From 1d5e569a69e3887e07560d9e6fc6e26446ccc6ca Mon Sep 17 00:00:00 2001 From: Richard Yao Date: Thu, 15 Sep 2022 14:46:42 -0400 Subject: [PATCH] Fix use-after-free bugs in icp code These were reported by Coverity as "Read from pointer after free" bugs. Presumably, it did not report it as a use-after-free bug because it does not understand the inline assembly that implements the atomic instruction. Reviewed-by: Brian Behlendorf Signed-off-by: Richard Yao Closes #13881 --- module/icp/core/kcf_mech_tabs.c | 2 +- module/icp/core/kcf_prov_tabs.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/module/icp/core/kcf_mech_tabs.c b/module/icp/core/kcf_mech_tabs.c index 2642b317d..00a76217f 100644 --- a/module/icp/core/kcf_mech_tabs.c +++ b/module/icp/core/kcf_mech_tabs.c @@ -720,8 +720,8 @@ kcf_remove_mech_provider(char *mech_name, kcf_provider_desc_t *prov_desc) } /* free entry */ - KCF_PROV_REFRELE(prov_mech->pm_prov_desc); KCF_PROV_IREFRELE(prov_mech->pm_prov_desc); + KCF_PROV_REFRELE(prov_mech->pm_prov_desc); kmem_free(prov_mech, sizeof (kcf_prov_mech_desc_t)); } diff --git a/module/icp/core/kcf_prov_tabs.c b/module/icp/core/kcf_prov_tabs.c index 9d303d022..3b0bf12e7 100644 --- a/module/icp/core/kcf_prov_tabs.c +++ b/module/icp/core/kcf_prov_tabs.c @@ -171,8 +171,8 @@ kcf_prov_tab_rem_provider(crypto_provider_id_t prov_id) * at that time. */ - KCF_PROV_REFRELE(prov_desc); KCF_PROV_IREFRELE(prov_desc); + KCF_PROV_REFRELE(prov_desc); return (CRYPTO_SUCCESS); }