Race condition in the ecdeviceioctlxcmd function in drivers/platform/chrome/crosec_dev.c in the Linux kernel before 4.7 allows local users to cause a denial of service (out-of-bounds array access) by changing a certain size value, aka a "double fetch" vulnerability.