On Friday, 24 November 2017, 08:37:28 CET, Herbert Xu wrote:

Hi Herbert,

> On Fri, Nov 10, 2017 at 11:04:52AM +0100, Stephan Müller wrote:
> > Hi Herbert,
> >
> > I missed the termination of the outer loop of list_for_each_entry_safe.
> >
> > The patch was tested on x86 64 and 32 bit environments.
> >
> > ---8<---
> >
> > The TX SGL may contain SGL entries that are assigned a NULL page. This
> > may happen if a multi-stage AIO operation is performed where the data
> > for each stage is pointed to by one SGL entry. Upon completion of that
> > stage, af_alg_pull_tsgl will assign NULL to the SGL entry.
> >
> > The NULL cipher used to copy the AAD from TX SGL to the destination
> > buffer, however, cannot handle the case where the SGL starts with an SGL
> > entry having a NULL page. Thus, the code needs to advance the start
> > pointer into the SGL to the first non-NULL entry.
> >
> > This fixes a crash visible on Intel x86 32 bit using the libkcapi test
> > suite.
> >
> > Fixes: 72548b093ee38 ("crypto: algif_aead - copy AAD from src to dst")
> > Signed-off-by: Stephan Mueller <smueller@xxxxxxxxxx>
>
> Patch applied. Thanks.

Would it make sense to feed it to stable?

Ciao
Stephan
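
A user-space model of the search the quoted commit message describes, added here as an example and not taken from the patch or the kernel source: it advances to the first SGL entry with a non-NULL page across a list of chunks. The types `sg_entry` and `tsgl`, the function names, and the sample data are hypothetical stand-ins; the first function illustrates the kind of slip mentioned (leaving only the inner loop), not the actual earlier revision.

```c
#include <stddef.h>

/* Hypothetical user-space stand-ins, not the kernel's definitions. */
struct sg_entry { const void *page; unsigned int length; };
struct tsgl {                 /* one chunk of the TX SGL list */
    struct sg_entry *sg;
    unsigned int cur;         /* entries in use */
    struct tsgl *next;
};

/* Inner `break` only: the outer walk continues and a later chunk
 * overwrites the result, so the start pointer lands too far in. */
struct sg_entry *first_mapped_missing_outer_break(struct tsgl *head)
{
    struct sg_entry *start = NULL;
    for (struct tsgl *t = head; t; t = t->next)
        for (unsigned int i = 0; i < t->cur; i++)
            if (t->sg[i].page) { start = &t->sg[i]; break; }
    return start;
}

/* Stop both loops at the first entry whose page is non-NULL. */
struct sg_entry *first_mapped(struct tsgl *head)
{
    for (struct tsgl *t = head; t; t = t->next)
        for (unsigned int i = 0; i < t->cur; i++)
            if (t->sg[i].page)
                return &t->sg[i];
    return NULL;              /* every entry already consumed */
}

/* Constructed sample: stage 1 consumed (pages NULL), AAD at chunk_a[2]. */
static const char aad[16], data[32];
static struct sg_entry chunk_a[] = { {NULL, 0}, {NULL, 0}, {aad, 16} };
static struct sg_entry chunk_b[] = { {NULL, 0}, {data, 32} };
static struct tsgl list_b = { chunk_b, 2, NULL };
static struct tsgl list_a = { chunk_a, 3, &list_b };

/* Length of the entry each variant selects as the start of the copy. */
unsigned int demo_len(int fixed)
{
    struct sg_entry *e = fixed ? first_mapped(&list_a)
                               : first_mapped_missing_outer_break(&list_a);
    return e ? e->length : 0;
}

int main(void) { return demo_len(1) == 16 ? 0 : 1; }
```

In this model a caller also has to handle the `NULL` return, which is the case where every entry in the list has already been consumed.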