From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: kernel-janitors@vger.kernel.org
Subject: Re: [PATCH] staging: line6: fix use-after-free bug
Date: Sun, 20 Jan 2013 17:11:50 +0000 [thread overview]
Message-ID: <20130120171150.GA3896@kroah.com> (raw)
In-Reply-To: <1358545934-13982-1-git-send-email-grabner@icg.tugraz.at>
On Sat, Jan 19, 2013 at 10:55:29PM +0100, Markus Grabner wrote:
> Am Freitag, 18. Januar 2013, 16:57:31 schrieb Greg Kroah-Hartman:
> > On Fri, Jan 18, 2013 at 10:52:14PM +0100, Markus Grabner wrote:
> > > The function "line6_send_raw_message_async" now has an additional argument
> > > "bool copy", which indicates whether the supplied buffer should be copied
> > > into a dynamically allocated block of memory. The copy flag is also
> > > stored in the "message" struct such that the temporary memory can be
> > > freed when appropriate without intervention of the caller.
> >
> > Why do this? Why not either always copy it, or always not?
> Some messages are sent to the device which have no parameters, they are
> declared at global scope as constant byte arrays and therefore must be copied
> into a dynamically allocated block of memory in order to be sent over the USB
> interface. On the other hand, there are messages which do have parameters and
> which are composed in dynamically allocated memory and can therefore directly
> be sent without copying.
Then if you always copy the memory, and "own" it after the call, you
should be fine, right?
> > What is this fixing?
> Two users reported to me independently that the driver doesn't work for them.
> I couldn't reproduce the problem since it seems to be triggered by subtle
> timing issues in the system, but after some further investigations, the
> kfree() of the message buffer immediately after submitting the message for
> asynchronous transmission was clearly identified as the reason for the driver
> not working. The patch puts the kfree() at the right place and (hopefully)
> prevents incorrect use of the new buffer copy feature. The patch is tested by
> me and the users who initially reported the bug, and they confirmed that the
> issue is fixed for them.
>
> If anybody has a better idea how to fix this, please go ahead! The patch might
> also become obsolete in the future due to refactoring. But currently there is
> a bug which prevents some people from using the driver at all, and this should
> be fixed soon IMO.
I agree, it should be fixed, but having the code always do the copy and
manage the memory, and not have the crazy "flag" option, should solve
the bug for everyone.
thanks,
greg k-h
next prev parent reply other threads:[~2013-01-20 17:11 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-01-18 21:52 [PATCH] staging: line6: fix use-after-free bug Markus Grabner
2013-01-19 0:57 ` Greg Kroah-Hartman
2013-01-19 21:55 ` Markus Grabner
2013-01-20 17:11 ` Greg Kroah-Hartman [this message]
2013-01-20 22:51 ` Markus Grabner
2013-01-20 23:04 ` Greg Kroah-Hartman
2013-06-03 22:49 ` Markus Grabner
2013-06-03 23:08 ` Greg Kroah-Hartman
2013-06-04 20:10 ` Markus Grabner
2013-06-19 16:40 ` Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20130120171150.GA3896@kroah.com \
--to=gregkh@linuxfoundation.org \
--cc=kernel-janitors@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox