On Wed, Dec 30, 2015 at 11:58:58AM +0100, Dmitry Vyukov wrote: > > I forgot to diff include/crypto/if_alg.h, but the changes are there > (otherwise all references to refcnt would not compile). Also I moved > ask->refcnt checks to alg_setsockopt to fix the deadlock, I believe > that's the missing chunks you refer to. I can retest if you wish, but > I don't think that my changes can affect the reported use-after-free. > Do you? OK I see the problem now. When accept fails we free the socket twice. ---8<--- Subject: crypto: af_alg - Fix socket double-free when accept fails When we fail an accept(2) call we will end up freeing the socket twice, once due to the direct sk_free call and once again through newsock. This patch fixes this by removing the sk_free call. Cc: stable@xxxxxxxxxxxxxxx Reported-by: Dmitry Vyukov <dvyukov@xxxxxxxxxx> Signed-off-by: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx> diff --git a/crypto/af_alg.c b/crypto/af_alg.c index 7b5b592..eaf98e2 100644 --- a/crypto/af_alg.c +++ b/crypto/af_alg.c @@ -285,10 +285,8 @@ int af_alg_accept(struct sock *sk, struct socket *newsock) security_sk_clone(sk, sk2); err = type->accept(ask->private, sk2); - if (err) { - sk_free(sk2); + if (err) goto unlock; - } sk2->sk_family = PF_ALG; -- Email: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx> Home Page: http://gondor.apana.org.au/~herbert/ PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt -- To unsubscribe from this list: send the line "unsubscribe linux-crypto" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html