On Thu, Sep 21, 2017 at 10:16:53AM +0200, Stephan Mueller wrote: > The SGL is MAX_SGL_ENTS + 1 in size. The last SG entry is used for the > chaining and is properly updated with the sg_chain invocation. During > the filling-in of the initial SG entries, sg_mark_end is called for each > SG entry. This is appropriate as long as no additional SGL is chained > with the current SGL. However, when a new SGL is chained and the last > SG entry is updated with sg_chain, the last but one entry still contains > the end marker from the sg_mark_end. This end marker must be removed as > otherwise a walk of the chained SGLs will cause a NULL pointer > dereference at the last but one SG entry, because sg_next will return > NULL. > > The patch only applies to all kernels up to and including 4.13. The > patch 2d97591ef43d0587be22ad1b0d758d6df4999a0b added to 4.14-rc1 > introduced a complete new code base which addresses this bug in > a different way. Yet, that patch is too invasive for stable kernels > and was therefore not marked for stable. > > Fixes: 8ff590903d5fc ("crypto: algif_skcipher - User-space interface > for skcipher operations") > CC: <stable@xxxxxxxxxxxxxxx> > CC: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx> > Signed-off-by: Stephan Mueller <smueller@xxxxxxxxxx> Acked-by: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx> Thanks, -- Email: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx> Home Page: http://gondor.apana.org.au/~herbert/ PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt