From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Mon, 22 Sep 2025 19:19:38 +0000 (+0200)
Subject: 6.1-stable patches
X-Git-Tag: v6.1.154~2
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=3ff73c746825aeb6b597dd892cb5a3b95a550cfe;p=thirdparty%2Fkernel%2Fstable-queue.git

6.1-stable patches

added patches:
	crypto-af_alg-convert-af_alg_sendpage-to-use-msg_splice_pages.patch
	crypto-af_alg-disallow-concurrent-writes-in-af_alg_sendmsg.patch
---

diff --git a/queue-6.1/crypto-af_alg-convert-af_alg_sendpage-to-use-msg_splice_pages.patch b/queue-6.1/crypto-af_alg-convert-af_alg_sendpage-to-use-msg_splice_pages.patch
new file mode 100644
index 0000000000..2d469e9a01
--- /dev/null
+++ b/queue-6.1/crypto-af_alg-convert-af_alg_sendpage-to-use-msg_splice_pages.patch
@@ -0,0 +1,100 @@
+From stable+bounces-181015-greg=kroah.com@vger.kernel.org Mon Sep 22 20:45:39 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 22 Sep 2025 14:44:48 -0400
+Subject: crypto: af_alg: Convert af_alg_sendpage() to use MSG_SPLICE_PAGES
+To: stable@vger.kernel.org
+Cc: David Howells <dhowells@redhat.com>, Herbert Xu <herbert@gondor.apana.org.au>, "David S. Miller" <davem@davemloft.net>, Eric Dumazet <edumazet@google.com>, Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>, Jens Axboe <axboe@kernel.dk>, Matthew Wilcox <willy@infradead.org>, linux-crypto@vger.kernel.org, netdev@vger.kernel.org, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250922184449.3864288-1-sashal@kernel.org>
+
+From: David Howells <dhowells@redhat.com>
+
+[ Upstream commit fb800fa4c1f5aee1238267252e88a7837e645c02 ]
+
+Convert af_alg_sendpage() to use sendmsg() with MSG_SPLICE_PAGES rather
+than directly splicing in the pages itself.
+
+This allows ->sendpage() to be replaced by something that can handle
+multiple multipage folios in a single transaction.
+
+Signed-off-by: David Howells <dhowells@redhat.com>
+cc: Herbert Xu <herbert@gondor.apana.org.au>
+cc: "David S. Miller" <davem@davemloft.net>
+cc: Eric Dumazet <edumazet@google.com>
+cc: Jakub Kicinski <kuba@kernel.org>
+cc: Paolo Abeni <pabeni@redhat.com>
+cc: Jens Axboe <axboe@kernel.dk>
+cc: Matthew Wilcox <willy@infradead.org>
+cc: linux-crypto@vger.kernel.org
+cc: netdev@vger.kernel.org
+Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ crypto/af_alg.c |   52 ++++++++--------------------------------------------
+ 1 file changed, 8 insertions(+), 44 deletions(-)
+
+--- a/crypto/af_alg.c
++++ b/crypto/af_alg.c
+@@ -993,53 +993,17 @@ EXPORT_SYMBOL_GPL(af_alg_sendmsg);
+ ssize_t af_alg_sendpage(struct socket *sock, struct page *page,
+ 			int offset, size_t size, int flags)
+ {
+-	struct sock *sk = sock->sk;
+-	struct alg_sock *ask = alg_sk(sk);
+-	struct af_alg_ctx *ctx = ask->private;
+-	struct af_alg_tsgl *sgl;
+-	int err = -EINVAL;
++	struct bio_vec bvec;
++	struct msghdr msg = {
++		.msg_flags = flags | MSG_SPLICE_PAGES,
++	};
+ 
+ 	if (flags & MSG_SENDPAGE_NOTLAST)
+-		flags |= MSG_MORE;
++		msg.msg_flags |= MSG_MORE;
+ 
+-	lock_sock(sk);
+-	if (!ctx->more && ctx->used)
+-		goto unlock;
+-
+-	if (!size)
+-		goto done;
+-
+-	if (!af_alg_writable(sk)) {
+-		err = af_alg_wait_for_wmem(sk, flags);
+-		if (err)
+-			goto unlock;
+-	}
+-
+-	err = af_alg_alloc_tsgl(sk);
+-	if (err)
+-		goto unlock;
+-
+-	ctx->merge = 0;
+-	sgl = list_entry(ctx->tsgl_list.prev, struct af_alg_tsgl, list);
+-
+-	if (sgl->cur)
+-		sg_unmark_end(sgl->sg + sgl->cur - 1);
+-
+-	sg_mark_end(sgl->sg + sgl->cur);
+-
+-	get_page(page);
+-	sg_set_page(sgl->sg + sgl->cur, page, size, offset);
+-	sgl->cur++;
+-	ctx->used += size;
+-
+-done:
+-	ctx->more = flags & MSG_MORE;
+-
