[PATCH 3.2 50/67] crypto: algif_skcipher - Do not dereference ctx without socket lock

[Ben Hutchings]

3.2.78-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>

commit 6454c2b83f719057069777132b13949e4c6b6350 upstream.

Any access to non-constant bits of the private context must be
done under the socket lock, in particular, this includes ctx->req.

This patch moves such accesses under the lock, and fetches the
tfm from the parent socket which is guaranteed to be constant,
rather than from ctx->req.

Signed-off-by: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>
[bwh: Backported to 3.2:
 - Drop changes to skcipher_recvmsg_async
 - s/skcipher/ablkcipher/ in many places
 - s/skc->skcipher/skc->base/]
Signed-off-by: Ben Hutchings <ben@xxxxxxxxxxxxxxx>
---
 crypto/algif_skcipher.c | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)

--- a/crypto/algif_skcipher.c
+++ b/crypto/algif_skcipher.c
@@ -249,8 +249,11 @@ static int skcipher_sendmsg(struct kiocb
 {
 	struct sock *sk = sock->sk;
 	struct alg_sock *ask = alg_sk(sk);
+	struct sock *psk = ask->parent;
+	struct alg_sock *pask = alg_sk(psk);
 	struct skcipher_ctx *ctx = ask->private;
-	struct crypto_ablkcipher *tfm = crypto_ablkcipher_reqtfm(&ctx->req);
+	struct ablkcipher_tfm *skc = pask->private;
+	struct crypto_ablkcipher *tfm = skc->base;
 	unsigned ivsize = crypto_ablkcipher_ivsize(tfm);
 	struct skcipher_sg_list *sgl;
 	struct af_alg_control con = {};