From: Eric Biggers <ebiggers@xxxxxxxxxx>

Hi,

this series fixes various bugs in the VMAC template (crypto/vmac.c).

First, the per-request context was being stored in the transform context, which made VMAC not thread-safe, and the kernel could be crashed by using the same VMAC transform in multiple threads using AF_ALG (found by syzkaller). Also the keys were incorrectly being wiped after each message. Patch 2 fixes these bugs, Cc'ed to stable.

But there are also bugs that require breaking changes: the nonce is hardcoded to 0, and the endianness of the final digest is wrong. So patch 3 introduces a fixed version of the VMAC template that takes the nonce as the first 16 bytes of data, and fixes the digest endianness. Patch 4 then removes the current version of the VMAC template. I'm not 100% sure whether we can really do that or not as it may have users (there are no explicit users in the kernel, though), but given that the old version was insecure unless a unique key was set for each message, I think we should try and see if anyone complains.

Eric Biggers (4):
  crypto: vmac - require a block cipher with 128-bit block size
  crypto: vmac - separate tfm and request context
  crypto: vmac - add nonced version with big endian digest
  crypto: vmac - remove insecure version with hardcoded nonce

 crypto/tcrypt.c       |   2 +-
 crypto/testmgr.c      |   4 +-
 crypto/testmgr.h      | 217 +++++++++++++--------
 crypto/vmac.c         | 444 ++++++++++++++++++++----------------------
 include/crypto/vmac.h |  63 ------
 5 files changed, 351 insertions(+), 379 deletions(-)
 delete mode 100644 include/crypto/vmac.h

-- 
2.18.0.rc1.244.gcf134e6275-goog
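The state-ownership bug that patch 2 addresses (per-request state kept in the shared transform context) can be shown without any of VMAC's arithmetic. The following is an added example, not code from this series or from crypto/vmac.c: a toy keyed checksum stands in for the MAC, and two requests on one transform are interleaved deterministically in a single thread, which is the same clobbering that concurrent AF_ALG users would cause. The struct and function names, the key value and the messages are all constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy keyed checksum standing in for VMAC (constructed, not a real MAC).
 * Only WHERE the per-message accumulator lives matters here. */
static uint64_t step(uint64_t acc, uint8_t byte, uint64_t key)
{
	return (acc * 31 + byte) ^ key;
}

/* Buggy layout: the accumulator sits in the transform (tfm) context, which
 * every request issued on that tfm shares. */
struct buggy_tfm_ctx {
	uint64_t key;
	uint64_t acc;	/* per-request state in the wrong place */
};

static void buggy_init(struct buggy_tfm_ctx *t) { t->acc = 0; }
static void buggy_update(struct buggy_tfm_ctx *t, const uint8_t *p, size_t n)
{
	for (size_t i = 0; i < n; i++)
		t->acc = step(t->acc, p[i], t->key);
}
static uint64_t buggy_final(struct buggy_tfm_ctx *t)
{
	uint64_t mac = t->acc;
	t->acc = 0;
	return mac;
}

/* Fixed layout: the tfm context holds only the key; each request owns its
 * accumulator, so in-flight requests cannot clobber one another. Finalising
 * wipes the request context only; the key in the tfm context survives. */
struct fixed_tfm_ctx { uint64_t key; };
struct fixed_req_ctx { uint64_t acc; };

static void fixed_init(struct fixed_req_ctx *r) { r->acc = 0; }
static void fixed_update(const struct fixed_tfm_ctx *t, struct fixed_req_ctx *r,
			 const uint8_t *p, size_t n)
{
	for (size_t i = 0; i < n; i++)
		r->acc = step(r->acc, p[i], t->key);
}
static uint64_t fixed_final(struct fixed_req_ctx *r)
{
	uint64_t mac = r->acc;
	memset(r, 0, sizeof(*r));
	return mac;
}

/* Reference: one message processed start to finish with nothing in flight. */
static uint64_t reference_mac(uint64_t key, const uint8_t *m, size_t n)
{
	uint64_t acc = 0;
	for (size_t i = 0; i < n; i++)
		acc = step(acc, m[i], key);
	return acc;
}

/* Constructed inputs: two messages whose updates are interleaved on one tfm. */
#define TOY_KEY 0x0123456789abcdefULL
static const uint8_t MSG_A[] = "message A";
static const uint8_t MSG_B[] = "message B";
#define HALF 4

/* Returns 1 if the buggy layout produces a wrong MAC once a second request
 * on the same tfm is interleaved with the first. */
int shared_state_corrupts(void)
{
	struct buggy_tfm_ctx t = { .key = TOY_KEY, .acc = 0 };
	size_t na = sizeof(MSG_A) - 1, nb = sizeof(MSG_B) - 1;

	buggy_init(&t);					/* request A begins */
	buggy_init(&t);					/* request B begins */
	buggy_update(&t, MSG_A, HALF);
	buggy_update(&t, MSG_B, HALF);
	buggy_update(&t, MSG_A + HALF, na - HALF);
	uint64_t mac_a = buggy_final(&t);
	buggy_update(&t, MSG_B + HALF, nb - HALF);
	uint64_t mac_b = buggy_final(&t);

	return mac_a != reference_mac(TOY_KEY, MSG_A, na) ||
	       mac_b != reference_mac(TOY_KEY, MSG_B, nb);
}

/* Returns 1 if the fixed layout yields the correct MAC for both messages
 * under exactly the same interleaving. */
int per_request_state_is_safe(void)
{
	struct fixed_tfm_ctx t = { .key = TOY_KEY };
	struct fixed_req_ctx ra, rb;
	size_t na = sizeof(MSG_A) - 1, nb = sizeof(MSG_B) - 1;

	fixed_init(&ra);
	fixed_init(&rb);
	fixed_update(&t, &ra, MSG_A, HALF);
	fixed_update(&t, &rb, MSG_B, HALF);
	fixed_update(&t, &ra, MSG_A + HALF, na - HALF);
	uint64_t mac_a = fixed_final(&ra);
	fixed_update(&t, &rb, MSG_B + HALF, nb - HALF);
	uint64_t mac_b = fixed_final(&rb);

	return mac_a == reference_mac(TOY_KEY, MSG_A, na) &&
	       mac_b == reference_mac(TOY_KEY, MSG_B, nb);
}

int main(void)
{
	printf("shared tfm state corrupts interleaved requests: %d\n",
	       shared_state_corrupts());
	printf("per-request state survives interleaving:        %d\n",
	       per_request_state_is_safe());
	return 0;
}
```

The interleaving is the same in both halves; only the owner of the accumulator changes. With the buggy layout, request A's final value is computed over bytes that belong to request B, and B's final value has lost its first half, which is the silent-corruption counterpart of the crash syzkaller triggered through AF_ALG.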