Received: by 2002:a6b:500f:0:0:0:0:0 with SMTP id e15csp983902iob;
        Fri, 13 May 2022 18:34:09 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJw5fVtrUClVKEltwmZjqZSpfCCyPGys87xroS9wAxQvq9ONuAOlwgn6Lgn3gj6XM6T+0od5
X-Received: by 2002:a05:600c:4f15:b0:394:8ea0:bb45 with SMTP id l21-20020a05600c4f1500b003948ea0bb45mr6868691wmq.206.1652492049123;
        Fri, 13 May 2022 18:34:09 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1652492049; cv=none;
        d=google.com; s=arc-20160816;
        b=WYnHdLEW1UkrTgk7BcP9z6CrxlDva3k6YNczMbmUjNGH2vLGqhuf/kjEvUH4gD9ZKb
         loMRVU1GYbreCQOrbQCRdxtVAxKoSl/U1pR3hEeGada+8Y5T4PA4eSj7JZ3JnHOyTS0c
         K5tFx2Q2hBIUsMHTysOh38lJaTk+Xw3bA9LrL+lYLr6iPlSGxa6+Zzwe3iHQ6qyNkA3Y
         lmxfnb3u6OLvWjVY58cQOGaTV3U1K7r25vQ2mBlo4/Krdd4gG3WoJrWT845DjBK6FWuZ
         tNo5o3BTOTBvfk+sgFGR8Bp7Zg1IEY0Jh8nyY0P8tXN1JAn0fNONRB85sqF3mZU09foE
         Ya0Q==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-disposition:mime-version:message-id
         :subject:cc:to:from:date;
        bh=hWYUiYvcUpdl38JJK9505XrOrPcBzG6TPfmSPafN/AI=;
        b=I9JEddVojwSEii1l+TKFFJTkRmfL/pmvXi+oyR64X8W0bGHTQ+3naKyZua3VZnI6TD
         fbw4gyi6B26ZVfBB6mFMO4IE82DQ4fYZId1BHwMUi2chX8AjPY6rFveOU/kd6OASIKYt
         pCTBR/3baw+ATqhadBZi7HJMPVPFQs9iDFhIuokQ3vFZDzQJ3zek77LtdgKr90D3iDt0
         5p6Y092Mr+N4W7L+2EQQerZqhTul3nUerReVgCIAltyGqa96V5qFzWhDMRjK6P8NZxFH
         kGCaS/CkekM8h+N8OqTzb1P5u//UN3X5UBM+fxKjCEVHXAcvCvy3zf6HmcXckIeynldP
         aRyQ==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=softfail (google.com: domain of transitioning linux-crypto-owner@vger.kernel.org does not designate 23.128.96.19 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org
Return-Path: <linux-crypto-owner@vger.kernel.org>
Received: from lindbergh.monkeyblade.net (lindbergh.monkeyblade.net. [23.128.96.19])
        by mx.google.com with ESMTPS id u9-20020a5d6da9000000b0020c5da8b93csi4812891wrs.513.2022.05.13.18.34.08
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Fri, 13 May 2022 18:34:09 -0700 (PDT)
Received-SPF: softfail (google.com: domain of transitioning linux-crypto-owner@vger.kernel.org does not designate 23.128.96.19 as permitted sender) client-ip=23.128.96.19;
Authentication-Results: mx.google.com;
       spf=softfail (google.com: domain of transitioning linux-crypto-owner@vger.kernel.org does not designate 23.128.96.19 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org
Received: from vger.kernel.org (vger.kernel.org [23.128.96.18])
	by lindbergh.monkeyblade.net (Postfix) with ESMTP id 6C4823CD721;
	Fri, 13 May 2022 17:01:35 -0700 (PDT)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S231747AbiEMOA0 (ORCPT <rfc822;benevolent.opressor@gmail.com>
        + 99 others); Fri, 13 May 2022 10:00:26 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:48218 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S229893AbiEMOA0 (ORCPT
        <rfc822;linux-crypto@vger.kernel.org>);
        Fri, 13 May 2022 10:00:26 -0400
Received: from metis.ext.pengutronix.de (metis.ext.pengutronix.de [IPv6:2001:67c:670:201:290:27ff:fe1d:cc33])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 2C3DC7C17D
        for <linux-crypto@vger.kernel.org>; Fri, 13 May 2022 07:00:25 -0700 (PDT)
Received: from drehscheibe.grey.stw.pengutronix.de ([2a0a:edc0:0:c01:1d::a2])
        by metis.ext.pengutronix.de with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256)
        (Exim 4.92)
        (envelope-from <ukl@pengutronix.de>)
        id 1npVq3-00017A-H0; Fri, 13 May 2022 16:00:15 +0200
Received: from [2a0a:edc0:0:900:1d::77] (helo=ptz.office.stw.pengutronix.de)
        by drehscheibe.grey.stw.pengutronix.de with esmtp (Exim 4.94.2)
        (envelope-from <ukl@pengutronix.de>)
        id 1npVq2-0025mX-Sd; Fri, 13 May 2022 16:00:13 +0200
Received: from ukl by ptz.office.stw.pengutronix.de with local (Exim 4.94.2)
        (envelope-from <ukl@pengutronix.de>)
        id 1npVq0-009SxX-Tx; Fri, 13 May 2022 16:00:12 +0200
Date:   Fri, 13 May 2022 15:59:54 +0200
From:   Uwe =?utf-8?Q?Kleine-K=C3=B6nig?= <u.kleine-koenig@pengutronix.de>
To:     Tudor Ambarus <tudor.ambarus@microchip.com>
Cc:     Nicolas Ferre <nicolas.ferre@microchip.com>,
        Alexandre Belloni <alexandre.belloni@bootlin.com>,
        Claudiu Beznea <claudiu.beznea@microchip.com>,
        linux-crypto@vger.kernel.org, linux-arm-kernel@lists.infradead.org,
        kernel@pengutronix.de, linux-i2c@vger.kernel.org
Subject: Bug in atmel-ecc driver
Message-ID: <20220513135954.exewihnibnhdckkn@pengutronix.de>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha512;
        protocol="application/pgp-signature"; boundary="lkhd22gveryrhohw"
Content-Disposition: inline
X-SA-Exim-Connect-IP: 2a0a:edc0:0:c01:1d::a2
X-SA-Exim-Mail-From: ukl@pengutronix.de
X-SA-Exim-Scanned: No (on metis.ext.pengutronix.de); SAEximRunCond expanded to false
X-PTX-Original-Recipient: linux-crypto@vger.kernel.org
X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,
	HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,RDNS_NONE,
	SPF_HELO_NONE,T_SCC_BODY_TEXT_LINE autolearn=no autolearn_force=no
	version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
	lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-crypto.vger.kernel.org>
X-Mailing-List: linux-crypto@vger.kernel.org


