From: Markus Grabner <grabner@icg.tugraz.at>
To: kernel-janitors@vger.kernel.org
Subject: Re: [PATCH] staging: line6: fix use-after-free bug
Date: Sat, 19 Jan 2013 21:55:29 +0000
Message-ID: <2422303.mrq2T2uPb1@medialab>
In-Reply-To: <1358545934-13982-1-git-send-email-grabner@icg.tugraz.at>
On Friday, 18 January 2013, 16:57:31, Greg Kroah-Hartman wrote:
> On Fri, Jan 18, 2013 at 10:52:14PM +0100, Markus Grabner wrote:
> > The function "line6_send_raw_message_async" now has an additional argument
> > "bool copy", which indicates whether the supplied buffer should be copied
> > into a dynamically allocated block of memory. The copy flag is also
> > stored in the "message" struct such that the temporary memory can be
> > freed when appropriate without intervention of the caller.
>
> Why do this? Why not either always copy it, or always not?
Some messages sent to the device have no parameters; they are declared at
global scope as constant byte arrays and therefore must be copied into a
dynamically allocated block of memory in order to be sent over the USB
interface. On the other hand, there are messages which do have parameters and
which are composed in dynamically allocated memory, and these can therefore be
sent directly without copying.
> What is this fixing?
Two users independently reported to me that the driver doesn't work for them.
I couldn't reproduce the problem, since it seems to be triggered by subtle
timing issues in the system, but after some further investigation the
kfree() of the message buffer immediately after submitting the message for
asynchronous transmission was clearly identified as the reason for the driver
not working. The patch puts the kfree() in the right place and (hopefully)
prevents incorrect use of the new buffer copy feature. The patch was tested by
me and by the users who initially reported the bug, and they confirmed that the
issue is fixed for them.
If anybody has a better idea of how to fix this, please go ahead! The patch might
also become obsolete in the future due to refactoring. But currently there is
a bug which prevents some people from using the driver at all, and this should
be fixed soon IMO.
Kind regards,
Markus
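The ownership rule discussed in this reply, as an added example that is not the line6 driver's code: a `copy` flag decides whether the asynchronous transmit path takes (and later frees) its own heap copy of the buffer, and freeing happens in the simulated completion callback rather than right after submission, which is the ordering the original bug got wrong. The function name `send_raw_message_async` echoes the one named in the thread, but its signature, the `in_flight` queue, `complete_one`, `demo` and the sample byte values are all constructed for this example; the rule that a non-copied buffer stays the caller's to free after completion is an assumption of the model, not a statement about the driver.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define QUEUE_MAX 8

/* Message handed to the (simulated) asynchronous transmit path. */
struct message {
	unsigned char *buffer;	/* data the device reads later, not now */
	size_t size;
	bool copy;		/* true: buffer is our heap copy, free it on completion */
};

/* Stand-in for submitted-but-not-completed transfers (hypothetical). */
static struct message in_flight[QUEUE_MAX];
static int in_flight_count;

/* Counters so a caller can verify every copy is freed exactly once. */
static int copies_made, copies_freed;

/*
 * Submit a message for asynchronous transmission.  copy == true: the caller's
 * buffer may be read-only (a const global array) or short-lived, so a heap copy
 * is taken and the completion path frees it.  copy == false: the caller's heap
 * buffer is used in place and must stay valid until complete_one() has run for
 * it (assumed rule of this model).  Returns 0 on success, -1 on failure.
 */
int send_raw_message_async(const unsigned char *buf, size_t size, bool copy)
{
	unsigned char *data;

	if (in_flight_count >= QUEUE_MAX)
		return -1;
	if (copy) {
		data = malloc(size);
		if (!data)
			return -1;
		memcpy(data, buf, size);
		copies_made++;
	} else {
		data = (unsigned char *)buf;
	}
	in_flight[in_flight_count].buffer = data;
	in_flight[in_flight_count].size = size;
	in_flight[in_flight_count].copy = copy;
	in_flight_count++;
	return 0;
}

/*
 * Simulated completion callback: the "device" reads the oldest in-flight
 * message into out (at most out_size bytes); only now is it safe to release a
 * copied buffer.  Returns bytes delivered, or -1 if nothing is in flight.
 */
int complete_one(unsigned char *out, size_t out_size)
{
	struct message msg;
	size_t n;

	if (in_flight_count == 0)
		return -1;
	msg = in_flight[0];
	memmove(&in_flight[0], &in_flight[1],
		(size_t)(in_flight_count - 1) * sizeof in_flight[0]);
	in_flight_count--;

	n = msg.size < out_size ? msg.size : out_size;
	memcpy(out, msg.buffer, n);
	if (msg.copy) {
		free(msg.buffer);	/* freed after the transfer, not after submit */
		copies_freed++;
	}
	return (int)n;
}

int pending_count(void) { return in_flight_count; }
int copies_outstanding(void) { return copies_made - copies_freed; }

/* Constructed sample: a parameterless request kept as a constant global
   array, the kind the reply says must be copied before submission. */
static const unsigned char REQUEST_NO_PARAMS[] = { 0xf0, 0x00, 0x01, 0x0c, 0xf7 };

/* Exercise both paths; returns 0 when the device saw the expected bytes. */
int demo(void)
{
	unsigned char got[16];
	unsigned char *composed = malloc(3);	/* message with constructed parameters */

	if (!composed)
		return -1;
	composed[0] = 0xb0; composed[1] = 0x07; composed[2] = 0x40;

	if (send_raw_message_async(REQUEST_NO_PARAMS, sizeof REQUEST_NO_PARAMS, true) ||
	    send_raw_message_async(composed, 3, false))
		return -1;
	if (complete_one(got, sizeof got) != 5 || memcmp(got, REQUEST_NO_PARAMS, 5))
		return -1;
	if (complete_one(got, sizeof got) != 3 || memcmp(got, composed, 3))
		return -1;
	free(composed);	/* caller frees its own buffer only after completion */
	return 0;
}

int main(void)
{
	int rc = demo();
	printf("demo %s, copies outstanding: %d\n", rc ? "failed" : "ok", copies_outstanding());
	return rc;
}
```

The point the model makes visible is that `send_raw_message_async` returning says nothing about whether the buffer has been consumed; a `free()` placed right after it (the original bug) would hand the device a dangling pointer, whereas tying the free to the completion path through the stored `copy` flag keeps the lifetime correct without the caller having to reason about it.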