Re: [PATCH] crypto: af_alg - fix NULL pointer dereference in scatterwalk
From: Herbert Xu
Date: Thu Mar 26 2026 - 05:22:49 EST

Norbert Szetei <norbert@xxxxxxxxxxxx> wrote:
> From: Norbert Szetei <norbert@xxxxxxxxxxxx>
> Date: Wed, 25 Mar 2026 18:26:13 +0100
> Subject: [PATCH] crypto: af-alg - fix NULL pointer dereference in scatterwalk
>
> The AF_ALG interface fails to unmark the end of a Scatter/Gather List (SGL)
> when chaining a new af_alg_tsgl structure. If a sendmsg() fills an SGL
> exactly to MAX_SGL_ENTS, the last entry is marked as the end. A subsequent
> sendmsg() allocates a new SGL and chains it, but fails to clear the end
> marker on the previous SGL's last data entry.
>
> This causes the crypto scatterwalk to hit a premature end, returning NULL
> on sg_next() and leading to a kernel panic during dereference.
>
> Fix this by explicitly unmarking the end of the previous SGL when
> performing sg_chain() in af_alg_alloc_tsgl().
>
> Fixes: 2d97591ef43d ("crypto: af_alg - consolidation of duplicate code")

I think this goes back to the very first commit of algif_skcipher so
I've adjusted the Fixes accordingly.

> Signed-off-by: Norbert Szetei <norbert@xxxxxxxxxxxx>

Patch applied. Thanks.
--
Email: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
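
The failure mode described in the quoted commit message, as an added userspace model that is not part of this thread and is not kernel code: every model_* name and the table size of 4 are assumptions made for illustration, and the chain and end flags are plain struct fields here. It fills one table exactly, chains a second, and counts how many entries a walk reaches with and without clearing the stale end mark.

```c
#include <stdio.h>
#define MODEL_MAX_ENTS 4 /* assumed small stand-in for MAX_SGL_ENTS */

/* Simplified entry and table: flags are plain fields; the extra slot holds the chain link. */
struct model_sg { struct model_sg *chain; int end; int len; };
struct model_tsgl { struct model_sg sg[MODEL_MAX_ENTS + 1]; int cur; };

/* Same contract as sg_next(): NULL once the current entry carries the end mark. */
static struct model_sg *model_sg_next(struct model_sg *s)
{
    if (s->end)
        return NULL;
    s++;
    return s->chain ? s->chain : s;
}

/* One send: append n data entries, mark the last one as the end of the list. */
static void model_fill(struct model_tsgl *t, int n)
{
    for (int i = 0; i < n; i++)
        t->sg[t->cur++].len = 1;
    t->sg[t->cur - 1].end = 1;
}

/* Chain a new table; unmark_prev selects the fixed (1) or unfixed (0) behaviour. */
static void model_chain(struct model_tsgl *prev, struct model_tsgl *next, int unmark_prev)
{
    prev->sg[MODEL_MAX_ENTS].chain = next->sg;
    if (unmark_prev)
        prev->sg[MODEL_MAX_ENTS - 1].end = 0;
}

/* Fill the first table exactly, chain a second, add 2 entries, count what a walk reaches. */
static int model_reachable(int unmark_prev)
{
    struct model_tsgl a = {0}, b = {0};
    int n = 0;
    model_fill(&a, MODEL_MAX_ENTS);
    model_chain(&a, &b, unmark_prev);
    model_fill(&b, 2);
    for (struct model_sg *s = a.sg; s; s = model_sg_next(s))
        n++;
    return n;
}

int main(void)
{
    printf("reachable: unfixed %d, fixed %d (6 queued)\n", model_reachable(0), model_reachable(1));
    return 0;
}
```

In the model the unfixed walk stops after the first table, so a consumer that still expects queued data gets NULL from the next-entry call, which is the condition the commit message says leads to the dereference.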