linux.git/crypto, branch master Linux kernel source tree Merge tag 'v7.0-p4' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6 2026-04-03T00:29:48+00:00 Linus Torvalds torvalds@linux-foundation.org 2026-04-03T00:29:48+00:00 5a9617dde77d0777b53f0af7dee58109650bda41 Pull crypto fixes from Herbert Xu: - Add missing async markers to tegra - Fix long hmac key DMA handling in caam - Fix spurious ENOSPC errors in deflate - Fix SG chaining in af_alg - Do not use in-place process in algif_aead - Fix out-of-place destination overflow in authencesn * tag 'v7.0-p4' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6: crypto: authencesn - Do not place hiseq at end of dst for out-of-place decryption crypto: algif_aead - Revert to operating out-of-place crypto: af-alg - fix NULL pointer dereference in scatterwalk crypto: deflate - fix spurious -ENOSPC crypto: caam - fix overflow on long hmac keys crypto: caam - fix DMA corruption on long hmac keys crypto: tegra - Add missing CRYPTO_ALG_ASYNC 
Pull crypto fixes from Herbert Xu:

 - Add missing async markers to tegra

 - Fix long hmac key DMA handling in caam

 - Fix spurious ENOSPC errors in deflate

 - Fix SG chaining in af_alg

 - Do not use in-place process in algif_aead

 - Fix out-of-place destination overflow in authencesn

* tag 'v7.0-p4' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6:
  crypto: authencesn - Do not place hiseq at end of dst for out-of-place decryption
  crypto: algif_aead - Revert to operating out-of-place
  crypto: af-alg - fix NULL pointer dereference in scatterwalk
  crypto: deflate - fix spurious -ENOSPC
  crypto: caam - fix overflow on long hmac keys
  crypto: caam - fix DMA corruption on long hmac keys
  crypto: tegra - Add missing CRYPTO_ALG_ASYNC
crypto: authencesn - Do not place hiseq at end of dst for out-of-place decryption 2026-03-31T08:11:48+00:00 Herbert Xu herbert@gondor.apana.org.au 2026-03-27T06:04:17+00:00 e02494114ebf7c8b42777c6cd6982f113bfdbec7 When decrypting data that is not in-place (src != dst), there is no need to save the high-order sequence bits in dst as it could simply be re-copied from the source. However, the data to be hashed need to be rearranged accordingly. Reported-by: Taeyang Lee <0wn@theori.io> Fixes: 104880a6b470 ("crypto: authencesn - Convert to new AEAD interface") Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Thanks, Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> 
When decrypting data that is not in-place (src != dst), there is
no need to save the high-order sequence bits in dst as it could
simply be re-copied from the source.

However, the data to be hashed need to be rearranged accordingly.

Reported-by: Taeyang Lee <0wn@theori.io>
Fixes: 104880a6b470 ("crypto: authencesn - Convert to new AEAD interface")
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>

Thanks,

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
crypto: algif_aead - Revert to operating out-of-place 2026-03-31T08:11:47+00:00 Herbert Xu herbert@gondor.apana.org.au 2026-03-26T06:30:20+00:00 a664bf3d603dc3bdcf9ae47cc21e0daec706d7a5 This mostly reverts commit 72548b093ee3 except for the copying of the associated data. There is no benefit in operating in-place in algif_aead since the source and destination come from different mappings. Get rid of all the complexity added for in-place operation and just copy the AD directly. Fixes: 72548b093ee3 ("crypto: algif_aead - copy AAD from src to dst") Reported-by: Taeyang Lee <0wn@theori.io> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> 
This mostly reverts commit 72548b093ee3 except for the copying of
the associated data.

There is no benefit in operating in-place in algif_aead since the
source and destination come from different mappings.  Get rid of
all the complexity added for in-place operation and just copy the
AD directly.

