Subject: re: CVS commit: src/sys/dev
To: None <elad@netbsd.org>
From: matthew green <mrg@eterna.com.au>
List: source-changes
Date: 10/30/2006 16:51:55
   
   Note it's possible to trigger a kernel panic by passing a junk
   pointer in the 'fingerprint' member of the parameters, but then again
   that's true for anything that copies in data from a userland-supplied
   pointer. And we have plenty of those.


this seems bogus.  what "plenty of those" are you referencing?  i'm
not aware of any off hand and while restricted to root helps a bunch
we should fail these requests instead of panicking.  they are bugs to
be fixed.

i'm curious why the kernel would be dereferencing a kernel address
that userland supplied, instead of a userland address... when does
userland know kernel addresses like this?  besides LKMs.


.mrg.