• Eric Biggers's avatar
    blk-crypto: make blk_crypto_evict_key() more robust · 5c7cb944
    Eric Biggers authored
    If blk_crypto_evict_key() sees that the key is still in-use (due to a
    bug) or that ->keyslot_evict failed, it currently just returns while
    leaving the key linked into the keyslot management structures.
    
    However, blk_crypto_evict_key() is only called in contexts such as inode
    eviction where failure is not an option.  So actually the caller
    proceeds with freeing the blk_crypto_key regardless of the return value
    of blk_crypto_evict_key().
    
    These two assumptions don't match, and the result is that there can be a
    use-after-free in blk_crypto_reprogram_all_keys() after one of these
    errors occurs.  (Note, these errors *shouldn't* happen; we're just
    talking about what happens if they do anyway.)
    
    Fix this by making blk_crypto_evict_key() unlink the key from the
    keyslot management structures even on failure.
    
    Also improve some comments.
    
    Fixes: 1b262839 ("block: Keyslot Manager for Inline Encryption")
    Cc: stable@vger.kernel.org
    Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
    Reviewed-by: default avatarChristoph Hellwig <hch@lst.de>
    Link: https://lore.kernel.org/r/20230315183907.53675-2-ebiggers@kernel.orgSigned-off-by: default avatarJens Axboe <axboe@kernel.dk>
    5c7cb944
blk-crypto.c 12.7 KB