On Tuesday, 13 September 2016, 18:08:16 CEST, Herbert Xu wrote:

Hi Herbert,

> This patch appears to be papering over a real bug.
>
> The async path should be exactly the same as the sync path, except
> that we don't wait for completion. So the question is why are we
> getting this crash here for async but not sync?

At least one reason is found in skcipher_recvmsg_async with the following
code path:

		if (txbufs == tx_nents) {
			struct scatterlist *tmp;
			int x;
			/* Ran out of tx slots in async request
			 * need to expand */
			tmp = kcalloc(tx_nents * 2, sizeof(*tmp),
				      GFP_KERNEL);
			if (!tmp)
				goto free;

			sg_init_table(tmp, tx_nents * 2);
			for (x = 0; x < tx_nents; x++)
				sg_set_page(&tmp[x], sg_page(&sreq->tsg[x]),
					    sreq->tsg[x].length,
					    sreq->tsg[x].offset);
			kfree(sreq->tsg);
			sreq->tsg = tmp;
			tx_nents *= 2;
			mark = true;
		}

==> the code allocates twice the amount of the previously existing memory,
copies the existing SGs over, but does not set the remaining SGs to
anything. If the caller provides fewer pages than the number of allocated
SGs, some SGs are unset. Hence, the deallocation must not do anything with
the yet uninitialized SGs.

Ciao
Stephan
--
To unsubscribe from this list: send the line "unsubscribe linux-crypto" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
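A constructed user-space model of the grow-and-release sequence described in the message above, added here as an illustration and not code from the kernel or from this thread. The struct names and the functions grow_tsg, push_page, release_tsg and demo are assumed stand-ins for the scatterlist and page handling; the point shown is that the release loop must stop at the unset tail left by the doubling step rather than walk all tx_nents slots:

```c
#include <stdlib.h>
#include <string.h>

/* Constructed user-space model of the async tx scatterlist array (not
 * kernel code); a NULL page marks a slot allocated but never filled. */
struct sg_slot { void *page; };
struct tx_req {
    struct sg_slot *tsg;
    unsigned int tx_nents; /* slots allocated */
    unsigned int txbufs;   /* slots actually filled */
};

/* Same shape as the doubling in skcipher_recvmsg_async: twice as many
 * zeroed slots, copy the filled ones over, leave the tail untouched. */
static int grow_tsg(struct tx_req *r)
{
    struct sg_slot *tmp = calloc(r->tx_nents * 2, sizeof(*tmp));
    if (!tmp) return -1;
    memcpy(tmp, r->tsg, r->tx_nents * sizeof(*tmp));
    free(r->tsg);
    r->tsg = tmp;
    r->tx_nents *= 2;
    return 0;
}
static int push_page(struct tx_req *r)
{
    if (r->txbufs == r->tx_nents && grow_tsg(r)) return -1;
    r->tsg[r->txbufs++].page = malloc(64); /* stands in for a pinned page */
    return 0;
}

/* Release path: stop at the first NULL page so the loop never touches
 * the uninitialized tail left behind by grow_tsg(). */
static unsigned int release_tsg(struct tx_req *r)
{
    unsigned int i, released = 0;
    for (i = 0; i < r->tx_nents && r->tsg[i].page; i++) {
        free(r->tsg[i].page);
        released++;
    }
    free(r->tsg);
    return released;
}

/* Start with 2 slots, push n pages (doubling whenever full), release. */
static unsigned int demo(unsigned int n)
{
    struct tx_req r = { calloc(2, sizeof(struct sg_slot)), 2, 0 };
    while (n--)
        push_page(&r);
    return release_tsg(&r);
}
```

With five pushes the array grows 2 -> 4 -> 8, so three slots stay NULL and the release loop must not reach them.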