pstore: Set tfm to NULL on free_buf_for_compression
author Pi-Hsun Shih <pihsun@chromium.org>
Mon, 20 May 2019 06:51:19 +0000 (14:51 +0800)
committer Kees Cook <keescook@chromium.org>
Fri, 31 May 2019 07:32:06 +0000 (00:32 -0700)
Set tfm to NULL on free_buf_for_compression() after crypto_free_comp().

This avoids a use-after-free when allocate_buf_for_compression()
and free_buf_for_compression() are called twice. Although
free_buf_for_compression() freed the tfm, allocate_buf_for_compression()
won't reinitialize the tfm since the tfm pointer is not NULL.

Fixes: 95047b0519c1 ("pstore: Refactor compression initialization")
Signed-off-by: Pi-Hsun Shih <pihsun@chromium.org>
Cc: stable@vger.kernel.org
Signed-off-by: Kees Cook <keescook@chromium.org>
fs/pstore/platform.c

index 75887a269b6420307a42beecf99ed8d8a55b9d34..8355a46638d02909b36998644ae925ccc49a64e3 100644 (file)
@@ -347,8 +347,10 @@ static void allocate_buf_for_compression(void)
 
 static void free_buf_for_compression(void)
 {
-       if (IS_ENABLED(CONFIG_PSTORE_COMPRESS) && tfm)
+       if (IS_ENABLED(CONFIG_PSTORE_COMPRESS) && tfm) {
                crypto_free_comp(tfm);
+               tfm = NULL;
+       }
        kfree(big_oops_buf);
        big_oops_buf = NULL;
        big_oops_buf_sz = 0;
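
Review bot: The reason for the new `tfm = NULL;` in free_buf_for_compression() lives only in the commit message, so a one-line comment above it would help: per the message, allocate_buf_for_compression() skips reinitialization when tfm is non-NULL, which is what turns a stale pointer into a use-after-free on the second allocate/free cycle. The reset now matches the existing `big_oops_buf = NULL;` pattern just below, which is the right shape. It would also be worth naming in the commit message the call path on which the allocate/free pair runs twice, since the fix is tagged for stable and backporters will want to confirm their tree has that path.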