This is a note to let you know that I've just added the patch titled crypto: algif_hash - Remove bogus SGL free on zero-length error path to the 6.6-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary The filename of the patch is: crypto-algif_hash-remove-bogus-sgl-free-on-zero-length-error-path.patch and it can be found in the queue-6.6 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable@xxxxxxxxxxxxxxx> know about it. >From 24c890dd712f6345e382256cae8c97abb0406b70 Mon Sep 17 00:00:00 2001 From: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx> Date: Thu, 1 Feb 2024 13:49:09 +0800 Subject: crypto: algif_hash - Remove bogus SGL free on zero-length error path From: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx> commit 24c890dd712f6345e382256cae8c97abb0406b70 upstream. When a zero-length message is hashed by algif_hash, and an error is triggered, it tries to free an SG list that was never allocated in the first place. Fix this by not freeing the SG list on the zero-length error path. Reported-by: Shigeru Yoshida <syoshida@xxxxxxxxxx> Reported-by: xingwei lee <xrivendell7@xxxxxxxxx> Fixes: b6d972f68983 ("crypto: af_alg/hash: Fix recvmsg() after sendmsg(MSG_MORE)") Cc: <stable@xxxxxxxxxxxxxxx> Signed-off-by: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx> Reported-by: syzbot+3266db0c26d1fbbe3abb@xxxxxxxxxxxxxxxxxxxxxxxxx Signed-off-by: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> --- crypto/algif_hash.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/crypto/algif_hash.c b/crypto/algif_hash.c index 82c44d4899b9..e24c829d7a01 100644 --- a/crypto/algif_hash.c +++ b/crypto/algif_hash.c @@ -91,13 +91,13 @@ static int hash_sendmsg(struct socket *sock, struct msghdr *msg, if (!(msg->msg_flags & MSG_MORE)) { err = hash_alloc_result(sk, ctx); if (err) - goto unlock_free; + goto unlock_free_result; ahash_request_set_crypt(&ctx->req, NULL, ctx->result, 0); err = crypto_wait_req(crypto_ahash_final(&ctx->req), &ctx->wait); if (err) - goto unlock_free; + goto unlock_free_result; } goto done_more; } @@ -170,6 +170,7 @@ static int hash_sendmsg(struct socket *sock, struct msghdr *msg, unlock_free: af_alg_free_sg(&ctx->sgl); +unlock_free_result: hash_free_result(sk, ctx); ctx->more = false; goto unlock; -- 2.43.2 Patches currently in stable-queue which might be from herbert@xxxxxxxxxxxxxxxxxxx are queue-6.6/crypto-algif_hash-remove-bogus-sgl-free-on-zero-length-error-path.patch queue-6.6/crypto-ccp-fix-null-pointer-dereference-in-__sev_platform_shutdown_locked.patch