On Thu, Nov 10, 2016 at 10:15:31PM -0800, Michael Zoran wrote:
> +static void *
> +vchiq_ioctl_kmalloc(struct vchiq_ioctl_call_context *ctxt, size_t size)
> +{
> +     void *mem;
> +
> +     if (!ctxt->stackmem_used && size < sizeof(ctxt->stackmem)) {
> +             ctxt->stackmem_used = true;
> +             return ctxt->stackmem;
> +     }
> +
> +     mem = kmalloc(size + sizeof(void *), GFP_KERNEL);

This is a potential integer overflow leading to corruption.  I don't
understand why we need this complicated memory management anyway...

> +     if (!mem)
> +             return NULL;
> +
> +     *(void **)mem = ctxt->prev_kmalloc;
> +     ctxt->prev_kmalloc = mem;
> +
> +     return mem + sizeof(void *);
> +}
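Review bot: the `size + sizeof(void *)` passed to kmalloc() has no overflow check, so a `size` within `sizeof(void *)` of SIZE_MAX wraps to a tiny allocation, and the header store `*(void **)mem = ctxt->prev_kmalloc;` plus the caller's use of the returned buffer then write past it; reject such sizes before the call, e.g. `if (size > SIZE_MAX - sizeof(void *)) return NULL;`, or better, cap `size` at the largest value the ioctl actually needs. The function also deserves a comment that the value it returns is `mem + sizeof(void *)`, not the kmalloc() pointer, so it must never be handed to kfree() directly; walking the header chain through `ctxt->prev_kmalloc` is the only correct way to release it.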

regards,
dan carpenter
_______________________________________________
devel mailing list
de...@linuxdriverproject.org
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel
