Message-ID: <55052828.7090701@ahsoftware.de>
Date: Sun, 15 Mar 2015 07:35:20 +0100
From: Alexander Holler
To: Al Viro
CC: Linus Torvalds, linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-usb@vger.kernel.org
Subject: Re: [git pull] gadgetfs fixes
References: <20150313164228.GQ29656@ZenIV.linux.org.uk> <5504D4B9.2010901@ahsoftware.de> <20150315013948.GU29656@ZenIV.linux.org.uk>
In-Reply-To: <20150315013948.GU29656@ZenIV.linux.org.uk>

On 15.03.2015 at 02:39, Al Viro wrote:
> On Sun, Mar 15, 2015 at 01:39:21AM +0100, Alexander Holler wrote:
>> On 13.03.2015 at 17:42, Al Viro wrote:
>>> Assorted fixes around AIO on gadgetfs: leaks, use-after-free,
>>> troubles caused by ->f_op flipping. Please, pull from
>>> git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs.git gadget
>>>
>>> Shortlog:
>>> Al Viro (8):
>>> new helper: dup_iter()
>>> move iov_iter.c from mm/ to lib/
>>> gadget/function/f_fs.c: close leaks
>>> gadget/function/f_fs.c: use put iov_iter into io_data
>>> gadget/function/f_fs.c: switch to ->{read,write}_iter()
>>
>>> gadgetfs: use-after-free in ->aio_read()
>>
>> If that patch ends up in the stable kernels (as it is marked as such),
>> it needs a
>> value = -ENOMEM
>> before that added "goto fail;", otherwise the return value is uninitialized.
>
> Umm... If I'm not misparsing what you said, you are talking about the
> one that gets removed by
> - if (iv) {
> - priv->iv = kmemdup(iv, nr_segs * sizeof(struct iovec),
> - GFP_KERNEL);
> - if (!priv->iv) {
> - kfree(priv);
> - goto fail;
> - }
> - }
> in "gadget: switch ep_io_operations to ->read_iter/->write_iter" very
> shortly afterwards, and _that_ is a prereq for ->f_op flipping fixes,
> which is also clear -stable fodder. But yes, it's a bisect hazard and
> a cherry-pick one as well. Nice catch...

The following patches aren't marked for stable, otherwise I would not have
risked becoming a victim of your comments again.

Alexander Holler
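Review bot: in the quoted block, the `goto fail;` taken when kmemdup() returns NULL reaches the fail label without `value` ever being assigned, so the caller receives an uninitialized return code on that path; the removal in "gadget: switch ep_io_operations to ->read_iter/->write_iter" only makes this moot where both patches land together, so any tree that cherry-picks or bisects to the earlier use-after-free fix alone needs `value = -ENOMEM;` immediately before that `goto fail;`, as raised upthread.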
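The error-path defect discussed in this thread, an allocation failure that jumps to a `fail:` label without first assigning the return code, as an added user-space example that is not code from the kernel or from this patch series. The structure names (`ep_priv`), the `dup_alloc()` stand-in for kmemdup() with its fault-injection flag, the `setup_buggy`/`setup_fixed` pair and the `STACK_GARBAGE` sentinel are all assumptions made here; the sentinel models "whatever happened to be in the slot" so the buggy path's result can be observed instead of being undefined behaviour.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-ins for the kernel structures in the quoted hunk. */
struct iovec {
    void *iov_base;
    size_t iov_len;
};

struct ep_priv {
    struct iovec *iv;
    size_t nr_segs;
};

/* Models the leftover stack contents that an unassigned `value` would
 * return; the buggy path hands this back instead of an errno. */
#define STACK_GARBAGE 0x5a5a

/* Fault-injection hook (assumption): when nonzero, the next dup_alloc()
 * call fails, which is the condition the removed block mishandled. */
static int fail_next_alloc;

/* User-space stand-in for kmemdup(): copy len bytes into a new buffer. */
static void *dup_alloc(const void *src, size_t len)
{
    void *p;

    if (fail_next_alloc) {
        fail_next_alloc = 0;
        return NULL;
    }
    p = malloc(len);
    if (p)
        memcpy(p, src, len);
    return p;
}

/* Same shape as the removed block: on dup failure, free priv and jump to
 * fail without assigning value, so the caller gets STACK_GARBAGE. */
static int setup_buggy(const struct iovec *iv, size_t nr_segs,
                       struct ep_priv **out)
{
    int value = STACK_GARBAGE;
    struct ep_priv *priv = calloc(1, sizeof(*priv));

    if (!priv) {
        value = -ENOMEM;
        goto fail;
    }
    if (iv) {
        priv->iv = dup_alloc(iv, nr_segs * sizeof(struct iovec));
        if (!priv->iv) {
            free(priv);
            goto fail;      /* BUG: value is never set on this path */
        }
    }
    priv->nr_segs = nr_segs;
    *out = priv;
    return 0;
fail:
    *out = NULL;
    return value;
}

/* Fixed form: every path into fail carries an errno with it. */
static int setup_fixed(const struct iovec *iv, size_t nr_segs,
                       struct ep_priv **out)
{
    int value;
    struct ep_priv *priv = calloc(1, sizeof(*priv));

    if (!priv) {
        value = -ENOMEM;
        goto fail;
    }
    if (iv) {
        priv->iv = dup_alloc(iv, nr_segs * sizeof(struct iovec));
        if (!priv->iv) {
            free(priv);
            value = -ENOMEM; /* the line missing from the buggy version */
            goto fail;
        }
    }
    priv->nr_segs = nr_segs;
    *out = priv;
    return 0;
fail:
    *out = NULL;
    return value;
}

static void release(struct ep_priv *priv)
{
    if (priv) {
        free(priv->iv);
        free(priv);
    }
}

/* Success path: returns the iov_len copied by the dup (16), or an errno. */
static int demo_fixed_success(void)
{
    struct iovec v = { NULL, 16 };  /* constructed sample input */
    struct ep_priv *p = NULL;
    int rc = setup_fixed(&v, 1, &p);
    int copied_len;

    if (rc)
        return rc;
    copied_len = (int)p->iv[0].iov_len;
    release(p);
    return copied_len;
}

/* Injected dup failure against the fixed version: returns -ENOMEM. */
static int demo_fixed_alloc_failure(void)
{
    struct iovec v = { NULL, 16 };
    struct ep_priv *p = NULL;

    fail_next_alloc = 1;
    return setup_fixed(&v, 1, &p);
}

/* Injected dup failure against the buggy version: returns STACK_GARBAGE,
 * a positive non-errno the caller would take for success or misreport. */
static int demo_buggy_alloc_failure(void)
{
    struct iovec v = { NULL, 16 };
    struct ep_priv *p = NULL;

    fail_next_alloc = 1;
    return setup_buggy(&v, 1, &p);
}
```

The fault-injection flag is what makes the bug reproducible: without forcing the second allocation to fail, both versions behave identically, which is exactly why this class of error-path defect survives normal testing and surfaces only once a patch is cherry-picked out of its intended sequence.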