--lkhd22gveryrhohw
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

Hello,

TL;DR: when a device bound to the drivers/crypto/atmel-ecc.c driver is
unbound while tfm_count isn't zero, this probably results in a
use-after-free.

The .remove function has:

	if (atomic_read(&i2c_priv->tfm_count)) {
                dev_err(&client->dev, "Device is busy\n");
                return -EBUSY;
        }

before actually calling the cleanup stuff. If this branch is hit the
result is likely:

 - "Device is busy" from drivers/crypto/atmel-ecc.c
 - "remove failed (EBUSY), will be ignored" from the i2c core
 - the devm cleanup callbacks are called, including the one kfreeing
   *i2c_priv
 - at a later time atmel_ecc_i2c_client_free() is called which does
   atomic_dec(&i2c_priv->tfm_count);
 - *boom*

I think to fix that you need to call get_device for the i2c device
before increasing tfm_count (and a matching put_device when decreasing
it). Having said that the architecture of this driver looks strange to
me, so there might be nicer fixes (probably with more effort).

I noticed this issue while working on my quest to make i2c-remove
callbacks return void. So if you address this, it would be great if you
did that in a way that makes atmel_ecc_remove always return 0.=20

Best regards
Uwe

--=20
Pengutronix e.K.                           | Uwe Kleine-K=F6nig            |
Industrial Linux Solutions                 | https://www.pengutronix.de/ |

--lkhd22gveryrhohw
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQEzBAABCgAdFiEEfnIqFpAYrP8+dKQLwfwUeK3K7AkFAmJ+ZFYACgkQwfwUeK3K
7AntWQf/RJJ7mHYCwhlSsrFT22F4AN8KM1lvIgIhvVCb3PoBhVcbQAK8Ng8XXCeu
hPLAj6XEjynm7K8WaJRLV09y4mqCViXlPtnfkmgKj2gzvscx3P8/dgcsFGxKMbPB
31z3P68+R8S4Y9by5xfq+QiUCR6lGarPdspzYr59hgM/jws+AOhiZFf4Gy/TbFz3
Nk9cJarDaO9m7F773cvkTJzmBc86XfYV000JitR669vwHOr0Lyh7ThAz8/DtO2Rm
JebIaEpM0uzLILoQmc4DRlim3ySc7kFAknbsp4Fu6wdshv12UQzkU8Tl1GMVd/Vc
pW/A+aFRyD1KmYQQ8HyBisnpq4Vh/A==
=KJ7G
-----END PGP SIGNATURE-----

--lkhd22gveryrhohw--