summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorRabin Vincent <rabin.vincent@axis.com>2014-12-19 13:36:08 +0100
committerJiri Slaby <jslaby@suse.cz>2015-01-07 17:55:16 +0100
commit4f62b27e2776ea102579e9d2fbcc9660b89caa53 (patch)
tree047ebc157a19413ff571ac7ba0d3d0ba8184e9ba
parent5055918c73271c6c52aadeae2adf1920a13e1e36 (diff)
downloadlwn-4f62b27e2776ea102579e9d2fbcc9660b89caa53.tar.gz
lwn-4f62b27e2776ea102579e9d2fbcc9660b89caa53.zip
crypto: af_alg - fix backlog handling
commit 7e77bdebff5cb1e9876c561f69710b9ab8fa1f7e upstream. If a request is backlogged, it's complete() handler will get called twice: once with -EINPROGRESS, and once with the final error code. af_alg's complete handler, unlike other users, does not handle the -EINPROGRESS but instead always completes the completion that recvmsg() is waiting on. This can lead to a return to user space while the request is still pending in the driver. If userspace closes the sockets before the requests are handled by the driver, this will lead to use-after-frees (and potential crashes) in the kernel due to the tfm having been freed. The crashes can be easily reproduced (for example) by reducing the max queue length in cryptod.c and running the following (from http://www.chronox.de/libkcapi.html) on AES-NI capable hardware: $ while true; do kcapi -x 1 -e -c '__ecb-aes-aesni' \ -k 00000000000000000000000000000000 \ -p 00000000000000000000000000000000 >/dev/null & done Signed-off-by: Rabin Vincent <rabin.vincent@axis.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: Jiri Slaby <jslaby@suse.cz>
-rw-r--r--crypto/af_alg.c3
1 files changed, 3 insertions, 0 deletions
diff --git a/crypto/af_alg.c b/crypto/af_alg.c
index bf948e134981..6ef6e2ad344e 100644
--- a/crypto/af_alg.c
+++ b/crypto/af_alg.c
@@ -449,6 +449,9 @@ void af_alg_complete(struct crypto_async_request *req, int err)
{
struct af_alg_completion *completion = req->data;
+ if (err == -EINPROGRESS)
+ return;
+
completion->err = err;
complete(&completion->completion);
}