2015-12-06 03:40:25

by Sasha Levin

Subject: Re: [PATCH v4 01/11] stm class: Introduce an abstraction for System Trace Module devices

On 09/22/2015 08:47 AM, Alexander Shishkin wrote:
> +static ssize_t stm_char_write(struct file *file, const char __user *buf,
> + size_t count, loff_t *ppos)
> +{
> + struct stm_file *stmf = file->private_data;
> + struct stm_device *stm = stmf->stm;
> + char *kbuf;
> + int err;
> +
> + /*
> + * if no m/c have been assigned to this writer up to this
> + * point, use "default" policy entry
> + */
> + if (!stmf->output.nr_chans) {
> + err = stm_file_assign(stmf, "default", 1);
> + /*
> + * EBUSY means that somebody else just assigned this
> + * output, which is just fine for write()
> + */
> + if (err && err != -EBUSY)
> + return err;
> + }
> +
> + kbuf = kmalloc(count + 1, GFP_KERNEL);
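
Review bot: `kmalloc(count + 1, GFP_KERNEL)` uses `count` exactly as it arrives in the write() arguments; nothing between the `nr_chans` check and this line bounds it. That lets the caller choose the allocation size, and `count + 1` wraps to 0 when `count` is the maximum `size_t` value. Clamp `count` to a fixed upper limit before the allocation and return the number of bytes actually consumed, so that a larger request becomes a short write.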

This bit allows for user-controllable kmalloc() allocation lengths, including
a possible overflow.


Thanks,
Sasha
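
The wrap-around Sasha describes, as an added example that is not part of the original message or of the patch: a userspace C model of the `count + 1` length computation next to a clamped version. `WRITE_MAX` and all function names are assumptions made for this example, and `malloc()` stands in for `kmalloc()`.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed per-write cap, chosen for this example; not taken from the patch. */
#define WRITE_MAX 4096u

/* Length computation as in the quoted hunk: caller-supplied count plus one. */
static size_t unchecked_alloc_len(size_t count)
{
	return count + 1;		/* wraps to 0 when count == SIZE_MAX */
}

/* Clamp first, so the +1 cannot wrap and the size never exceeds WRITE_MAX. */
static size_t bounded_alloc_len(size_t count)
{
	if (count > WRITE_MAX - 1)
		count = WRITE_MAX - 1;
	return count + 1;
}

/*
 * Userspace stand-in for the write path (hypothetical helper): copies at most
 * WRITE_MAX - 1 bytes from src, which must hold at least count bytes, and
 * returns how many were consumed, like a short write(). Returns -1 on ENOMEM.
 */
static long bounded_write(const char *src, size_t count, char **out)
{
	size_t len = bounded_alloc_len(count);
	char *kbuf = malloc(len);
	if (!kbuf)
		return -1;
	memcpy(kbuf, src, len - 1);
	kbuf[len - 1] = '\0';
	*out = kbuf;
	return (long)(len - 1);
}

int main(void)
{
	static char src[8192];		/* constructed input */
	char *out = NULL;
	memset(src, 'A', sizeof(src));
	printf("unchecked len for SIZE_MAX: %zu\n", unchecked_alloc_len(SIZE_MAX));
	printf("bounded len for SIZE_MAX:   %zu\n", bounded_alloc_len(SIZE_MAX));
	printf("consumed: %ld\n", bounded_write(src, sizeof(src), &out));
	free(out);
	return 0;
}
```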