediate return) and async engines (-EINPROGRESS followed by callback notification). Fixes: e2f34481b24d ("cifsd: add server-side procedures for SMB3") Link: https://github.com/openwrt/openwrt/issues/21822 Signed-off-by: Joshua Klinesmith Acked-by: Namjae Jeon Signed-off-by: Steve French Signed-off-by: Sasha Levin --- fs/smb/server/auth.c | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/fs/smb/server/auth.c b/fs/smb/server/auth.c index c12dcb0a47dd5..fea62d1cc4732 100644 --- a/fs/smb/server/auth.c +++ b/fs/smb/server/auth.c @@ -1111,6 +1111,7 @@ int ksmbd_crypt_message(struct ksmbd_work *work, struct kvec *iov, struct smb2_transform_hdr *tr_hdr = smb2_get_msg(iov[0].iov_base); unsigned int assoc_data_len = sizeof(struct smb2_transform_hdr) - 20; int rc; + DECLARE_CRYPTO_WAIT(wait); struct scatterlist *sg; u8 sign[SMB2_SIGNATURE_SIZE] = {}; u8 key[SMB3_ENC_DEC_KEY_SIZE]; @@ -1197,12 +1198,12 @@ int ksmbd_crypt_message(struct ksmbd_work *work, struct kvec *iov, aead_request_set_crypt(req, sg, sg, crypt_len, iv); aead_request_set_ad(req, assoc_data_len); - aead_request_set_callback(req, CRYPTO_TFM_REQ_MAY_SLEEP, NULL, NULL); + aead_request_set_callback(req, CRYPTO_TFM_REQ_MAY_BACKLOG | + CRYPTO_TFM_REQ_MAY_SLEEP, + crypto_req_done, &wait); - if (enc) - rc = crypto_aead_encrypt(req); - else - rc = crypto_aead_decrypt(req); + rc = crypto_wait_req(enc ? crypto_aead_encrypt(req) : + crypto_aead_decrypt(req), &wait); if (rc) goto free_iv; -- 2.53.0