From: Luo Xinqiang <luoxinqiang2@xxxxxxxxxx> In function scatterwalk_pagedone(), a kernel panic of invalid page will occur if walk->offset equals 0. This patch fixes the problem by setting the page addresswith sg_page(walk->sg) directly if walk->offset equals 0. Panic call stack: [<ffffff9632b4f418>] blkcipher_walk_done+0x430/0x8dc [<ffffff9632b4ed50>] blkcipher_walk_next+0x750/0x9e8 [<ffffff9632b4fe08>] blkcipher_walk_first+0x110/0x2c0 [<ffffff9632b50084>] blkcipher_walk_virt+0xcc/0xe0 [<ffffff96324b3680>] cbc_decrypt+0xdc/0x1a8 [<ffffff9632ba3f90>] ablk_decrypt+0x138/0x224 [<ffffff9632b50a90>] skcipher_decrypt_ablkcipher+0x130/0x150 [<ffffff9632b9d6d4>] skcipher_recvmsg_sync.isra.17+0x270/0x404 [<ffffff9632b9d900>] skcipher_recvmsg+0x98/0xb8 [<ffffff9634044908>] SyS_recvfrom+0x2ac/0x2fc [<ffffff96324839c0>] el0_svc_naked+0x34/0x38 Test: do syskaller fuzz test on 4.9 & 4.4 Signed-off-by: Gao Kui <gaokui1@xxxxxxxxxx> Signed-off-by: Luo Xinqiang <luoxinqiang2@xxxxxxxxxx> --- crypto/scatterwalk.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/crypto/scatterwalk.c b/crypto/scatterwalk.c index bc769c4..a265907 100644 --- a/crypto/scatterwalk.c +++ b/crypto/scatterwalk.c @@ -53,7 +53,11 @@ static void scatterwalk_pagedone(struct scatter_walk *walk, int out, if (out) { struct page *page; - page = sg_page(walk->sg) + ((walk->offset - 1) >> PAGE_SHIFT); + if (likely(walk->offset)) + page = sg_page(walk->sg) + + ((walk->offset - 1) >> PAGE_SHIFT); + else + page = sg_page(walk->sg); /* Test ARCH_IMPLEMENTS_FLUSH_DCACHE_PAGE first as * PageSlab cannot be optimised away per se due to * use of volatile pointer. -- 2.7.4