From: Dan Carpenter <dan.carpenter@oracle.com>
To: kernel-janitors@vger.kernel.org
Subject: Re: [patch 2/2] staging: line6: use after free bug requesting version
Date: Wed, 09 Jan 2013 06:25:11 +0000
Message-ID: <20130109062511.GT7302@mwanda>
In-Reply-To: <20121205184452.GB18227@elgon.mountain>
On Tue, Jan 08, 2013 at 11:54:25PM +0100, Markus Grabner wrote:
> On Thursday, 6 December 2012, 10:08:44, Dan Carpenter wrote:
> > On Thu, Dec 06, 2012 at 06:18:02AM +0100, Stefan Hajnoczi wrote:
> > > On Wed, Dec 5, 2012 at 7:44 PM, Dan Carpenter <dan.carpenter@oracle.com> wrote:
> > > > diff --git a/drivers/staging/line6/driver.c
> > > > b/drivers/staging/line6/driver.c index 8a5d89e..884e0d8 100644
> > > > --- a/drivers/staging/line6/driver.c
> > > > +++ b/drivers/staging/line6/driver.c
> > > > @@ -110,7 +110,7 @@ struct message {
> > > >
> > > > */
> > > > static void line6_data_received(struct urb *urb);
> > > > static int line6_send_raw_message_async_part(struct message *msg,
> > > >
> > > > - struct urb *urb);
> > > > + struct urb *urb, int free);
> > >
> > > s/int/bool/
> > >
> > > > /*
> > > >
> > > > Start to listen on endpoint.
> > > >
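
Review bot: the new third parameter in the line6_send_raw_message_async_part() prototype is declared "int free", but it is a yes/no flag and the name does not say what is freed. Declare it bool, give it a name that states the object concerned (free_buffer, say), and add a one-line comment at the declaration stating what is released when it is set and at which point, so a caller can tell whether it may still touch that memory after the call returns.
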
> > > > @@ -219,24 +219,42 @@ static void line6_async_request_sent(struct urb
> > > > *urb)
> > > >
> > > > usb_free_urb(urb);
> > > > kfree(msg);
> > > >
> > > > } else
> > > >
> > > > - line6_send_raw_message_async_part(msg, urb);
> > > > + line6_send_raw_message_async_part(msg, urb, 0);
> > > > +}
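
Review bot: the resubmission call in the else branch of line6_async_request_sent() passes a bare 0 for the new argument, which tells the reader nothing at the call site; with a bool parameter it should read false. The branch directly above already does usb_free_urb(urb) and kfree(msg), so the message's teardown is concentrated there, while the free decision is now carried as an argument that every call to line6_send_raw_message_async_part() has to repeat with the same value. One mismatched call would either leak the buffer or release it while a part is still pending. Recording the decision once on the message and testing it next to kfree(msg) keeps the release in a single place.
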
> > >
> > > I'd add a bool free_buffer field to struct message and simply modify
> > > line6_async_request_sent() to do:
> > >
> > > if (msg->free_buffer)
> > >
> > > kfree(msg->buffer);
> > >
> > > Then you don't need line6_async_request_sent_free_buffer() and
> > > line6_send_raw_message_async_part() doesn't need to take a bool free
> > > argument since struct message already contains that information. It
> > > would make the code simpler.
> >
> > Yeah. That's true. I'll redo it.
> Since two users reported this bug to me recently, I proposed a fix and asked
> them to test it. If it works for them, I'll prepare a patch against Stefan's
> repository. This is for your information only to avoid duplicate work in case
> you just wanted to pick this up again.
>
Crap... I'm sorry. I completely lost track of this. Please send
your patch.
regards,
dan carpenter