kernel/1146-crypto-af-alg-fix-null-pointer-dereference-in-scatterwalk.patch
Andrew Lukoshko b3393f484c Recreate RHEL 6.12.0-211.16.1 from CS10/upstream backports
Drop the 211.7.x security-ahead patches superseded by the RHEL 211.8.1..211.16.1
backports (1100-1104), add those backports (1106-1161) from centos-stream-10 and
upstream linux-6.12.y. Keep the smb cifs.spnego ahead-fix (1105). Bump to 211.16.1.
2026-06-07 00:03:47 +00:00


From 288852ae095fabc060f4823784bec8cd5baf2edf Mon Sep 17 00:00:00 2001
From: Herbert Xu <herbert.xu@redhat.com>
Date: Thu, 30 Apr 2026 12:54:18 +0800
Subject: [PATCH] crypto: af-alg - fix NULL pointer dereference in scatterwalk
JIRA: https://redhat.atlassian.net/browse/RHEL-172216
Upstream Status: 62397b493e14107ae82d8b80938f293d95425bcb
commit 62397b493e14107ae82d8b80938f293d95425bcb
Author: Norbert Szetei <norbert@doyensec.com>
Date: Wed Mar 25 18:26:13 2026 +0100
crypto: af-alg - fix NULL pointer dereference in scatterwalk

The AF_ALG interface fails to unmark the end of a Scatter/Gather List (SGL)
when chaining a new af_alg_tsgl structure. If a sendmsg() fills an SGL
exactly to MAX_SGL_ENTS, the last entry is marked as the end. A subsequent
sendmsg() allocates a new SGL and chains it, but fails to clear the end
marker on the previous SGL's last data entry.

This causes the crypto scatterwalk to hit a premature end, returning NULL
on sg_next() and leading to a kernel panic during dereference.

Fix this by explicitly unmarking the end of the previous SGL when
performing sg_chain() in af_alg_alloc_tsgl().

Fixes: 8ff590903d5f ("crypto: algif_skcipher - User-space interface for skcipher operations")
Signed-off-by: Norbert Szetei <norbert@doyensec.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Herbert Xu <herbert.xu@redhat.com>
diff --git a/crypto/af_alg.c b/crypto/af_alg.c
index 0da7c1ac778a..1594a2dd9222 100644
--- a/crypto/af_alg.c
+++ b/crypto/af_alg.c
@@ -623,8 +623,10 @@ static int af_alg_alloc_tsgl(struct sock *sk)
sg_init_table(sgl->sg, MAX_SGL_ENTS + 1);
sgl->cur = 0;
- if (sg)
+ if (sg) {
+ sg_unmark_end(sg + MAX_SGL_ENTS - 1);
sg_chain(sg, MAX_SGL_ENTS + 1, sgl->sg);
+ }
list_add_tail(&sgl->list, &ctx->tsgl_list);
}
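Review bot: the unconditional `sg_unmark_end(sg + MAX_SGL_ENTS - 1)` depends on an invariant the hunk does not state, namely that a previous table `sg` only exists on this path when it is completely full, so its end mark can only sit on the last data entry at index MAX_SGL_ENTS - 1 (the table is allocated with MAX_SGL_ENTS + 1 slots, the extra slot being the chain link). A one-line comment above the call recording that invariant, and noting why `sg_chain()` alone is not sufficient (it sets the chain bit and clears the end bit only on the link slot at index MAX_SGL_ENTS, not on the data entry before it), would make the fix self-explanatory to the next reader and guard against someone later "simplifying" it away. Since the original defect was a NULL return from sg_next() during the walk, it is also worth adding a regression test that sends exactly MAX_SGL_ENTS entries followed by a second sendmsg() on the same socket, which is the trigger described in the commit message.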
--
2.50.1 (Apple Git-155)