On Mon, 2017-10-09 at 13:31 +0200, gregkh@xxxxxxxxxxxxxxxxxxx wrote:
[...]
> From: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
>
> commit fa1ed74eb1c233be6131ec92df21ab46499a15b6 upstream.
>
> The user buffer has "uurb->buffer_length" bytes. If the kernel has more
> information than that, we should truncate it instead of writing past
> the end of the user's buffer. I added a WARN_ONCE() to help the user
> debug the issue.
[...]

Users should not be able to provoke a WARN_ON at will, that's a DoS
(log spam, possible panic).

And this truncated user buffer length is also used for allocation of
the kernel buffer. Are you totally sure that this can't result in a
kernel buffer overrun (or leak)?

This fix seems worse than continuing to allow userspace to shoot itself
in the foot.

Ben.

--
Ben Hutchings
Software Developer, Codethink Ltd.