From: Harsh Jain <harsh@chelsio.com>
Date: Wed, 1 Feb 2017 15:40:28 +0000 (+0530)
Subject: crypto: algif_aead - Fix kernel panic on list_del
X-Git-Tag: v4.9.10~55
X-Git-Url: http://git.hungrycats.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=066a7166c5412ea4c04b1946faf2aa7cda48ee60;p=linux

crypto: algif_aead - Fix kernel panic on list_del

commit 0b529f143e8baad441a5aac9ad55ec2434d8fb46 upstream.

Kernel panics when userspace program try to access AEAD interface.
Remove node from Linked List before freeing its memory.

Signed-off-by: Harsh Jain <harsh@chelsio.com>
Reviewed-by: Stephan Müller <smueller@chronox.de>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---

diff --git a/crypto/algif_aead.c b/crypto/algif_aead.c
index e9c0993b131d..e8817e2f0597 100644
--- a/crypto/algif_aead.c
+++ b/crypto/algif_aead.c
@@ -671,9 +671,9 @@ static int aead_recvmsg_sync(struct socket *sock, struct msghdr *msg, int flags)
 unlock:
 	list_for_each_entry_safe(rsgl, tmp, &ctx->list, list) {
 		af_alg_free_sg(&rsgl->sgl);
+		list_del(&rsgl->list);
 		if (rsgl != &ctx->first_rsgl)
 			sock_kfree_s(sk, rsgl, sizeof(*rsgl));
-		list_del(&rsgl->list);
 	}
 	INIT_LIST_HEAD(&ctx->list);
 	aead_wmem_wakeup(sk);