crypto: af_alg - Disallow multiple in-flight AIO requests

[ Upstream commit 67b164a871af1d736f131fd6fe78a610909f06f3 ]

Having multiple in-flight AIO requests results in unpredictable
output because they all share the same IV.  Fix this by only allowing
one request at a time.

Fixes: 83094e5e9e49 ("crypto: af_alg - add async support to algif_aead")
Fixes: a596999b7ddf ("crypto: algif - change algif_skcipher to be asynchronous")
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>

diff --git a/crypto/af_alg.c b/crypto/af_alg.c
index 8bd288d2b089b0348bd957bd3d3e93462a29a3cd..aa93501e27b95369ac669b449455e2c57aac5bef 100644 (file)
--- a/crypto/af_alg.c
+++ b/crypto/af_alg.c
@@ -1045,9 +1045,13 @@ EXPORT_SYMBOL_GPL(af_alg_sendpage);
 void af_alg_free_resources(struct af_alg_async_req *areq)
 {
        struct sock *sk = areq->sk;
+       struct af_alg_ctx *ctx;
 
        af_alg_free_areq_sgls(areq);
        sock_kfree_s(sk, areq, areq->areqlen);
+
+       ctx = alg_sk(sk)->private;
+       ctx->inflight = false;
 }
 EXPORT_SYMBOL_GPL(af_alg_free_resources);
 
@@ -1117,11 +1121,19 @@ EXPORT_SYMBOL_GPL(af_alg_poll);
 struct af_alg_async_req *af_alg_alloc_areq(struct sock *sk,
                                           unsigned int areqlen)
 {
-       struct af_alg_async_req *areq = sock_kmalloc(sk, areqlen, GFP_KERNEL);
+       struct af_alg_ctx *ctx = alg_sk(sk)->private;
+       struct af_alg_async_req *areq;
+
+       /* Only one AIO request can be in flight. */
+       if (ctx->inflight)
+               return ERR_PTR(-EBUSY);
 
+       areq = sock_kmalloc(sk, areqlen, GFP_KERNEL);
        if (unlikely(!areq))
                return ERR_PTR(-ENOMEM);
 
+       ctx->inflight = true;
+
        areq->areqlen = areqlen;
        areq->sk = sk;
        areq->last_rsgl = NULL;

diff --git a/include/crypto/if_alg.h b/include/crypto/if_alg.h
index a5db86670bdfa4e7c2dba1feaa0620824ef4942c..a406e281ae571e403d81701011644bef58f259d4 100644 (file)
--- a/include/crypto/if_alg.h
+++ b/include/crypto/if_alg.h
@@ -138,6 +138,7 @@ struct af_alg_async_req {
  *                     recvmsg is invoked.
  * @init:              True if metadata has been sent.
  * @len:               Length of memory allocated for this data structure.
+ * @inflight:          Non-zero when AIO requests are in flight.
  */
 struct af_alg_ctx {
        struct list_head tsgl_list;
@@ -156,6 +157,8 @@ struct af_alg_ctx {
        bool init;
 
        unsigned int len;
+
+       unsigned int inflight;
 };
 
 int af_alg_register_type(const struct af_alg_type *type);