From: Alexander Holler
Subject: Re: [git pull] gadgetfs fixes
Date: Sun, 15 Mar 2015 07:35:20 +0100
Message-ID: <55052828.7090701@ahsoftware.de>
References: <20150313164228.GQ29656@ZenIV.linux.org.uk> <5504D4B9.2010901@ahsoftware.de> <20150315013948.GU29656@ZenIV.linux.org.uk>
Mime-Version: 1.0
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: QUOTED-PRINTABLE
Cc: Linus Torvalds, linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org, linux-fsdevel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org, linux-usb-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
To: Al Viro
In-Reply-To: <20150315013948.GU29656-3bDd1+5oDREiFSDQTTA3OLVCufUGDwFn@public.gmane.org>
Sender: linux-usb-owner-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
List-Id: linux-fsdevel.vger.kernel.org

On 15.03.2015 at 02:39, Al Viro wrote:
> On Sun, Mar 15, 2015 at 01:39:21AM +0100, Alexander Holler wrote:
>> On 13.03.2015 at 17:42, Al Viro wrote:
>>> Assorted fixes around AIO on gadgetfs: leaks, use-after-free,
>>> troubles caused by ->f_op flipping. Please, pull from
>>> git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs.git gadget
>>>
>>> Shortlog:
>>> Al Viro (8):
>>> new helper: dup_iter()
>>> move iov_iter.c from mm/ to lib/
>>> gadget/function/f_fs.c: close leaks
>>> gadget/function/f_fs.c: use put iov_iter into io_data
>>> gadget/function/f_fs.c: switch to ->{read,write}_iter()
>>
>>> gadgetfs: use-after-free in ->aio_read()
>>
>> If that patch ends up in the stable kernels (as it is marked as such),
>> it needs a
>> value = -ENOMEM
>> before that added "goto fail;", otherwise the return value is uninitialized.
>
> Umm... If I'm not misparsing what you said, you are talking about the

Fortunately not. Perhaps we should try my preferred language for a change.
> one that gets removed by
> -	if (iv) {
> -		priv->iv = kmemdup(iv, nr_segs * sizeof(struct iovec),
> -				   GFP_KERNEL);
> -		if (!priv->iv) {
> -			kfree(priv);
> -			goto fail;
> -		}
> -	}
> in "gadget: switch ep_io_operations to ->read_iter/->write_iter" very
> shortly afterwards, and _that_ is a prereq for ->f_op flipping fixes,
> which is also clear -stable fodder. But yes, it's a bisect hazard and
> a cherry-pick one as well. Nice catch...

The following patches aren't marked for stable, otherwise I would not
have risked becoming a victim of your comments again.

Alexander Holler
--
To unsubscribe from this list: send the line "unsubscribe linux-usb" in
the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
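Review bot: the removed error path `kfree(priv); goto fail;` in the quoted hunk jumps to `fail` without assigning `value`, so a tree that carries the earlier "gadgetfs: use-after-free in ->aio_read()" fix without this removal returns an uninitialized `value` on kmemdup() failure, exactly the bisect and cherry-pick hazard acknowledged above. Either backport the two commits together, or add `value = -ENOMEM;` before the `goto fail;` in the stable-marked patch so it is safe on its own.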