Sven Schnelle <svens@xxxxxxxxxxxxx> wrote:
>
> I looked into this issue. What syzkaller is doing is opening an AF_ALG
> socket, and sending a large message which will eventually end in -EFAULT.
> Looking at the code in crypto/algif_hash.c I see that hash_sendmsg is
> calling extract_iter_to_sg() -> extract_user_to_sg(). In the -EFAULT
> case, this function is calling put_page(), which looks like a leftover
> from the old pinning interface. I think this should be an
> unpin_user_page() call now.
>
> However, hash_sendmsg() also unpins via af_alg_free_sg() in the error
> path. From an API perspective, I would prefer if extract_user_to_sg()
> does the unpinning on error. Any thoughts?

Good catch, thanks. I'll whip up a patch or two for it.

David
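The accounting mismatch Sven describes, as an added illustration that is not part of the thread and not kernel code: a simplified user-space model where a page carries a plain reference count and a separate pin count. Pins taken through the pin_user_pages() interface must be returned through unpin_user_page(); releasing them with put_page() balances the reference but leaves the pin outstanding, and having both the callee's error path and the caller's free path release the same pages underflows the reference count instead. The `model_*` helpers, the `extract_with_fault()` stand-in and the `run_*` scenarios are assumptions of this example; the real kernel folds pins into the refcount for small pages and keeps a distinct pin counter only for large folios, but the pairing rule is the same.

```c
#include <stddef.h>
#include <stdio.h>

/* Simplified model of a kernel page with two counters (added example,
 * not kernel code). */
struct page {
    int refcount;   /* ordinary references (get_page/put_page) */
    int pincount;   /* FOLL_PIN references (pin_user_pages/unpin_user_page) */
};

enum { NPAGES = 4 };

/* Model of pin_user_pages(): takes a reference and a pin. */
static void model_pin(struct page *p)      { p->refcount++; p->pincount++; }
/* Model of put_page(): drops the reference only; the pin is left behind. */
static void model_put_page(struct page *p) { p->refcount--; }
/* Model of unpin_user_page(): drops the pin and the reference it carried. */
static void model_unpin(struct page *p)    { p->pincount--; p->refcount--; }

/* Stand-in for extract_user_to_sg(): pins the first n_ok pages, then hits
 * a simulated -EFAULT and releases them with the given release function. */
static int extract_with_fault(struct page *pages, size_t n_ok,
                              void (*release)(struct page *))
{
    for (size_t i = 0; i < n_ok; i++)
        model_pin(&pages[i]);
    /* -EFAULT: undo exactly what this call pinned. */
    for (size_t i = 0; i < n_ok; i++)
        release(&pages[i]);
    return -14;  /* -EFAULT */
}

/* Pins still outstanding after cleanup; nonzero means a leaked pin. */
static int leaked_pins(const struct page *pages, size_t n)
{
    int total = 0;
    for (size_t i = 0; i < n; i++)
        total += pages[i].pincount;
    return total;
}

/* Pages whose refcount went below zero; nonzero means a double release. */
static int underflowed_pages(const struct page *pages, size_t n)
{
    int count = 0;
    for (size_t i = 0; i < n; i++)
        if (pages[i].refcount < 0)
            count++;
    return count;
}

/* Error path releases with put_page(): refcounts balance but pins leak. */
static int run_put_page_cleanup(void)
{
    struct page pages[NPAGES] = {0};
    extract_with_fault(pages, 2, model_put_page);
    return leaked_pins(pages, NPAGES);  /* 2 */
}

/* Error path releases with unpin_user_page(): everything balances. */
static int run_unpin_cleanup(void)
{
    struct page pages[NPAGES] = {0};
    extract_with_fault(pages, 2, model_unpin);
    return leaked_pins(pages, NPAGES);  /* 0 */
}

/* Callee unpins on error and the caller's free path unpins the same pages
 * again (both extract_user_to_sg() and af_alg_free_sg() cleaning up):
 * refcounts underflow, which is how a page gets freed while still in use. */
static int run_double_cleanup(void)
{
    struct page pages[NPAGES] = {0};
    extract_with_fault(pages, 2, model_unpin);
    for (size_t i = 0; i < 2; i++)   /* caller's cleanup of the same pages */
        model_unpin(&pages[i]);
    return underflowed_pages(pages, NPAGES);  /* 2 */
}

int main(void)
{
    printf("put_page cleanup leaks %d pin(s)\n", run_put_page_cleanup());
    printf("unpin cleanup leaks %d pin(s)\n", run_unpin_cleanup());
    printf("double cleanup underflows %d page(s)\n", run_double_cleanup());
    return 0;
}
```

The three scenarios map onto the thread: the first is the current put_page() leftover, the second is the proposed unpin_user_page() fix, and the third is why the ownership question (callee or caller unpins on error, never both) has to be settled at the same time.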