On Tue, Jun 02, 2026 at 02:26:46PM +0300, Andy Shevchenko wrote:
> On Thu, May 21, 2026 at 06:33:14AM -0700, Kees Cook wrote:
> >
> > param_array_get() appends each element's string representation into the
> > shared sysfs page buffer by passing buffer + off to the element getter.
> >
> > That works for getters that only write a small bounded string, but
> > param_get_charp() and similar helpers format against PAGE_SIZE from the
> > pointer they receive. Once off is non-zero, an element getter can
> > therefore write past the end of the original sysfs page buffer.
> >
> > Collect each element into a temporary PAGE_SIZE buffer first and then
> > copy only the remaining space into the caller's page buffer.
>
> ...
>
> > + elem_buf = kmalloc(PAGE_SIZE, GFP_KERNEL);
>
> get_free_page() (or how it is called)?

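Review bot: the elem_buf = kmalloc(PAGE_SIZE, GFP_KERNEL) allocation can fail, and the quoted line shows neither a NULL check nor the matching kfree(). Return -ENOMEM when elem_buf is NULL and free the buffer on every exit path of the getter, so a failed allocation on a sysfs read does not become a NULL dereference and a successful one does not leak a page-sized buffer per read.
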
I thought modern mm guidance was to use kmalloc whenever possible and not
use get_free_page() unless you intend to use the struct page bits?

Jason
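
The overrun described in the quoted commit message, as an added userspace model (not code from the patch or from the kernel): an element getter that bounds itself by a full page from the pointer it receives, called at a non-zero offset, next to the scratch-buffer approach the commit message describes. PAGE_SZ, elem_get(), array_get_unsafe(), array_get_safe() and guard_hits() are hypothetical names, and the two-page arena with a guard page is a constructed test fixture.

```c
#include <stdio.h>
#include <string.h>
#define PAGE_SZ 4096 /* stand-in for PAGE_SIZE, assumed 4 KiB */

/* Hypothetical element getter: bounds its output by PAGE_SZ counted from buf. */
static int elem_get(char *buf, const char *val) {
	int n = snprintf(buf, PAGE_SZ, "%s\n", val);
	return n >= PAGE_SZ ? PAGE_SZ - 1 : n;
}

/* "Before": the getter gets page + off, so its bound ends at off + PAGE_SZ. */
static int array_get_unsafe(char *page, const char **v, int n) {
	int off = 0;
	for (int i = 0; i < n && off < PAGE_SZ; i++) { /* demo arena is only 2 pages */
		if (i) page[off - 1] = ','; /* previous '\n' becomes the separator */
		off += elem_get(page + off, v[i]);
	}
	return off;
}

/* "After": format into a scratch page, then copy only what still fits. */
static int array_get_safe(char *page, const char **v, int n) {
	static char tmp[PAGE_SZ];
	int off = 0;
	for (int i = 0; i < n && off < PAGE_SZ - 1; i++) {
		int len = elem_get(tmp, v[i]);
		int room = PAGE_SZ - 1 - off; /* keep one byte for the NUL */
		if (len > room) len = room;
		if (i) page[off - 1] = ',';
		memcpy(page + off, tmp, len);
		off += len;
	}
	page[off] = '\0';
	return off;
}

/* Constructed input: two 3000-byte elements; counts guard-page bytes overwritten. */
static int guard_hits(int safe) {
	static char arena[2 * PAGE_SZ], big[3000]; /* sysfs page + guard page */
	const char *v[2] = { big, big };
	int hits = 0;
	memset(big, 'A', sizeof(big) - 1);
	memset(arena + PAGE_SZ, 0x5a, PAGE_SZ);
	if (safe) array_get_safe(arena, v, 2); else array_get_unsafe(arena, v, 2);
	for (int i = PAGE_SZ; i < 2 * PAGE_SZ; i++) hits += arena[i] != 0x5a;
	return hits;
}

int main(void) { printf("guard bytes hit: before=%d after=%d\n", guard_hits(0), guard_hits(1)); return 0; }
```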
