On Tue, Jul 12, 2022 at 03:50:31PM +0800, GUO Zihua wrote:
> int init(void)
> {
> 	struct crypto_shash *tfm = NULL;
> 	struct shash_desc *desc = NULL;
> 	char *data = NULL;
>
> 	tfm = crypto_alloc_shash("poly1305", 0, 0);
> 	desc = kmalloc(sizeof(*desc) + crypto_shash_descsize(tfm), GFP_KERNEL);
> 	desc->tfm = tfm;
>
> 	data = kmalloc(POLY1305_KEY_SIZE - 1, GFP_KERNEL);
> 	memcpy(data, test_data, POLY1305_KEY_SIZE - 1);
> 	crypto_shash_update(desc, data, POLY1305_KEY_SIZE - 1);
> 	crypto_shash_final(desc, data);
> 	kfree(data);
> 	return 0;
> }

This isn't actually a valid test case since it never calls
crypto_shash_init(). So the behavior of this test is undefined both before
and after this patch. The simplest way to write a correct test would be to
use crypto_shash_tfm_digest().

Anyway, the bug is still real and this patch is still the correct fix, so
it's good enough to add my reviewed-by:

Reviewed-by: Eric Biggers <ebiggers@xxxxxxxxxx>

- Eric