ksmbd: fix use-after-free from async crypto on Qualcomm crypto engine

author Joshua Klinesmith <joshuaklinesmith@gmail.com>

Tue, 7 Apr 2026 02:31:12 +0000 (22:31 -0400)

committer Steve French <stfrench@microsoft.com>

Sun, 12 Apr 2026 23:07:55 +0000 (18:07 -0500)
author Joshua Klinesmith <joshuaklinesmith@gmail.com>
Tue, 7 Apr 2026 02:31:12 +0000 (22:31 -0400)
committer Steve French <stfrench@microsoft.com>
Sun, 12 Apr 2026 23:07:55 +0000 (18:07 -0500)
diff --git a/fs/smb/server/auth.c b/fs/smb/server/auth.c

index af5f4030433171e2523833259dbead30dc881c42..7d0691f7263fe2d0080563df3c75ccce618e6317 100644 (file)
--- a/fs/smb/server/auth.c
+++ b/fs/smb/server/auth.c
@@ -827,6 +827,7 @@ int ksmbd_crypt_message(struct ksmbd_work *work, struct kvec *iov,
         struct smb2_transform_hdr *tr_hdr = smb_get_msg(iov[0].iov_base);
         unsigned int assoc_data_len = sizeof(struct smb2_transform_hdr) - 20;
         int rc;
+       DECLARE_CRYPTO_WAIT(wait);
         struct scatterlist *sg;
         u8 sign[SMB2_SIGNATURE_SIZE] = {};
         u8 key[SMB3_ENC_DEC_KEY_SIZE];
@@ -913,12 +914,12 @@ int ksmbd_crypt_message(struct ksmbd_work *work, struct kvec *iov,
  
         aead_request_set_crypt(req, sg, sg, crypt_len, iv);
         aead_request_set_ad(req, assoc_data_len);
-       aead_request_set_callback(req, CRYPTO_TFM_REQ_MAY_SLEEP, NULL, NULL);
+       aead_request_set_callback(req, CRYPTO_TFM_REQ_MAY_BACKLOG |
+                                 CRYPTO_TFM_REQ_MAY_SLEEP,
+                                 crypto_req_done, &wait);
  
-       if (enc)
-               rc = crypto_aead_encrypt(req);
-       else
-               rc = crypto_aead_decrypt(req);
+       rc = crypto_wait_req(enc ? crypto_aead_encrypt(req) :
+                            crypto_aead_decrypt(req), &wait);
         if (rc)
                 goto free_iv;
author	Joshua Klinesmith <joshuaklinesmith@gmail.com>
	Tue, 7 Apr 2026 02:31:12 +0000 (22:31 -0400)
committer	Steve French <stfrench@microsoft.com>
	Sun, 12 Apr 2026 23:07:55 +0000 (18:07 -0500)