On Mon, Jul 13, 2020 at 05:48:57PM +0100, Elena Petrova wrote: > +static int rng_sendmsg(struct socket *sock, struct msghdr *msg, size_t len) > +{ > + int err; > + struct alg_sock *ask = alg_sk(sock->sk); > + struct rng_ctx *ctx = ask->private; > + > + reset_addtl(ctx); > + ctx->addtl = kzalloc(len, GFP_KERNEL); > + if (!ctx->addtl) > + return -ENOMEM; > + > + err = memcpy_from_msg(ctx->addtl, msg, len); > + if (err) { > + reset_addtl(ctx); > + return err; > + } > + ctx->addtl_len = len; > + > + return 0; > +} This is also missing any sort of locking, both between concurrent calls to rng_sendmsg(), and between rng_sendmsg() and rng_recvmsg(). lock_sock() would solve the former. I'm not sure what should be done about rng_recvmsg(). It apparently relies on the crypto_rng doing its own locking, but maybe it should just use lock_sock() too. - Eric
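Review bot: the body of rng_sendmsg() frees and reallocates ctx->addtl with no lock held, so two concurrent senders on the same socket can both run reset_addtl(ctx) and both assign ctx->addtl, leaking one buffer or freeing the same one twice, and a concurrent rng_recvmsg() can observe ctx->addtl while it is being freed; wrap the whole body in lock_sock(sock->sk) / release_sock(sock->sk) (the same pattern the other algif_* sendmsg handlers use) and take the same lock around the reader's use of ctx->addtl and ctx->addtl_len. Separately, kzalloc(len, GFP_KERNEL) takes the user-supplied message length with no upper bound; reject or clamp len before allocating so a large sendmsg() cannot drive arbitrary-size kernel allocations, and note that a zero-length message leaves ctx->addtl set to a non-NULL zero-size allocation with addtl_len == 0, which the reader should treat as "no additional data".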