Re: [PATCH] Crypto : Fix Null deref in scatterwalk_pagedone

[Eric Biggers]

On Sat, Feb 21, 2026 at 08:40:41PM +0530, Manas wrote:
> `sg_next` can return NULL which causes NULL deref in
> `scatterwalk_start`
> 
> Reported-by: Manas Ghandat <ghandatmanas@xxxxxxxxx>
> Reported-by: Rakshit Awasthi <rakshitawasthi17@xxxxxxxxx>
> Signed-off-by: Manas Ghandat <ghandatmanas@xxxxxxxxx>
> Signed-off-by: Rakshit Awasthi <rakshitawasthi17@xxxxxxxxx>
> ---
>  include/crypto/scatterwalk.h | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/include/crypto/scatterwalk.h b/include/crypto/scatterwalk.h
> index 32fc4473175b..abbb67391710 100644
> --- a/include/crypto/scatterwalk.h
> +++ b/include/crypto/scatterwalk.h
> @@ -78,7 +78,8 @@ static inline void scatterwalk_pagedone(struct scatter_walk *walk, int out,
>  		page = sg_page(walk->sg) + ((walk->offset - 1) >> PAGE_SHIFT);
>  		flush_dcache_page(page);
>  	}
> -
> +	if (sg_next(walk->sg) == NULL)
> +		return;
>  	if (more && walk->offset >= walk->sg->offset + walk->sg->length)
>  		scatterwalk_start(walk, sg_next(walk->sg));

First, this patch doesn't apply to the mainline kernel.  This seems to
be a patch against an older version.

Second, 'sg_next(walk->sg)' returning NULL during the line
'scatterwalk_start(walk, sg_next(walk->sg));' means that the end of the
scatterlist has been reached, despite more data needing to be processed.
For example, this could happen if some in-kernel user asked to encrypt
200 bytes from a scatterlist containing only 100 bytes.  But that would
be a bug in the code that requested the invalid encryption operation in
the first place, not here.  It would need to be fixed there.

What is the full call stack of the crash?  That would point to what
actually needs to be fixed.

- Eric