From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: kernel-janitors@vger.kernel.org
Subject: Re: [PATCH] staging: line6: fix use-after-free bug
Date: Sun, 20 Jan 2013 17:11:50 +0000 [thread overview]
Message-ID: <20130120171150.GA3896@kroah.com> (raw)
In-Reply-To: <1358545934-13982-1-git-send-email-grabner@icg.tugraz.at>
On Sat, Jan 19, 2013 at 10:55:29PM +0100, Markus Grabner wrote:
> Am Freitag, 18. Januar 2013, 16:57:31 schrieb Greg Kroah-Hartman:
> > On Fri, Jan 18, 2013 at 10:52:14PM +0100, Markus Grabner wrote:
> > > The function "line6_send_raw_message_async" now has an additional argument
> > > "bool copy", which indicates whether the supplied buffer should be copied
> > > into a dynamically allocated block of memory. The copy flag is also
> > > stored in the "message" struct such that the temporary memory can be
> > > freed when appropriate without intervention of the caller.
> >
> > Why do this? Why not either always copy it, or always not?
> Some messages are sent to the device which have no parameters, they are
> declared at global scope as constant byte arrays and therefore must be copied
> into a dynamically allocated block of memory in order to be sent over the USB
> interface. On the other hand, there are messages which do have parameters and
> which are composed in dynamically allocated memory and can therefore directly
> be sent without copying.
Then if you always copy the memory, and "own" it after the call, you
should be fine, right?
> > What is this fixing?
> Two users reported to me independently that the driver doesn't work for them.
> I couldn't reproduce the problem since it seems to be triggered by subtle
> timing issues in the system, but after some further investigations, the
> kfree() of the message buffer immediately after submitting the message for
> asynchronous transmission was clearly identified as the reason for the driver
> not working. The patch puts the kfree() at the right place and (hopefully)
> prevents incorrect use of the new buffer copy feature. The patch is tested by
> me and the users who initially reported the bug, and they confirmed that the
> issue is fixed for them.
>
> If anybody has a better idea how to fix this, please go ahead! The patch might
> also become obsolete in the future due to refactoring. But currently there is
> a bug which prevents some people from using the driver at all, and this should
> be fixed soon IMO.
I agree, it should be fixed, but having the code always do the copy and
manage the memory, and not have the crazy "flag" option, should solve
the bug for everyone.
thanks,
greg k-h
next prev parent reply other threads:[~2013-01-20 17:11 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-01-18 21:52 [PATCH] staging: line6: fix use-after-free bug Markus Grabner
2013-01-19 0:57 ` Greg Kroah-Hartman
2013-01-19 21:55 ` Markus Grabner
2013-01-20 17:11 ` Greg Kroah-Hartman [this message]
2013-01-20 22:51 ` Markus Grabner
2013-01-20 23:04 ` Greg Kroah-Hartman
2013-06-03 22:49 ` Markus Grabner
2013-06-03 23:08 ` Greg Kroah-Hartman
2013-06-04 20:10 ` Markus Grabner
2013-06-19 16:40 ` Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20130120171150.GA3896@kroah.com \
--to=gregkh@linuxfoundation.org \
--cc=kernel-janitors@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.