From: Greg Kroah-Hartman Date: Fri, 1 May 2026 08:55:14 +0000 (+0200) Subject: 6.18-stable patches X-Git-Tag: v6.12.86~80 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=de73750aa077c3811e22535b7dd1d66a016d2c6d;p=thirdparty%2Fkernel%2Fstable-queue.git 6.18-stable patches added patches: crypto-algif_aead-snapshot-iv-for-async-aead-requests.patch crypto-pcrypt-fix-handling-of-may_backlog-requests.patch
---
diff --git a/queue-6.18/crypto-algif_aead-snapshot-iv-for-async-aead-requests.patch b/queue-6.18/crypto-algif_aead-snapshot-iv-for-async-aead-requests.patch
new file mode 100644
index 0000000000..872c22f357
--- /dev/null
+++ b/queue-6.18/crypto-algif_aead-snapshot-iv-for-async-aead-requests.patch
@@ -0,0 +1,74 @@
+From 5aa58c3a572b3e3b6c786953339f7978b845cc52 Mon Sep 17 00:00:00 2001
+From: Douya Le
+Date: Sun, 19 Apr 2026 16:52:59 +0800
+Subject: crypto: algif_aead - snapshot IV for async AEAD requests
+
+From: Douya Le
+
+commit 5aa58c3a572b3e3b6c786953339f7978b845cc52 upstream.
+
+AF_ALG AEAD AIO requests currently use the socket-wide IV buffer during
+request processing. For async requests, later socket activity can
+update that shared state before the original request has fully
+completed, which can lead to inconsistent IV handling.
+
+Snapshot the IV into per-request storage when preparing the AEAD
+request, so in-flight operations no longer depend on mutable socket
+state.
+
+Fixes: d887c52d6ae4 ("crypto: algif_aead - overhaul memory management")
+Cc: stable@kernel.org
+Reported-by: Yuan Tan
+Reported-by: Yifan Wu
+Reported-by: Juefei Pu
+Reported-by: Xin Liu
+Co-developed-by: Luxing Yin
+Signed-off-by: Luxing Yin
+Tested-by: Yucheng Lu
+Signed-off-by: Douya Le
+Signed-off-by: Ren Wei
+Signed-off-by: Herbert Xu
+Cc: Eric Biggers
+Signed-off-by: Greg Kroah-Hartman
+---
+ crypto/algif_aead.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+--- a/crypto/algif_aead.c
++++ b/crypto/algif_aead.c
+@@ -72,8 +72,10 @@ static int _aead_recvmsg(struct socket *
+ struct af_alg_ctx *ctx = ask->private;
+ struct crypto_aead *tfm = pask->private;
+ unsigned int as = crypto_aead_authsize(tfm);
++ unsigned int ivsize = crypto_aead_ivsize(tfm);
+ struct af_alg_async_req *areq;
+ struct scatterlist *rsgl_src, *tsgl_src = NULL;
++ void *iv;
+ int err = 0;
+ size_t used = 0; /* [in] TX bufs to be en/decrypted */
+ size_t outlen = 0; /* [out] RX bufs produced by kernel */
+@@ -125,10 +127,14 @@ static int _aead_recvmsg(struct socket *
+
+ /* Allocate cipher request for current operation. 
*/
+ areq = af_alg_alloc_areq(sk, sizeof(struct af_alg_async_req) +
+- crypto_aead_reqsize(tfm));
++ crypto_aead_reqsize(tfm) + ivsize);
+ if (IS_ERR(areq))
+ return PTR_ERR(areq);
+
++ iv = (u8 *)aead_request_ctx(&areq->cra_u.aead_req) +
++ crypto_aead_reqsize(tfm);
++ memcpy(iv, ctx->iv, ivsize);
++
+ /* convert iovecs of output buffers into RX SGL */
+ err = af_alg_get_rsgl(sk, msg, flags, areq, outlen, &usedpages);
+ if (err)
+@@ -187,7 +193,7 @@ static int _aead_recvmsg(struct socket *
+
+ /* Initialize the crypto operation */
+ aead_request_set_crypt(&areq->cra_u.aead_req, tsgl_src,
+- areq->first_rsgl.sgl.sgt.sgl, used, ctx->iv);
++ areq->first_rsgl.sgl.sgt.sgl, used, iv);
+ aead_request_set_ad(&areq->cra_u.aead_req, ctx->aead_assoclen);
+ aead_request_set_tfm(&areq->cra_u.aead_req, tfm);
+
diff --git a/queue-6.18/crypto-pcrypt-fix-handling-of-may_backlog-requests.patch b/queue-6.18/crypto-pcrypt-fix-handling-of-may_backlog-requests.patch
new file mode 100644
index 0000000000..0042a993c8
--- /dev/null
+++ b/queue-6.18/crypto-pcrypt-fix-handling-of-may_backlog-requests.patch
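Review bot: The per-request IV slot is carved out of the `af_alg_alloc_areq()` allocation by bare pointer arithmetic (`aead_request_ctx(&areq->cra_u.aead_req) + crypto_aead_reqsize(tfm)`), and nothing in the new lines documents that layout or ties the `+ ivsize` in the size expression to the offset used for `iv`. A comment above the assignment, e.g. `/* per-request IV copy lives directly after the AEAD request context */`, would keep a later change to one expression from silently desynchronising the other and writing past the allocation. The copy's alignment now follows `crypto_aead_reqsize(tfm)`; whether any AEAD implementation reachable through AF_ALG still expects the IV aligned to `crypto_aead_alignmask(tfm)` cannot be told from these hunks and is worth confirming before relying on the unaligned offset. `_aead_recvmsg()` begins and ends outside the quoted hunks.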
@@ -0,0 +1,51 @@
+From 915b692e6cb723aac658c25eb82c58fd81235110 Mon Sep 17 00:00:00 2001
+From: Herbert Xu
+Date: Thu, 16 Apr 2026 17:00:50 +0800
+Subject: crypto: pcrypt - Fix handling of MAY_BACKLOG requests
+
+From: Herbert Xu
+
+commit 915b692e6cb723aac658c25eb82c58fd81235110 upstream.
+
+MAY_BACKLOG requests can return EBUSY. Handle them by checking
+for that value and filtering out EINPROGRESS notifications.
+
+Reported-by: Yiming Qian
+Fixes: 5a1436beec57 ("crypto: pcrypt - call the complete function on error")
+Signed-off-by: Herbert Xu
+Cc: Eric Biggers
+Signed-off-by: Greg Kroah-Hartman
+---
+ crypto/pcrypt.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/crypto/pcrypt.c
++++ b/crypto/pcrypt.c
+@@ -69,6 +69,9 @@ static void pcrypt_aead_done(void *data,
+ struct pcrypt_request *preq = aead_request_ctx(req);
+ struct padata_priv *padata = pcrypt_request_padata(preq);
+
++ if (err == -EINPROGRESS)
++ return;
++
+ padata->info = err;
+
+ padata_do_serial(padata);
+@@ -82,7 +85,7 @@ static void pcrypt_aead_enc(struct padat
+
+ ret = crypto_aead_encrypt(req);
+
+- if (ret == -EINPROGRESS)
++ if (ret == -EINPROGRESS || ret == -EBUSY)
+ return;
+
+ padata->info = ret;
+@@ -133,7 +136,7 @@ static void pcrypt_aead_dec(struct padat
+
+ ret = crypto_aead_decrypt(req);
+
+- if (ret == -EINPROGRESS)
++ if (ret == -EINPROGRESS || ret == -EBUSY)
+ return;
+
+ padata->info = ret;
diff --git a/queue-6.18/series b/queue-6.18/series
index d8a5c01c15..2758dc241b 100644
--- a/queue-6.18/series
+++ b/queue-6.18/series
@@ -36,3 +36,5 @@ thermal-core-fix-thermal-zone-governor-cleanup-issues.patch
 spi-imx-fix-use-after-free-on-unbind.patch
 spi-ch341-fix-memory-leaks-on-probe-failures.patch
 mm-call-free_folio-directly-in-folio_unmap_invalidat.patch
+crypto-algif_aead-snapshot-iv-for-async-aead-requests.patch
+crypto-pcrypt-fix-handling-of-may_backlog-requests.patch
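Review bot: The widened test `if (ret == -EINPROGRESS || ret == -EBUSY) return;` in `pcrypt_aead_enc()` and, identically, in `pcrypt_aead_dec()` treats every -EBUSY as "backlogged, a completion will follow", but nothing visible in these hunks checks that the request actually carried the MAY_BACKLOG flag. If an underlying AEAD returned -EBUSY without queueing the request, `padata_do_serial()` would presumably never run for it and the request would not complete, so the assumption deserves a comment such as `/* -EBUSY: backlogged; pcrypt_aead_done() reports the final status */`. The new early return in `pcrypt_aead_done()` would likewise read better with `/* backlog start notification; the real completion comes later */`. All three functions extend beyond the quoted hunks.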