Gh0st
/
linux
mirror of https://github.com/torvalds/linux.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

This push fixes a NULL pointer dereference in ccp and a couple of 

bugs in the af_alg interface.
 -----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCgAdFiEEn51F/lCuNhUwmDeSxycdCkmxi6cFAmjL0EIACgkQxycdCkmx
 i6ddxQ/+MaVwfK6Bkr0j4irBbTYXmV7jJCFxB13QaQhqW3QHMU/F670+epT7jI47
 97sz53E967ORuvAK1K6mcHKhuk3cJ+D/8VRKc/S/vwLy51sB+6qWg0QTKdam7aYD
 KrtQKwSM8KHEFmCXl3qdAcbZ80PeqMo1y2vfO4bXr7ng9FETguxQgK2HAdkrnkc+
 ksT4r+r2DTIJK8Yvs9MjklMG+vpkvxCVnYZcRu2Q6+GBqsXiLPb0LH4dlv9EO7iR
 JdwfxBOggauYE4WGv1XC8GYCp75el5w/VogVLl9NaXB5JVS9sOysvaV0CKtrVGW7
 mb0Vb1f8DXXSXIHY0BDC8PImTWX/t87ArsZfCjgUXmPIaWW86nQQSdT7Z4Mabb9E
 DK6X/BVvvEOeJYlPDAx8lUOjKN/4DLHbjkf4NHF9eu7PwvVXWj2N8Rq5j32UVU8g
 rCt0uB2FvSPH3NpvCAwnHEsnQQFzWdixYUpD/VUYl3mHSrHptQ7wgSpX97XG6/r0
 1jzBae7XF0sO9NrIKy9z8ZGyO1qU+WzAZvHHBvSu52S98mHu6K/SkWOxCE77kOqs
 QaoWBobW7Bbk1Fg/e6OZscvCdtS4LuDMdvCV1pqXW041hKb8rmPHI5wxRlT6jr7m
 Vhf9AAnwBtG2D1etwzvZg6Uu/VQBrbgK18J1qM/j+yBetPe3VM4=
 =47U8
 -----END PGP SIGNATURE-----

Merge tag 'v6.17-p3' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6

Pull crypto fixes from Herbert Xu:
 "This fixes a NULL pointer dereference in ccp and a couple of bugs in
  the af_alg interface"

* tag 'v6.17-p3' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6:
  crypto: af_alg - Disallow concurrent writes in af_alg_sendmsg
  crypto: af_alg - Set merge to zero early in af_alg_sendmsg
  crypto: ccp - Always pass in an error pointer to __sev_platform_shutdown_locked()
This commit is contained in:
Linus Torvalds 2025-09-19 09:58:21 -07:00
parent e8442d5b7b 1b34cbbf4f
commit dcf7d9e0ae
3 changed files with 16 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
crypto/af_alg.c
View File

@ -970,6 +970,12 @@ int af_alg_sendmsg(struct socket *sock, struct msghdr *msg, size_t size,
} }
lock_sock(sk); lock_sock(sk);
if (ctx->write) {
release_sock(sk);
return -EBUSY;
}
ctx->write = true;
if (ctx->init && !ctx->more) { if (ctx->init && !ctx->more) {
if (ctx->used) { if (ctx->used) {
err = -EINVAL; err = -EINVAL;
@ -1019,6 +1025,8 @@ int af_alg_sendmsg(struct socket *sock, struct msghdr *msg, size_t size,
continue; continue;
} }
ctx->merge = 0;
if (!af_alg_writable(sk)) { if (!af_alg_writable(sk)) {
err = af_alg_wait_for_wmem(sk, msg->msg_flags); err = af_alg_wait_for_wmem(sk, msg->msg_flags);
if (err) if (err)
@ -1058,7 +1066,6 @@ int af_alg_sendmsg(struct socket *sock, struct msghdr *msg, size_t size,
ctx->used += plen; ctx->used += plen;
copied += plen; copied += plen;
size -= plen; size -= plen;
ctx->merge = 0;
} else { } else {
do { do {
struct page *pg; struct page *pg;
@ -1104,6 +1111,7 @@ int af_alg_sendmsg(struct socket *sock, struct msghdr *msg, size_t size,
unlock: unlock:
af_alg_data_wakeup(sk); af_alg_data_wakeup(sk);
ctx->write = false;
release_sock(sk); release_sock(sk);
return copied ?: err; return copied ?: err;

2
drivers/crypto/ccp/sev-dev.c
View File

@ -2430,7 +2430,7 @@ static void __sev_firmware_shutdown(struct sev_device *sev, bool panic)
{ {
int error; int error;
__sev_platform_shutdown_locked(NULL); __sev_platform_shutdown_locked(&error);
if (sev_es_tmr) { if (sev_es_tmr) {
/* /*

10
include/crypto/if_alg.h
View File

@ -135,6 +135,7 @@ struct af_alg_async_req {
* SG? * SG?
* @enc: Cryptographic operation to be performed when * @enc: Cryptographic operation to be performed when
* recvmsg is invoked. * recvmsg is invoked.
* @write: True if we are in the middle of a write.
* @init: True if metadata has been sent. * @init: True if metadata has been sent.
* @len: Length of memory allocated for this data structure. * @len: Length of memory allocated for this data structure.
* @inflight: Non-zero when AIO requests are in flight. * @inflight: Non-zero when AIO requests are in flight.
@ -151,10 +152,11 @@ struct af_alg_ctx {
size_t used; size_t used;
atomic_t rcvused; atomic_t rcvused;
bool more; u32 more:1,
bool merge; merge:1,
bool enc; enc:1,
bool init; write:1,
init:1;
unsigned int len; unsigned int len;