Pavel Skripkin <paskripkin@xxxxxxxxx> wrote:

> Syzbot was able to trigger use of uninitialized memory in
> af_alg_free_resources.
>
> The bug is caused by missing initialization of rsgl->sgl.need_unpin before
> adding to rsgl_list. Then, in case of extract_iter_to_sg() failure, rsgl
> is left with an uninitialized need_unpin, which is read during cleanup.

Looks feasible :-).

> +	rsgl->sgl.need_unpin = 0;
> +

The blank line isn't really necessary and it's a bool, so can you use
'false' rather than '0'?

Alternatively, it might be better to move:

	rsgl->sgl.need_unpin = iov_iter_extract_will_pin(&msg->msg_iter);

up instead.

David
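Review bot: Initializing need_unpin to a definite false before the rsgl is added to rsgl_list is the safe direction for the error path: if extract_iter_to_sg() fails, af_alg_free_resources() then skips the unpin instead of acting on an indeterminate value, and on the success path the field is overwritten by the later `rsgl->sgl.need_unpin = iov_iter_extract_will_pin(&msg->msg_iter);` assignment. Whichever variant is chosen (the explicit false, or hoisting that assignment above the list add), the key property to preserve is that every rsgl on the list has need_unpin set before any path can reach the cleanup.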