This push contains the following changes:

- Fix use-after-free in ccp. - Fix bug when SEV is disabled in ccp. - Fix tfm_count leak in atmel-sha204a. -----BEGIN PGP SIGNATURE----- iQIzBAABCgAdFiEEn51F/lCuNhUwmDeSxycdCkmxi6cFAmmqQ0cACgkQxycdCkmx i6eUzg/+PHIyLgwiTcFljyxlJo8g0jDkbaaA+U3E+QImkgCgh+LdhvWp9g1nU2m/ dTcSAue2Vkgvnht7QOm2rQ/CWX+yjs9QOlztpyl7imajFIoTxQ/wRbJ+YO1T07Vr ZQmEO6B/N/GqIlSGvUXVVy9TZN5DhgXol7jWZtmQU+EYjFrLsWUMZd2Q3fDT6eoF 3QdbJBymblv78WxJ0PtMkEpqCF2ikcDCrX4mokrrXZXyakp263pzH7pbWl1xLXR5 fUZoTsGcyh2Me2Fcsanip8SOqj8DK80UguDZZki8tcHjH4tbVPyjJ0TqQwq8cMMb rCkGCfbV1g1+YNRuZb4YbMUeSXDqwf7G2FaI/DaxWKPYPik9yUnRt0WXAUXAX9wK NQ4V+PTlihkT+r4WqjVH1E8EpWSoS0oCWOE+1NwsW1idpo7UHNZPoR5BVrzp5jJ/ iW/hO28djHFebzQ1DZmiDCWvMKAHdUVN9gAFB0uyOoYgdWn1TMbuk83glGhYqHHV mCP62GuFJrZov4MO4EpiwlJi5pN1uRS69ZOFkHrM9db/3xnBO9zE48d9ePPLu+VM ng5N1Nwh1VXeR5mwk/OBSvHHN3vI76NU2fcfgLOQy5Z0YD9kk6jyydcKhmZP+BBN zXiJrsOhxUOpe2/TLgYCL+RNqzGMpuAtftcdi817TwopEXkheE4= =P2SQ -----END PGP SIGNATURE----- Merge tag 'v7.0-p2' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6 Pull crypto fixes from Herbert Xu: - Fix use-after-free in ccp - Fix bug when SEV is disabled in ccp - Fix tfm_count leak in atmel-sha204a * tag 'v7.0-p2' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6: crypto: atmel-sha204a - Fix OOM ->tfm_count leak crypto: ccp - Fix use-after-free on error path crypto: ccp - allow callers to use HV-Fixed page API when SEV is disabled
2026-03-08 01:04:41 +01:00 · 2026-03-06 08:44:20 -08:00 · 2026-03-06 08:44:20 -08:00 · 617f5e9fad
commit 617f5e9fad
parent 723b5c93aa d240b079a3
3 changed files with 8 additions and 9 deletions
--- a/drivers/crypto/atmel-sha204a.c
+++ b/drivers/crypto/atmel-sha204a.c
@ -52,9 +52,10 @@ static int atmel_sha204a_rng_read_nonblocking(struct hwrng *rng, void *data,
 		rng->priv = 0;
 	} else {
 		work_data = kmalloc_obj(*work_data, GFP_ATOMIC);
-		if (!work_data)
+		if (!work_data) {
+			atomic_dec(&i2c_priv->tfm_count);
 			return -ENOMEM;
-
+		}
 		work_data->ctx = i2c_priv;
 		work_data->client = i2c_priv->client;

--- a/drivers/crypto/ccp/sev-dev-tsm.c
+++ b/drivers/crypto/ccp/sev-dev-tsm.c
@ -378,9 +378,9 @@ void sev_tsm_init_locked(struct sev_device *sev, void *tio_status_page)
 	return;

 error_exit:
-	kfree(t);
 	pr_err("Failed to enable SEV-TIO: ret=%d en=%d initdone=%d SEV=%d\n",
 	       ret, t->tio_en, t->tio_init_done, boot_cpu_has(X86_FEATURE_SEV));
+	kfree(t);
 }

 void sev_tsm_uninit(struct sev_device *sev)
--- a/drivers/crypto/ccp/sev-dev.c
+++ b/drivers/crypto/ccp/sev-dev.c
@ -1105,15 +1105,12 @@ struct page *snp_alloc_hv_fixed_pages(unsigned int num_2mb_pages)
 {
 	struct psp_device *psp_master = psp_get_master_device();
 	struct snp_hv_fixed_pages_entry *entry;
-	struct sev_device *sev;
 	unsigned int order;
 	struct page *page;

-	if (!psp_master || !psp_master->sev_data)
+	if (!psp_master)
 		return NULL;

-	sev = psp_master->sev_data;
-
 	order = get_order(PMD_SIZE * num_2mb_pages);

 	/*
@ -1126,7 +1123,8 @@ struct page *snp_alloc_hv_fixed_pages(unsigned int num_2mb_pages)
 	 * This API uses SNP_INIT_EX to transition allocated pages to HV_Fixed
 	 * page state, fail if SNP is already initialized.
 	 */
-	if (sev->snp_initialized)
+	if (psp_master->sev_data &&
+	    ((struct sev_device *)psp_master->sev_data)->snp_initialized)
 		return NULL;

 	/* Re-use freed pages that match the request */
@ -1162,7 +1160,7 @@ void snp_free_hv_fixed_pages(struct page *page)
 	struct psp_device *psp_master = psp_get_master_device();
 	struct snp_hv_fixed_pages_entry *entry, *nentry;

-	if (!psp_master || !psp_master->sev_data)
+	if (!psp_master)
 		return;

 	/*