On (11/07/17 12:09), Dmitry Vyukov wrote:
> > On (11/07/17 17:39), Fengguang Wu wrote:
[..]
> > devkmsg_write() does
> >
> >         buf = kmalloc(len+1, GFP_KERNEL);
> >         ...
> >         kfree(buf);
> >
> > kasan reports that this kfree() is actually happening in unpack_to_rootfs(),
> > before we do copy_from_iter_full().
> 
> 
> Please ignore the free stack. For slab-out-of-bound bugs the object is
> not actually freed and KASAN prints the free stack where it was freed
> before it was re-allocated as new object.

ah, ok.

> Can that len+1 overflow? Is it checked?

hm, I don't think it overflows there.

        __kernel_write()
         __vfs_write()
          new_sync_write()

__kernel_write() makes sure that if count > MAX_RW_COUNT then
count = MAX_RW_COUNT.

        -ss
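The check the thread is discussing, as an added user-space illustration (not kernel code and not from any participant in this thread): `len + 1` on an unsigned `size_t` wraps to 0 when `len == SIZE_MAX`, so an unclamped length would let the allocation size wrap; the `__kernel_write()` clamp to `MAX_RW_COUNT` makes that unreachable. `MAX_RW_COUNT_ASSUMED`, `PAGE_SIZE_ASSUMED`, `clamp_rw_count()` and `alloc_size_for()` are constructed names for this example; the kernel defines `MAX_RW_COUNT` as `INT_MAX & PAGE_MASK`, which the macro below mirrors with an assumed 4 KiB page.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for the kernel's MAX_RW_COUNT (INT_MAX & PAGE_MASK),
 * assuming a 4 KiB page size. User-space example, not kernel code. */
#define PAGE_SIZE_ASSUMED    4096UL
#define PAGE_MASK_ASSUMED    (~(PAGE_SIZE_ASSUMED - 1))
#define MAX_RW_COUNT_ASSUMED ((unsigned long)INT_MAX & PAGE_MASK_ASSUMED)

/* Mirrors the clamp the thread attributes to __kernel_write(): a count
 * larger than MAX_RW_COUNT is truncated to MAX_RW_COUNT before the lower
 * write layers (and therefore devkmsg_write()) ever see it. */
size_t clamp_rw_count(size_t count)
{
	if (count > MAX_RW_COUNT_ASSUMED)
		count = MAX_RW_COUNT_ASSUMED;
	return count;
}

/* The allocation size devkmsg_write() needs: len + 1 for a terminating NUL.
 * Returns 0 if the addition wrapped, so a caller can refuse the request
 * rather than allocate a buffer far smaller than the data it will copy. */
size_t alloc_size_for(size_t len)
{
	size_t n = len + 1;

	if (n < len)	/* unsigned wrap-around: only possible for len == SIZE_MAX */
		return 0;
	return n;
}

/* Without the clamp, the largest possible len makes len + 1 wrap to 0. */
int unclamped_wraps(void)
{
	return alloc_size_for(SIZE_MAX) == 0;
}

/* With the clamp applied first, len + 1 is bounded by MAX_RW_COUNT + 1. */
int clamped_is_safe(void)
{
	size_t n = alloc_size_for(clamp_rw_count(SIZE_MAX));

	return n != 0 && n == MAX_RW_COUNT_ASSUMED + 1;
}

int main(void)
{
	printf("MAX_RW_COUNT (assumed): %lu\n", MAX_RW_COUNT_ASSUMED);
	printf("len+1 for SIZE_MAX, no clamp: %zu (wrapped: %d)\n",
	       alloc_size_for(SIZE_MAX), unclamped_wraps());
	printf("len+1 for SIZE_MAX, clamped:  %zu (safe: %d)\n",
	       alloc_size_for(clamp_rw_count(SIZE_MAX)), clamped_is_safe());
	return 0;
}
```

The point of the two helper checks is the ordering: the overflow is only impossible because the clamp runs before the addition, so any new write path that reaches `devkmsg_write()` without going through that clamp would need its own bound.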