crypto: algif_skcipher - Do not dereference ctx without socket lock

commit 6454c2b83f719057069777132b13949e4c6b6350 upstream.

Any access to non-constant bits of the private context must be
done under the socket lock, in particular, this includes ctx->req.

This patch moves such accesses under the lock, and fetches the
tfm from the parent socket which is guaranteed to be constant,
rather than from ctx->req.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
[bwh: Backported to 3.2:
 - Drop changes to skcipher_recvmsg_async
 - s/skcipher/ablkcipher/ in many places
 - s/skc->skcipher/skc->base/]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

diff --git a/crypto/algif_skcipher.c b/crypto/algif_skcipher.c
index 45fa6bd..da5d4ed 100644 (file)
--- a/crypto/algif_skcipher.c
+++ b/crypto/algif_skcipher.c
@@ -249,8 +249,11 @@ static int skcipher_sendmsg(struct kiocb *unused, struct socket *sock,
 {
        struct sock *sk = sock->sk;
        struct alg_sock *ask = alg_sk(sk);
+       struct sock *psk = ask->parent;
+       struct alg_sock *pask = alg_sk(psk);
        struct skcipher_ctx *ctx = ask->private;
-       struct crypto_ablkcipher *tfm = crypto_ablkcipher_reqtfm(&ctx->req);
+       struct ablkcipher_tfm *skc = pask->private;
+       struct crypto_ablkcipher *tfm = skc->base;
        unsigned ivsize = crypto_ablkcipher_ivsize(tfm);
        struct skcipher_sg_list *sgl;
        struct af_alg_control con = {};