crypto: af_alg - Set merge to zero early in af_alg_sendmsg

herbertx · gregkh · commit 6241b9e2809b · 2025-09-25T10:58:54.000+02:00
[ Upstream commit 9574b23 ] If an error causes af_alg_sendmsg to abort, ctx->merge may contain a garbage value from the previous loop. This may then trigger a crash on the next entry into af_alg_sendmsg when it attempts to do a merge that can't be done. Fix this by setting ctx->merge to zero near the start of the loop. Fixes: 8ff5909 ("crypto: algif_skcipher - User-space interface for skcipher operations") Reported-by: Muhammad Alifa Ramdhan <ramdhan@starlabs.sg> Reported-by: Bing-Jhong Billy Jheng <billy@starlabs.sg> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: Sasha Levin <sashal@kernel.org>
diff --git a/crypto/af_alg.c b/crypto/af_alg.c
@@ -908,6 +908,8 @@ int af_alg_sendmsg(struct socket *sock, struct msghdr *msg, size_t size,
 			continue;
 		}
 
+		ctx->merge = 0;
+
 		if (!af_alg_writable(sk)) {
 			err = af_alg_wait_for_wmem(sk, msg->msg_flags);
 			if (err)

Original file line number	Diff line number	Diff line change
`@@ -908,6 +908,8 @@ int af_alg_sendmsg(struct socket sock, struct msghdr msg, size_t size,`
`908`	`908`	`continue;`
`909`	`909`	`}`
`910`	`910`
	`911`	`+ ctx->merge = 0;`
	`912`	`+`
`911`	`913`	`if (!af_alg_writable(sk)) {`
`912`	`914`	`err = af_alg_wait_for_wmem(sk, msg->msg_flags);`
`913`	`915`	`if (err)`