+-unlock:
+-	af_alg_data_wakeup(sk);
+-	release_sock(sk);
+-
+-	return err ?: size;
++	bvec_set_page(&bvec, page, size, offset);
++	iov_iter_bvec(&msg.msg_iter, ITER_SOURCE, &bvec, 1, size);
++	return sock_sendmsg(sock, &msg);
+ }
+ EXPORT_SYMBOL_GPL(af_alg_sendpage);
+ 
diff --git a/queue-6.1/crypto-af_alg-disallow-concurrent-writes-in-af_alg_sendmsg.patch b/queue-6.1/crypto-af_alg-disallow-concurrent-writes-in-af_alg_sendmsg.patch
new file mode 100644
index 0000000000..9754b98265
--- /dev/null
+++ b/queue-6.1/crypto-af_alg-disallow-concurrent-writes-in-af_alg_sendmsg.patch
@@ -0,0 +1,80 @@
+From stable+bounces-181016-greg=kroah.com@vger.kernel.org Mon Sep 22 20:45:24 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 22 Sep 2025 14:44:49 -0400
+Subject: crypto: af_alg - Disallow concurrent writes in af_alg_sendmsg
+To: stable@vger.kernel.org
+Cc: Herbert Xu <herbert@gondor.apana.org.au>, Muhammad Alifa Ramdhan <ramdhan@starlabs.sg>, Bing-Jhong Billy Jheng <billy@starlabs.sg>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250922184449.3864288-2-sashal@kernel.org>
+
+From: Herbert Xu <herbert@gondor.apana.org.au>
+
+[ Upstream commit 1b34cbbf4f011a121ef7b2d7d6e6920a036d5285 ]
+
+Issuing two writes to the same af_alg socket is bogus as the
+data will be interleaved in an unpredictable fashion.  Furthermore,
+concurrent writes may create inconsistencies in the internal
+socket state.
+
+Disallow this by adding a new ctx->write field that indiciates
+exclusive ownership for writing.
+
+Fixes: 8ff590903d5 ("crypto: algif_skcipher - User-space interface for skcipher operations")
+Reported-by: Muhammad Alifa Ramdhan <ramdhan@starlabs.sg>
+Reported-by: Bing-Jhong Billy Jheng <billy@starlabs.sg>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ crypto/af_alg.c         |    7 +++++++
+ include/crypto/if_alg.h |   10 ++++++----
+ 2 files changed, 13 insertions(+), 4 deletions(-)
+
+--- a/crypto/af_alg.c
++++ b/crypto/af_alg.c
+@@ -859,6 +859,12 @@ int af_alg_sendmsg(struct socket *sock,
+ 	}
+ 
+ 	lock_sock(sk);
++	if (ctx->write) {
++		release_sock(sk);
++		return -EBUSY;
++	}
++	ctx->write = true;
++
+ 	if (ctx->init && !ctx->more) {
+ 		if (ctx->used) {
+ 			err = -EINVAL;
+@@ -974,6 +980,7 @@ int af_alg_sendmsg(struct socket *sock,
+ 
+ unlock:
+ 	af_alg_data_wakeup(sk);
++	ctx->write = false;
+ 	release_sock(sk);
+ 
+ 	return copied ?: err;
+--- a/include/crypto/if_alg.h
++++ b/include/crypto/if_alg.h
+@@ -136,6 +136,7 @@ struct af_alg_async_req {
+  *			SG?
+  * @enc:		Cryptographic operation to be performed when
+  *			recvmsg is invoked.
++ * @write:		True if we are in the middle of a write.
+  * @init:		True if metadata has been sent.
+  * @len:		Length of memory allocated for this data structure.
+  * @inflight:		Non-zero when AIO requests are in flight.
+@@ -151,10 +152,11 @@ struct af_alg_ctx {
+ 	size_t used;
+ 	atomic_t rcvused;
+ 
+-	bool more;
+-	bool merge;
+-	bool enc;
+-	bool init;
++	u32		more:1,
++			merge:1,
++			enc:1,
++			write:1,
++			init:1;
+ 
+ 	unsigned int len;
+ 
diff --git a/queue-6.1/series b/queue-6.1/series
index e42a6d30f2..0a9a1f65a5 100644
--- a/queue-6.1/series
+++ b/queue-6.1/series
@@ -57,3 +57,5 @@ net-rfkill-gpio-fix-crash-due-to-dereferencering-uninitialized-pointer.patch
 asoc-qcom-q6apm-lpass-dai-close-graphs-before-opening-a-new-one.patch
 asoc-q6apm-lpass-dai-close-graph-on-prepare-errors.patch
 asoc-qcom-q6apm-lpass-dais-fix-null-pointer-dereference-if-source-graph-failed.patch
+crypto-af_alg-convert-af_alg_sendpage-to-use-msg_splice_pages.patch
+crypto-af_alg-disallow-concurrent-writes-in-af_alg_sendmsg.patch