crypto: algif_skcipher - Fix race condition in skcipher_check_key

We need to lock the child socket in skcipher_check_key as otherwise
two simultaneous calls can cause the parent socket to be freed.

Cc: stable@vger.kernel.org
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>

1 files changed, 6 insertions, 3 deletions

diff --git a/crypto/algif_skcipher.c b/crypto/algif_skcipher.c
index 1f99d2d47715..dfff8b0b56df 100644
--- a/crypto/algif_skcipher.c
+++ b/crypto/algif_skcipher.c
@@ -755,22 +755,23 @@ static struct proto_ops algif_skcipher_ops = {
 
 static int skcipher_check_key(struct socket *sock)
 {
-        int err;
+        int err = 0;
         struct sock *psk;
         struct alg_sock *pask;
         struct skcipher_tfm *tfm;
         struct sock *sk = sock->sk;
         struct alg_sock *ask = alg_sk(sk);
 
+        lock_sock(sk);
         if (ask->refcnt)
-                return 0;
+                goto unlock_child;
 
         psk = ask->parent;
         pask = alg_sk(ask->parent);
         tfm = pask->private;
 
         err = -ENOKEY;
-        lock_sock(psk);
+        lock_sock_nested(psk, SINGLE_DEPTH_NESTING);
         if (!tfm->has_key)
                 goto unlock;
 
@@ -784,6 +785,8 @@ static int skcipher_check_key(struct socket *sock)
 
 unlock:
         release_sock(psk);
+unlock_child:
+        release_sock(sk);
 
         return err;
 }