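Here's a reduced testcase for this. The key seems to be passing MSG_MORE to sendmsg() and then not following up with more data before calling recvmsg(). Apart from not oopsing, I wonder what the behaviour should be here? Should recvmsg() return an error (EAGAIN or ENODATA maybe) or should it close the existing operation?

David

---

// https://syzkaller.appspot.com/bug?id=f5d9d503fe959e3b605abdaeedb39b072556281a
// autogenerated by syzkaller (https://github.com/google/syzkaller)
//
// Reduced AF_ALG reproducer: a zero-length sendmsg() with MSG_MORE on a
// "hash" socket, followed directly by recvmsg() without supplying any
// further data.

#define _GNU_SOURCE
#include <endian.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>
#include <linux/if_alg.h>

/* Abort with perror() if a syscall returned -1. */
#define OSERROR(R, S) do { if ((long)(R) == -1L) { perror((S)); exit(1); } } while (0)

int main(void)
{
	struct sockaddr_alg salg;
	struct msghdr msg;
	int algfd, hashfd, res;

	algfd = socket(AF_ALG, SOCK_SEQPACKET, 0);
	OSERROR(algfd, "socket");

	memset(&salg, 0, sizeof(salg));
	salg.salg_family = AF_ALG;
	/* Bounded copies into the fixed-size fields (zeroed above, so the
	 * result is always NUL-terminated). */
	snprintf((char *)salg.salg_type, sizeof(salg.salg_type), "%s", "hash");
	snprintf((char *)salg.salg_name, sizeof(salg.salg_name), "%s",
		 "digest_null-generic");
	res = bind(algfd, (struct sockaddr *)&salg, sizeof(salg));
	OSERROR(res, "bind/alg");

	hashfd = accept(algfd, NULL, NULL);
	OSERROR(hashfd, "accept/alg");

	/* The syzkaller original passed the literal fd 3 here; that is only
	 * the transform socket when fds 0-2 happen to be open at startup,
	 * so use algfd explicitly. */
	res = setsockopt(algfd, SOL_ALG, ALG_SET_KEY, NULL, 0);
	OSERROR(res, "setsockopt/ALG_SET_KEY");

	/* One empty msghdr (no iov, no control data) reused for both calls. */
	memset(&msg, 0, sizeof(msg));
	/* Start an operation that promises more data ... */
	res = sendmsg(hashfd, &msg, MSG_MORE);
	OSERROR(res, "sendmsg");
	/* ... then ask for the result without ever supplying that data. */
	res = recvmsg(hashfd, &msg, 0);
	OSERROR(res, "recvmsg");
	/* Make the observed outcome visible rather than silently exiting 0. */
	printf("recvmsg returned %d\n", res);

	close(hashfd);
	close(algfd);
	return 0;
}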