This is a note to let you know that I've just added the patch titled crypto: af_alg - Forbid bind(2) when nokey child sockets are present to the 4.3-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary The filename of the patch is: crypto-af_alg-forbid-bind-2-when-nokey-child-sockets-are-present.patch and it can be found in the queue-4.3 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable@xxxxxxxxxxxxxxx> know about it. >From a6a48c565f6f112c6983e2a02b1602189ed6e26e Mon Sep 17 00:00:00 2001 From: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx> Date: Wed, 13 Jan 2016 15:03:32 +0800 Subject: crypto: af_alg - Forbid bind(2) when nokey child sockets are present From: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx> commit a6a48c565f6f112c6983e2a02b1602189ed6e26e upstream. This patch forbids the calling of bind(2) when there are child sockets created by accept(2) in existence, even if they are created on the nokey path. This is needed as those child sockets have references to the tfm object which bind(2) will destroy. Signed-off-by: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> --- crypto/af_alg.c | 16 +++++++--------- 1 file changed, 7 insertions(+), 9 deletions(-) --- a/crypto/af_alg.c +++ b/crypto/af_alg.c @@ -130,19 +130,16 @@ EXPORT_SYMBOL_GPL(af_alg_release); void af_alg_release_parent(struct sock *sk) { struct alg_sock *ask = alg_sk(sk); - bool last; + unsigned int nokey = ask->nokey_refcnt; + bool last = nokey && !ask->refcnt; sk = ask->parent; - - if (ask->nokey_refcnt && !ask->refcnt) { - sock_put(sk); - return; - } - ask = alg_sk(sk); lock_sock(sk); - last = !--ask->refcnt; + ask->nokey_refcnt -= nokey; + if (!last) + last = !--ask->refcnt; release_sock(sk); if (last) @@ -188,7 +185,7 @@ static int alg_bind(struct socket *sock, err = -EBUSY; lock_sock(sk); - if (ask->refcnt) + if (ask->refcnt | ask->nokey_refcnt) goto unlock; swap(ask->type, type); @@ -306,6 +303,7 @@ int af_alg_accept(struct sock *sk, struc if (nokey || !ask->refcnt++) sock_hold(sk); + ask->nokey_refcnt += nokey; alg_sk(sk2)->parent = sk; alg_sk(sk2)->type = type; alg_sk(sk2)->nokey_refcnt = nokey; Patches currently in stable-queue which might be from herbert@xxxxxxxxxxxxxxxxxxx are queue-4.3/crypto-fix-test-vector-for-rsa.patch queue-4.3/crypto-algif_skcipher-use-new-skcipher-interface.patch queue-4.3/crypto-af_alg-disallow-bind-setkey-...-after-accept-2.patch queue-4.3/crypto-crc32c-fix-crc32c-soft-dependency.patch queue-4.3/crypto-af_alg-forbid-bind-2-when-nokey-child-sockets-are-present.patch queue-4.3/crypto-crc32c-pclmul-use-.rodata-instead-of-.rotata.patch queue-4.3/crypto-caam-fix-non-block-aligned-hash-calculation.patch queue-4.3/crypto-nx-fix-timing-leak-in-gcm-and-ccm-decryption.patch queue-4.3/crypto-skcipher-copy-iv-from-desc-even-for-0-len-walks.patch queue-4.3/crypto-algif_hash-fix-race-condition-in-hash_check_key.patch queue-4.3/crypto-skcipher-add-crypto_skcipher_has_setkey.patch queue-4.3/crypto-chacha20-ssse3-align-stack-pointer-to-64-bytes.patch queue-4.3/crypto-algif_skcipher-add-key-check-exception-for-cipher_null.patch queue-4.3/crypto-algif_hash-remove-custom-release-parent-function.patch queue-4.3/crypto-algif_skcipher-load-tx-sg-list-after-waiting.patch queue-4.3/crypto-algif_skcipher-require-setkey-before-accept-2.patch queue-4.3/crypto-algif_skcipher-add-nokey-compatibility-path.patch queue-4.3/crypto-shash-fix-has_key-setting.patch queue-4.3/crypto-algif_skcipher-remove-custom-release-parent-function.patch queue-4.3/crypto-af_alg-allow-af_af_alg_release_parent-to-be-called-on-nokey-path.patch queue-4.3/crypto-hash-add-crypto_ahash_has_setkey.patch queue-4.3/crypto-af_alg-add-nokey-compatibility-path.patch queue-4.3/crypto-sun4i-ss-add-missing-statesize.patch queue-4.3/crypto-algif_hash-require-setkey-before-accept-2.patch queue-4.3/crypto-algif_skcipher-sendmsg-sg-marking-is-off-by-one.patch queue-4.3/crypto-qat-don-t-use-userspace-pointer.patch queue-4.3/crypto-talitos-fix-timing-leak-in-esp-icv-verification.patch queue-4.3/crypto-algif_hash-only-export-and-import-on-sockets-with-data.patch queue-4.3/crypto-algif_skcipher-fix-race-condition-in-skcipher_check_key.patch queue-4.3/crypto-caam-make-write-transactions-bufferable-on-ppc-platforms.patch queue-4.3/crypto-af_alg-fix-socket-double-free-when-accept-fails.patch -- To unsubscribe from this list: send the line "unsubscribe stable" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html