CVE-2026-46081

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> crypto: acomp - fix wrong pointer stored by acomp_save_req()<br /> <br /> acomp_save_req() stores &amp;req-&gt;chain in req-&gt;base.data. When<br /> acomp_reqchain_done() is invoked on asynchronous completion, it receives<br /> &amp;req-&gt;chain as the data argument but casts it directly to struct<br /> acomp_req. Since data points to the chain member, all subsequent field<br /> accesses are at a wrong offset, resulting in memory corruption.<br /> <br /> The issue occurs when an asynchronous hardware implementation, such as<br /> the QAT driver, completes a request that uses the DMA virtual address<br /> interface (e.g. acomp_request_set_src_dma()). This combination causes<br /> crypto_acomp_compress() to enter the acomp_do_req_chain() path, which<br /> sets acomp_reqchain_done() as the completion callback via<br /> acomp_save_req().<br /> <br /> With KASAN enabled, this manifests as a general protection fault in<br /> acomp_reqchain_done():<br /> <br /> general protection fault, probably for non-canonical address 0xe000040000000000<br /> KASAN: probably user-memory-access in range [0x0000400000000000-0x0000400000000007]<br /> RIP: 0010:acomp_reqchain_done+0x15b/0x4e0<br /> Call Trace:<br /> <br /> qat_comp_alg_callback+0x5d/0xa0 [intel_qat]<br /> adf_ring_response_handler+0x376/0x8b0 [intel_qat]<br /> adf_response_handler+0x60/0x170 [intel_qat]<br /> tasklet_action_common+0x223/0x820<br /> handle_softirqs+0x1ab/0x640<br /> <br /> <br /> Fix this by storing the request itself in req-&gt;base.data instead of<br /> &amp;req-&gt;chain, so that acomp_reqchain_done() receives the correct pointer.<br /> Simplify acomp_restore_req() accordingly to access req-&gt;chain directly.