> OK, my response was more confusing than I intended. I meant to say. Is
> there any in kernel code that would allow the bug have had in mind?
> In other words can userspace trick any existing code?
In theory any existing caller of remap_vmalloc_range() which does
not have an explicit size check should trigger an oops, e.g. this is
a good candidate:
v4l_stk_mmap ret = remap_vmalloc_range(vma, sbuf->buffer,
Hmm, sbuf->buffer is allocated in stk_setup_siobuf to have
buf->v4lbuf.length. mmap callback maps this buffer to the vma size and
that is indeed not enforced to be <= length AFAICS. So you are right!
Can we have an example in the changelog please?