A crypto module loading vulnerability
Posted Feb 8, 2015 4:44 UTC (Sun) by viro (subscriber, #7872)
In reply to: A crypto module loading vulnerability by scientes
Parent article: A crypto module loading vulnerability
Yes, its ->sendmsg() wants to play with get_user_pages_fast() (or iov_iter_get_pages() these days) and that just doesn't work for kernel pages. FWIW, we probably could teach iov_iter_get_pages() to work with ITER_BVEC - pages in these guys _are_ refcounted in normal fashion, so splice() could be doable. kernel_sendmsg(), OTOH, is probably hopeless...
