From the Red Hat bugzilla entries [1, 2]:
The ghash_update function passes a pointer to gf128mul_4k_lle which will be
NULL if ghash_setkey is not called or if the most recent call to ghash_setkey
failed to allocate memory. This causes an oops. Fix this up by returning an
error code in the null case.
This is trivially triggered from unprivileged userspace through the AF_ALG
interface by simply writing to the socket without setting a key.
The ghash_final function has a similar issue, but triggering it requires a
memory allocation failure in ghash_setkey _after_ at least one successful call
CVE-2011-4077: A flaw was found in the way Linux kernel's XFS filesystem implementation
handled links with pathname larger than MAXPATHLEN. When CONFIG_XFS_DEBUG
configuration option was not enabled when compiling Linux kernel, an attacker
able to mount malicious XFS image could use this flaw to crash the system, or
potentially, elevate his privileges on that system.