From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail.linuxfoundation.org ([140.211.169.12]:34472 "EHLO mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751560AbcBNVak (ORCPT ); Sun, 14 Feb 2016 16:30:40 -0500 Subject: Patch "crypto: af_alg - Fix socket double-free when accept fails" has been added to the 4.3-stable tree To: herbert@gondor.apana.org.au, dvyukov@google.com, gregkh@linuxfoundation.org Cc: , From: Date: Sun, 14 Feb 2016 13:30:40 -0800 Message-ID: <14554854400166@kroah.com> MIME-Version: 1.0 Content-Type: text/plain; charset=ANSI_X3.4-1968 Content-Transfer-Encoding: 8bit Sender: stable-owner@vger.kernel.org List-ID: This is a note to let you know that I've just added the patch titled crypto: af_alg - Fix socket double-free when accept fails to the 4.3-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary The filename of the patch is: crypto-af_alg-fix-socket-double-free-when-accept-fails.patch and it can be found in the queue-4.3 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let know about it. >>From a383292c86663bbc31ac62cc0c04fc77504636a6 Mon Sep 17 00:00:00 2001 From: Herbert Xu Date: Wed, 30 Dec 2015 20:24:17 +0800 Subject: crypto: af_alg - Fix socket double-free when accept fails From: Herbert Xu commit a383292c86663bbc31ac62cc0c04fc77504636a6 upstream. When we fail an accept(2) call we will end up freeing the socket twice, once due to the direct sk_free call and once again through newsock. This patch fixes this by removing the sk_free call. Reported-by: Dmitry Vyukov Signed-off-by: Herbert Xu Signed-off-by: Greg Kroah-Hartman --- crypto/af_alg.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) --- a/crypto/af_alg.c +++ b/crypto/af_alg.c @@ -285,10 +285,8 @@ int af_alg_accept(struct sock *sk, struc security_sk_clone(sk, sk2); err = type->accept(ask->private, sk2); - if (err) { - sk_free(sk2); + if (err) goto unlock; - } sk2->sk_family = PF_ALG; Patches currently in stable-queue which might be from herbert@gondor.apana.org.au are queue-4.3/crypto-fix-test-vector-for-rsa.patch queue-4.3/crypto-algif_skcipher-use-new-skcipher-interface.patch queue-4.3/crypto-af_alg-disallow-bind-setkey-...-after-accept-2.patch queue-4.3/crypto-crc32c-pclmul-use-.rodata-instead-of-.rotata.patch queue-4.3/crypto-caam-fix-non-block-aligned-hash-calculation.patch queue-4.3/crypto-nx-fix-timing-leak-in-gcm-and-ccm-decryption.patch queue-4.3/crypto-skcipher-copy-iv-from-desc-even-for-0-len-walks.patch queue-4.3/crypto-skcipher-add-crypto_skcipher_has_setkey.patch queue-4.3/crypto-algif_skcipher-add-key-check-exception-for-cipher_null.patch queue-4.3/crypto-algif_skcipher-require-setkey-before-accept-2.patch queue-4.3/crypto-algif_skcipher-add-nokey-compatibility-path.patch queue-4.3/crypto-hash-add-crypto_ahash_has_setkey.patch queue-4.3/crypto-af_alg-add-nokey-compatibility-path.patch queue-4.3/crypto-sun4i-ss-add-missing-statesize.patch queue-4.3/crypto-algif_hash-require-setkey-before-accept-2.patch queue-4.3/crypto-qat-don-t-use-userspace-pointer.patch queue-4.3/crypto-talitos-fix-timing-leak-in-esp-icv-verification.patch queue-4.3/crypto-algif_hash-only-export-and-import-on-sockets-with-data.patch queue-4.3/crypto-af_alg-fix-socket-double-free-when-accept-fails.patch