From: David Brownell <david-b@pacbell.net>
To: Greg KH <greg@kroah.com>, viro@parcelfarce.linux.theplanet.co.uk
Cc: "Robert T. Johnson" <rtjohnso@eecs.berkeley.edu>,
	Al Viro <viro@math.psu.edu>, Linus Torvalds <torvalds@osdl.org>,
	Linux Kernel <linux-kernel@vger.kernel.org>
Subject: Re: Finding user/kernel pointer bugs [no html]
Date: Thu, 10 Jun 2004 10:27:50 -0700
Message-ID: <40C89A16.8030301@pacbell.net>
In-Reply-To: <20040610165821.GB32577@kroah.com>

Greg KH wrote:
> On Thu, Jun 10, 2004 at 05:49:03AM +0100, viro@parcelfarce.linux.theplanet.co.uk wrote:

>>272 is interesting - it's in
>>static void async_completed(struct urb *urb, struct pt_regs *regs)
>>{
>>        ...
>>}
>>and it brings two questions:
>>	a) shouldn't ->si_addr be a __user pointer (in all contexts I see
>>it is one)
>>	b) WTF is usb doing messing with it directly?
>>Note that drivers/usb/core/{devio,inode}.c are the only users of that animal
>>outside of arch/*.  Looks fishy...
> 
> 
> I really don't know.  I think David added that code.  David, any ideas?

Not me.  I think that's the original code from Thomas Sailer;
I've never touched the usbfs AIO core.  (Maybe you're thinking
of some oops-on-disconnect fixups I did, forcing completions
on all the usbfs-internal async requests.  That's now done in
usbcore.)

Speaking of AIO, I've been thinking I should submit that
gadgetfs AIO support for 2.6.7+ kernels.  It's amazing what
can be done with that small an amount of code ... and IMO
that's the right model to use for stuff like this.  I'll
re-test first, on the off chance it broke recently.

- Dave



