From e8211373bd8d81c3bcedd8d1037fb8f876071af5 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Thu, 30 Jan 2020 15:44:49 +0100
Subject: [PATCH] 4.9-stable patches

added patches:
	crypto-af_alg-use-bh_lock_sock-in-sk_destruct.patch
---
 ..._alg-use-bh_lock_sock-in-sk_destruct.patch | 43 +++++++++++++++++++
 queue-4.9/series                              |  1 +
 2 files changed, 44 insertions(+)
 create mode 100644 queue-4.9/crypto-af_alg-use-bh_lock_sock-in-sk_destruct.patch

diff --git a/queue-4.9/crypto-af_alg-use-bh_lock_sock-in-sk_destruct.patch b/queue-4.9/crypto-af_alg-use-bh_lock_sock-in-sk_destruct.patch
new file mode 100644
index 00000000000..16deba8e01c
--- /dev/null
+++ b/queue-4.9/crypto-af_alg-use-bh_lock_sock-in-sk_destruct.patch
@@ -0,0 +1,43 @@
+From 37f96694cf73ba116993a9d2d99ad6a75fa7fdb0 Mon Sep 17 00:00:00 2001
+From: Herbert Xu <herbert@gondor.apana.org.au>
+Date: Thu, 5 Dec 2019 13:45:05 +0800
+Subject: crypto: af_alg - Use bh_lock_sock in sk_destruct
+
+From: Herbert Xu <herbert@gondor.apana.org.au>
+
+commit 37f96694cf73ba116993a9d2d99ad6a75fa7fdb0 upstream.
+
+As af_alg_release_parent may be called from BH context (most notably
+due to an async request that only completes after socket closure,
+or as reported here because of an RCU-delayed sk_destruct call), we
+must use bh_lock_sock instead of lock_sock.
+
+Reported-by: syzbot+c2f1558d49e25cc36e5e@syzkaller.appspotmail.com
+Reported-by: Eric Dumazet <eric.dumazet@gmail.com>
+Fixes: c840ac6af3f8 ("crypto: af_alg - Disallow bind/setkey/...")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ crypto/af_alg.c |    6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/crypto/af_alg.c
++++ b/crypto/af_alg.c
+@@ -136,11 +136,13 @@ void af_alg_release_parent(struct sock *
+ 	sk = ask->parent;
+ 	ask = alg_sk(sk);
+ 
+-	lock_sock(sk);
++	local_bh_disable();
++	bh_lock_sock(sk);
+ 	ask->nokey_refcnt -= nokey;
+ 	if (!last)
+ 		last = !--ask->refcnt;
+-	release_sock(sk);
++	bh_unlock_sock(sk);
++	local_bh_enable();
+ 
+ 	if (last)
+ 		sock_put(sk);
diff --git a/queue-4.9/series b/queue-4.9/series
index a943cff3289..cb9f6b28fb7 100644
--- a/queue-4.9/series
+++ b/queue-4.9/series
@@ -22,3 +22,4 @@ gpio-max77620-add-missing-dependency-on-gpiolib_irqc.patch
 atm-eni-fix-uninitialized-variable-warning.patch
 usb-storage-disable-uas-on-jmicron-sata-enclosure.patch
 net_sched-ematch-reject-invalid-tcf_em_simple.patch
+crypto-af_alg-use-bh_lock_sock-in-sk_destruct.patch
-- 
2.47.3