Hello Jade Bilkey, The patch db906eb2101b: "ath5k: added debugfs file for dumping eeprom" from Aug 30, 2014, leads to the following static checker warning: drivers/net/wireless/ath/ath5k/debug.c:942 open_file_eeprom() error: buffer overflow 'buf' 2048 <= 4095 drivers/net/wireless/ath/ath5k/debug.c 905 static int open_file_eeprom(struct inode *inode, struct file *file) 906 { 907 struct eeprom_private *ep; 908 struct ath5k_hw *ah = inode->i_private; 909 bool res; 910 int i, ret; 911 u32 eesize; 912 u16 val, *buf; ^^^ buf is type u16. 913 914 /* Get eeprom size */ 915 916 res = ath5k_hw_nvram_read(ah, AR5K_EEPROM_SIZE_UPPER, &val); 917 if (!res) 918 return -EACCES; 919 920 if (val == 0) { 921 eesize = AR5K_EEPROM_INFO_MAX + AR5K_EEPROM_INFO_BASE; 922 } else { 923 eesize = (val & AR5K_EEPROM_SIZE_UPPER_MASK) << 924 AR5K_EEPROM_SIZE_ENDLOC_SHIFT; 925 ath5k_hw_nvram_read(ah, AR5K_EEPROM_SIZE_LOWER, &val); 926 eesize = eesize | val; 927 } 928 929 if (eesize > 4096) 930 return -EINVAL; 931 932 /* Create buffer and read in eeprom */ 933 934 buf = vmalloc(eesize); ^^^^^^ eesize is in bytes. 935 if (!buf) { 936 ret = -ENOMEM; 937 goto err; 938 } 939 940 for (i = 0; i < eesize; ++i) { 941 AR5K_EEPROM_READ(i, val); 942 buf[i] = val; We are writing u16 but the for loop limit is in terms of bytes so this loop will corrupt memory past the end of the buffer. 943 } 944 regards, dan carpenter -- To unsubscribe from this list: send the line "unsubscribe linux-wireless" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html