Fixes: 72548b093ee3 ("crypto: algif_aead - copy AAD from src to dst")
Reported-by: Taeyang Lee <0wn@theori.io>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
crypto: af-alg - fix NULL pointer dereference in scatterwalk 2026-03-26T09:10:58+00:00 Norbert Szetei norbert@doyensec.com 2026-03-25T17:26:13+00:00 62397b493e14107ae82d8b80938f293d95425bcb The AF_ALG interface fails to unmark the end of a Scatter/Gather List (SGL) when chaining a new af_alg_tsgl structure. If a sendmsg() fills an SGL exactly to MAX_SGL_ENTS, the last entry is marked as the end. A subsequent sendmsg() allocates a new SGL and chains it, but fails to clear the end marker on the previous SGL's last data entry. This causes the crypto scatterwalk to hit a premature end, returning NULL on sg_next() and leading to a kernel panic during dereference. Fix this by explicitly unmarking the end of the previous SGL when performing sg_chain() in af_alg_alloc_tsgl(). Fixes: 8ff590903d5f ("crypto: algif_skcipher - User-space interface for skcipher operations") Signed-off-by: Norbert Szetei <norbert@doyensec.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> 
The AF_ALG interface fails to unmark the end of a Scatter/Gather List (SGL)
when chaining a new af_alg_tsgl structure. If a sendmsg() fills an SGL
exactly to MAX_SGL_ENTS, the last entry is marked as the end. A subsequent
sendmsg() allocates a new SGL and chains it, but fails to clear the end
marker on the previous SGL's last data entry.

This causes the crypto scatterwalk to hit a premature end, returning NULL
on sg_next() and leading to a kernel panic during dereference.

Fix this by explicitly unmarking the end of the previous SGL when
performing sg_chain() in af_alg_alloc_tsgl().

Fixes: 8ff590903d5f ("crypto: algif_skcipher - User-space interface for skcipher operations")
Signed-off-by: Norbert Szetei <norbert@doyensec.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
crypto: deflate - fix spurious -ENOSPC 2026-03-26T09:10:58+00:00 Mikulas Patocka mpatocka@redhat.com 2026-03-25T15:31:38+00:00 6d89f743e57cb34e233a8217b394c7ee09abf225 The code in deflate_decompress_one may erroneously return -ENOSPC even if it didn't run out of output space. The error happens under this condition: - Suppose that there are two input pages, the compressed data fits into the first page and the zlib checksum is placed in the second page. - The code iterates over the first page, decompresses the data and fully fills the destination buffer, zlib_inflate returns Z_OK becuse zlib hasn't seen the checksum yet. - The outer do-while loop is iterated again, acomp_walk_next_src sets the input parameters to the second page containing the checksum. - We go into the inner do-while loop, execute "dcur = acomp_walk_next_dst(&walk);". "dcur" is zero, so we break out of the loop and return -ENOSPC, despite the fact that the decompressed data fit into the destination buffer. In order to fix this bug, this commit changes the logic when to report the -ENOSPC error. We report the error if the destination buffer is empty *and* if zlib_inflate didn't make any progress consuming the input buffer. If zlib_inflate consumes the trailing checksum, we see that it made progress and we will not return -ENOSPC. Fixes: 08cabc7d3c86 ("crypto: deflate - Convert to acomp") Signed-off-by: Mikulas Patocka <mpatocka@redhat.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> 
The code in deflate_decompress_one may erroneously return -ENOSPC even if
it didn't run out of output space. The error happens under this
condition:

- Suppose that there are two input pages, the compressed data fits into
  the first page and the zlib checksum is placed in the second page.

- The code iterates over the first page, decompresses the data and fully
  fills the destination buffer, zlib_inflate returns Z_OK becuse zlib
  hasn't seen the checksum yet.

- The outer do-while loop is iterated again, acomp_walk_next_src sets the
  input parameters to the second page containing the checksum.

- We go into the inner do-while loop, execute "dcur =
  acomp_walk_next_dst(&walk);". "dcur" is zero, so we break out of the
  loop and return -ENOSPC, despite the fact that the decompressed data
  fit into the destination buffer.

