[PATCH v2] staging: vc04_services: rework ioctl code path
Dan Carpenter
dan.carpenter at oracle.com
Mon Nov 14 01:48:57 PST 2016
On Thu, Nov 10, 2016 at 10:15:31PM -0800, Michael Zoran wrote:
> +static void *
> +vchiq_ioctl_kmalloc(struct vchiq_ioctl_call_context *ctxt, size_t size)
> +{
> + void *mem;
> +
> + if (!ctxt->stackmem_used && size < sizeof(ctxt->stackmem)) {
> + ctxt->stackmem_used = true;
> + return ctxt->stackmem;
> + }
> +
> + mem = kmalloc(size + sizeof(void *), GFP_KERNEL);
This is a potential integer overflow leading to corruption. I don't
understand why we need this complicated memory management anyway...
> + if (!mem)
> + return NULL;
> +
> + *(void **)mem = ctxt->prev_kmalloc;
> + ctxt->prev_kmalloc = mem;
> +
> + return mem + sizeof(void *);
> +}
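Review bot: the `size + sizeof(void *)` in the kmalloc call can wrap when `size` comes from a caller-controlled ioctl argument, so the allocation ends up smaller than `size` and the caller then writes past it; bound `size` against a sane maximum (or use an overflow-checked add such as `check_add_overflow()`) before the `kmalloc(size + sizeof(void *), GFP_KERNEL)` line, and note that because the returned pointer is `mem + sizeof(void *)`, the release path that walks `ctxt->prev_kmalloc` must pass the original `mem`, not the returned pointer, to kfree.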
regards,
dan carpenter