On Thu, Jul 14, 2022 at 10:17:05PM +0800, Ning Qiang wrote:
> In the vpe_write function of arch/mips/kernel/vpe.c, parameter "size_t
> count" is passed by userland, if "count" is very large, it will bypass
> the check of "if ((count + v->len) > v->plen)" (such as
> count=0xffffffffffffffff). Then it will lead to buffer overflow in
> "copy_from_user(v->pbuffer + v->len, buffer, count)".
>
> Signed-off-by: Ning Qiang <sohu0106@xxxxxxx>
> ---

Thanks!

Reviewed-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>

regards,
dan carpenter
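
The length check quoted in the commit message above, modelled in user space as an added example (not code from the patch or the kernel tree). The struct `vpe_model`, the function names and the sample values are constructed for illustration, and `rejects_safe` is one assumed overflow-safe form, not the fix the patch applies.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model of the two fields the commit message names. */
struct vpe_model {
    size_t len;   /* bytes already stored in pbuffer (v->len) */
    size_t plen;  /* allocated size of pbuffer (v->plen) */
};

/* The check as quoted in the commit message; true means the write is rejected. */
static bool rejects_quoted(const struct vpe_model *v, size_t count)
{
    /* size_t addition is modulo SIZE_MAX + 1, so the sum can wrap to a small value. */
    return (count + v->len) > v->plen;
}

/* Assumed overflow-safe form (not taken from the patch): compare count
 * against the space left, so no addition can wrap. */
static bool rejects_safe(const struct vpe_model *v, size_t count)
{
    if (v->len > v->plen)
        return true;              /* inconsistent state: refuse */
    return count > v->plen - v->len;
}

int main(void)
{
    /* Constructed values: 16 bytes already buffered in a 4096-byte buffer. */
    struct vpe_model v = { .len = 16, .plen = 4096 };
    size_t counts[] = { 4080, 4081, SIZE_MAX };

    for (size_t i = 0; i < sizeof(counts) / sizeof(counts[0]); i++)
        printf("count=%zu quoted=%s safe=%s\n", counts[i],
               rejects_quoted(&v, counts[i]) ? "reject" : "accept",
               rejects_safe(&v, counts[i]) ? "reject" : "accept");
    return 0;
}
```

Both forms agree for in-range values of `count`; they differ only when `count + v->len` exceeds `SIZE_MAX`, where the quoted check accepts the write and the subtraction-based check rejects it.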