In order to fix this bug, this commit changes the logic when to report
the -ENOSPC error. We report the error if the destination buffer is empty
*and* if zlib_inflate didn't make any progress consuming the input
buffer. If zlib_inflate consumes the trailing checksum, we see that it
made progress and we will not return -ENOSPC.

Fixes: 08cabc7d3c86 ("crypto: deflate - Convert to acomp")
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
crypto: testmgr - Fix stale references to aes-generic 2026-03-03T19:57:15+00:00 Eric Biggers ebiggers@kernel.org 2026-03-02T23:48:56+00:00 3875ceb592d3cb23dc932165cc1eeb74cf4dc319 Due to commit a2484474272e ("crypto: aes - Replace aes-generic with wrapper around lib"), the "aes-generic" driver name has been replaced with "aes-lib". Update a couple testmgr entries that were added concurrently with this change. Fixes: a22d48cbe558 ("crypto: testmgr - Add test vectors for authenc(hmac(sha224),cbc(aes))") Fixes: 030218dedee2 ("crypto: testmgr - Add test vectors for authenc(hmac(sha384),cbc(aes))") Acked-by: Aleksander Jan Bajkowski <olek2@wp.pl> Link: https://lore.kernel.org/r/20260302234856.30569-1-ebiggers@kernel.org Signed-off-by: Eric Biggers <ebiggers@kernel.org> 
Due to commit a2484474272e ("crypto: aes - Replace aes-generic with
wrapper around lib"), the "aes-generic" driver name has been replaced
with "aes-lib".  Update a couple testmgr entries that were added
concurrently with this change.

Fixes: a22d48cbe558 ("crypto: testmgr - Add test vectors for authenc(hmac(sha224),cbc(aes))")
Fixes: 030218dedee2 ("crypto: testmgr - Add test vectors for authenc(hmac(sha384),cbc(aes))")
Acked-by: Aleksander Jan Bajkowski <olek2@wp.pl>
Link: https://lore.kernel.org/r/20260302234856.30569-1-ebiggers@kernel.org
Signed-off-by: Eric Biggers <ebiggers@kernel.org>
crypto: Clean up help text for CRYPTO_CRC32 2026-03-02T23:35:26+00:00 Geert Uytterhoeven geert+renesas@glider.be 2026-02-26T14:46:09+00:00 f33ac74f9cc1cdadd3921246832b2084a5dec53a F2fs and RoCEv2 stopped using this CRC32 implementation in commits 3ca4bec40ee211cd ("f2fs: switch to using the crc32 library") and ccca5e8aa1457231 ("RDMA/rxe: switch to using the crc32 library"). Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be> Link: https://lore.kernel.org/r/0f76ebf05bb1b6ca50db97988f9ac20944534b4c.1772116160.git.geert+renesas@glider.be Signed-off-by: Eric Biggers <ebiggers@kernel.org> 
F2fs and RoCEv2 stopped using this CRC32 implementation in commits
3ca4bec40ee211cd ("f2fs: switch to using the crc32 library") and
ccca5e8aa1457231 ("RDMA/rxe: switch to using the crc32 library").

Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
Link: https://lore.kernel.org/r/0f76ebf05bb1b6ca50db97988f9ac20944534b4c.1772116160.git.geert+renesas@glider.be
Signed-off-by: Eric Biggers <ebiggers@kernel.org>
crypto: Clean up help text for CRYPTO_CRC32C 2026-03-02T23:35:26+00:00 Geert Uytterhoeven geert+renesas@glider.be 2026-02-26T14:46:08+00:00 0ef6eb10f2e0fe38bb795b2ecdb01b8c9b536ea8 Ext4, jbd2, iSCSI, NVMeoF/TCP, and Btrfs stopped using this CRC32c implementation in commits f2b4fa19647e18a2 ("ext4: switch to using the crc32c library"), dd348f054b24a3f5 ("jbd2: switch to using the crc32c library"), 92186c1455a2d356 ("scsi: iscsi_tcp: Switch to using the crc32c library"), 427fff9aff295e2c ("nvme-tcp: use crc32c() and skb_copy_and_crc32c_datagram_iter()"), and fe11ac191ce0ad91 ("btrfs: switch to library APIs for checksums"). Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be> Link: https://lore.kernel.org/r/f567add7840bc612382237b3e76f3a8bdbd671e6.1772116160.git.geert+renesas@glider.be Signed-off-by: Eric Biggers <ebiggers@kernel.org> 
Ext4, jbd2, iSCSI, NVMeoF/TCP, and Btrfs stopped using this CRC32c
implementation in commits f2b4fa19647e18a2 ("ext4: switch to using the
crc32c library"), dd348f054b24a3f5 ("jbd2: switch to using the crc32c
library"), 92186c1455a2d356 ("scsi: iscsi_tcp: Switch to using the
crc32c library"), 427fff9aff295e2c ("nvme-tcp: use crc32c() and
skb_copy_and_crc32c_datagram_iter()"), and fe11ac191ce0ad91 ("btrfs:
switch to library APIs for checksums").

Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
Link: https://lore.kernel.org/r/f567add7840bc612382237b3e76f3a8bdbd671e6.1772116160.git.geert+renesas@glider.be
Signed-off-by: Eric Biggers <ebiggers@kernel.org>
crypto: Clean up help text for CRYPTO_XXHASH 2026-03-02T23:35:26+00:00 Geert Uytterhoeven geert+renesas@glider.be 2026-02-26T14:46:07+00:00 a9ad29b7ad6c5e36ffa543ceb3c4439e63186339 Btrfs stopped using this xxHash implementation in commit fe11ac191ce0ad91 ("btrfs: switch to library APIs for checksums"). Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be> Link: https://lore.kernel.org/r/3b632975201074ccaa129f4901a66aff87b19742.1772116160.git.geert+renesas@glider.be Signed-off-by: Eric Biggers <ebiggers@kernel.org> 
Btrfs stopped using this xxHash implementation in commit
fe11ac191ce0ad91 ("btrfs: switch to library APIs for checksums").

Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
Link: https://lore.kernel.org/r/3b632975201074ccaa129f4901a66aff87b19742.1772116160.git.geert+renesas@glider.be
Signed-off-by: Eric Biggers <ebiggers@kernel.org>
crypto: Clean up help text for CRYPTO_SHA256 2026-03-02T23:35:26+00:00 Geert Uytterhoeven geert+renesas@glider.be 2026-02-26T14:46:06+00:00 a70d9d655fd0549dd7cd9de437eb3fbe2e78c8ab NFS, Ceph, SMB, and Btrfs stopped using this SHA-256 implementation in commits c2c90a8b2620626c ("nfsd: use SHA-256 library API instead of crypto_shash API"), 27c0a7b05d13a0dc ("libceph: Use HMAC-SHA256 library instead of crypto_shash"), 924067ef183bd17f ("ksmbd: Use HMAC-SHA256 library for message signing and key generation"), and fe11ac191ce0ad91 ("btrfs: switch to library APIs for checksums"). Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be> Link: https://lore.kernel.org/r/bf8e1c229b36fc5349e29701e962d0dfd4fd21b6.1772116160.git.geert+renesas@glider.be Signed-off-by: Eric Biggers <ebiggers@kernel.org> 
NFS, Ceph, SMB, and Btrfs stopped using this SHA-256 implementation in
commits c2c90a8b2620626c ("nfsd: use SHA-256 library API instead of
crypto_shash API"), 27c0a7b05d13a0dc ("libceph: Use HMAC-SHA256 library
instead of crypto_shash"), 924067ef183bd17f ("ksmbd: Use HMAC-SHA256
library for message signing and key generation"), and fe11ac191ce0ad91
("btrfs: switch to library APIs for checksums").

Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
Link: https://lore.kernel.org/r/bf8e1c229b36fc5349e29701e962d0dfd4fd21b6.1772116160.git.geert+renesas@glider.be
Signed-off-by: Eric Biggers <ebiggers@kernel.org>