Commit 9574b233 authored by Herbert Xu

crypto: af_alg - Set merge to zero early in af_alg_sendmsg



If an error causes af_alg_sendmsg to abort, ctx->merge may contain
a garbage value from the previous loop.  This may then trigger a
crash on the next entry into af_alg_sendmsg when it attempts to do
a merge that can't be done.

Fix this by setting ctx->merge to zero near the start of the loop.

Fixes: 8ff59090 ("crypto: algif_skcipher - User-space interface for skcipher operations")
Reported-by: Muhammad Alifa Ramdhan <ramdhan@starlabs.sg>
Reported-by: Bing-Jhong Billy Jheng <billy@starlabs.sg>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
parent 46834d90
+2 −1
@@ -1019,6 +1019,8 @@ int af_alg_sendmsg(struct socket *sock, struct msghdr *msg, size_t size,
			continue;
		}

		ctx->merge = 0;

		if (!af_alg_writable(sk)) {
			err = af_alg_wait_for_wmem(sk, msg->msg_flags);
			if (err)
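
Review bot: the new `ctx->merge = 0;` ahead of `if (!af_alg_writable(sk))` has no comment, so it reads as a stray assignment that a later cleanup could move back down. A one-line comment saying it is cleared here so that an early exit, such as the `if (err)` path after af_alg_wait_for_wmem(), cannot leave a stale value for the next call into af_alg_sendmsg would protect it. The reset also sits after the block that ends in `continue`, so the code before it in the loop still sees the value left by the previous call or iteration; if that is intended, the comment should say so.
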
@@ -1058,7 +1060,6 @@ int af_alg_sendmsg(struct socket *sock, struct msghdr *msg, size_t size,
			ctx->used += plen;
			copied += plen;
			size -= plen;
			ctx->merge = 0;
		} else {
			do {
				struct page *pg;
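
Review bot: dropping `ctx->merge = 0;` after `size -= plen;` is only correct while the reset added earlier in the loop runs before this branch on every iteration, and nothing at this site records that dependency. Please confirm that the `else` path, which is cut off in this hunk after `struct page *pg;`, still assigns ctx->merge itself wherever it needs a non-zero value, since it now starts from zero on every pass.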