crypto: hisilicon/sec2 - prevent req used-after-free for sec

During packet transmission, if the system is under heavy load,
the hardware might complete processing the packet and free the
request memory (req) before the transmission function finishes.
If the software subsequently accesses this req, a use-after-free
error will occur. The qp_ctx memory exists throughout the packet
sending process, so replace the req with the qp_ctx.

Fixes: f0ae287c5045 ("crypto: hisilicon/sec2 - implement full backlog mode for sec")
Signed-off-by: Wenkai Lin <linwenkai6@hisilicon.com>
Signed-off-by: Chenghai Huang <huangchenghai2@huawei.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>

diff --git a/drivers/crypto/hisilicon/sec2/sec_crypto.c b/drivers/crypto/hisilicon/sec2/sec_crypto.c
index 15174216d8c413eb4698d5032973eed2d0511837..2471a4dd0b508a46b3fa70b4b81ee451cdef69e5 100644 (file)
--- a/drivers/crypto/hisilicon/sec2/sec_crypto.c
+++ b/drivers/crypto/hisilicon/sec2/sec_crypto.c
@@ -230,7 +230,7 @@ static int qp_send_message(struct sec_req *req)
 
        spin_unlock_bh(&qp_ctx->req_lock);
 
-       atomic64_inc(&req->ctx->sec->debug.dfx.send_cnt);
+       atomic64_inc(&qp_ctx->ctx->sec->debug.dfx.send_cnt);
        return -EINPROGRESS;
 }