2014-08-11 14:02:14 UTC MAIN

1) 'error' is returned while it does not even hold an error code. Which
  means that zero is returned, and the kernel keeps mounting (and it
  probably ends up in a deadlock/memory corruption somewhere).
2) 'nentries' and 'gnentries' are int and user-controlled, and there's no
  check to ensure they are greater than zero. Since they are used to
  compute the size of two copyin's, a user can control the copied size
  by giving a negative value (like 128-2^29), and thus overwrite kernel
  memory.

Both triggerable from root only.

(maxv)
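
The two bugs described in the commit message above, as an added C example that is not the NetBSD code from this commit. The function names, MAX_ENTRIES, the 8-byte entry size and the 32-bit size arithmetic are assumptions, chosen so the message's value 128-2^29 can be followed through the size computation.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Assumptions for illustration, not taken from the NetBSD source. */
#define MAX_ENTRIES 64                    /* capacity of the kernel table */
#define ENTRY_SIZE  8u                    /* bytes per entry */
#define TABLE_BYTES (MAX_ENTRIES * ENTRY_SIZE)

/* Copy length as 32-bit size arithmetic computes it from a signed count. */
static uint32_t copy_len32(int count)
{
    return (uint32_t)count * ENTRY_SIZE;  /* negative count wraps */
}

/* Pattern from the commit message: only an upper bound is checked, and the
 * reject path returns 'error' before any error code was stored in it. */
static int check_flawed(int count, uint32_t *len)
{
    int error = 0;
    if (count > MAX_ENTRIES)
        return error;                     /* bug 1: 0 == success to caller */
    *len = copy_len32(count);             /* bug 2: negative count accepted */
    return 0;
}

/* Hardened: require 0 < count <= MAX_ENTRIES, fail with an explicit errno. */
static int check_hardened(int count, uint32_t *len)
{
    if (count <= 0 || count > MAX_ENTRIES)
        return EINVAL;
    *len = copy_len32(count);
    return 0;
}

int main(void)
{
    int bad = 128 - (1 << 29);            /* value quoted in the message */
    uint32_t len = 0;
    int rc = check_flawed(bad, &len);
    printf("flawed:   rc=%d len=%u table=%u\n", rc, (unsigned)len, TABLE_BYTES);
    len = 0;
    rc = check_hardened(bad, &len);
    printf("hardened: rc=%d len=%u\n", rc, (unsigned)len);
    return 0;
}
```

Under these assumptions the flawed check accepts the negative count and yields a copy length twice the size of the destination table, while the hardened check rejects it before any length is computed.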