stable.vger.kernel.org archive mirror
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	patches@lists.linux.dev,
	Muhammad Alifa Ramdhan <ramdhan@starlabs.sg>,
	Bing-Jhong Billy Jheng <billy@starlabs.sg>,
	Herbert Xu <herbert@gondor.apana.org.au>,
	Sasha Levin <sashal@kernel.org>
Subject: [PATCH 6.12 082/105] crypto: af_alg - Set merge to zero early in af_alg_sendmsg
Date: Mon, 22 Sep 2025 21:30:05 +0200
Message-ID: <20250922192411.047919676@linuxfoundation.org>
In-Reply-To: <20250922192408.913556629@linuxfoundation.org>

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Herbert Xu <herbert@gondor.apana.org.au>

[ Upstream commit 9574b2330dbd2b5459b74d3b5e9619d39299fc6f ]

If an error causes af_alg_sendmsg to abort, ctx->merge may contain
a garbage value from the previous loop.  This may then trigger a
crash on the next entry into af_alg_sendmsg when it attempts to do
a merge that can't be done.

Fix this by setting ctx->merge to zero near the start of the loop.

Fixes: 8ff590903d5 ("crypto: algif_skcipher - User-space interface for skcipher operations")
Reported-by: Muhammad Alifa Ramdhan <ramdhan@starlabs.sg>
Reported-by: Bing-Jhong Billy Jheng <billy@starlabs.sg>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 crypto/af_alg.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/crypto/af_alg.c b/crypto/af_alg.c
index f02c5586a8ab3..ca6fdcc6c54ac 100644
--- a/crypto/af_alg.c
+++ b/crypto/af_alg.c
@@ -1025,6 +1025,8 @@ int af_alg_sendmsg(struct socket *sock, struct msghdr *msg, size_t size,
 			continue;
 		}
 
+		ctx->merge = 0;
+
 		if (!af_alg_writable(sk)) {
 			err = af_alg_wait_for_wmem(sk, msg->msg_flags);
 			if (err)
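Review bot: the added ctx->merge = 0 directly after the closing brace of the branch that ends in continue has no comment explaining why it must sit ahead of the af_alg_writable() / af_alg_wait_for_wmem() check rather than next to the code that consumes the flag. A one-line comment saying that the flag is cleared before any error exit, so an aborted call cannot leave a stale value for the next entry, would keep a later cleanup from moving it back down. Iterations that leave through the continue just above never reach this reset, so the comment should also say whether that path is expected to keep the previous value.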
@@ -1064,7 +1066,6 @@ int af_alg_sendmsg(struct socket *sock, struct msghdr *msg, size_t size,
 			ctx->used += plen;
 			copied += plen;
 			size -= plen;
-			ctx->merge = 0;
 		} else {
 			do {
 				struct page *pg;
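Review bot: with ctx->merge = 0 removed from the end of the branch before "} else {", this path no longer clears the flag itself and relies entirely on the reset added in the first hunk. The lines between the two locations are not shown here, so please confirm that nothing on this path can set merge to a non-zero value after the early reset and before the point where the old assignment stood. The else branch starting at "do {" is untouched; if it assigns ctx->merge itself, a sentence in the commit message naming the early reset and that assignment as the remaining writers would make the invariant easier to check during backport review.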
-- 
2.51.0



