lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <20071015103033.65b47dea.zaitcev@redhat.com>
Date:	Mon, 15 Oct 2007 10:30:33 -0700
From:	Pete Zaitcev <zaitcev@...hat.com>
To:	"Vitaliy Ivanov" <vitalivanov@...il.com>
Cc:	"Willy Tarreau" <w@....eu>, gregkh@...e.de,
	linux-usb-devel@...ts.sourceforge.net,
	linux-kernel@...r.kernel.org, zaitcev@...hat.com
Subject: Re: [2.4 patch] Port of adutux driver from 2.6 kernel to 2.4.

On Sun, 14 Oct 2007 23:45:36 +0300, "Vitaliy Ivanov" <vitalivanov@...il.com> wrote:

> Also IMHO the more drivers are in the tree the more users will use it.
> Once it will be merged in the mainline then it will be backported to
> enterprise kernels and would gain wide usage.

At least in case of RHEL, such backports never were automatic. In any
case, RHEL 2.1 and 3 do not receive new drivers anymore. We only do
bugfixes if something comes up. Realistically speaking, 2.4 kernels
are just too old for anyone to use. So, I think it would be best for
you to think in terms of Willy's tree only.

> +	in_end_size = le16_to_cpu(dev->interrupt_in_endpoint->wMaxPacketSize);
> +	out_end_size = le16_to_cpu(dev->interrupt_out_endpoint->wMaxPacketSize);

Did you verify if this works? We use pre-swapped descriptors in 2.4.
I suspect you allocate 256 times more memory than necessary.

> +static void adu_delete(struct adu_device *dev)
> +	kfree(dev);

> +static int adu_release_internal(struct adu_device *dev)
> +	if (dev->udev == NULL) {
> +		adu_delete(dev);

> +static int adu_open(struct inode *inode, struct file *file)
> +	retval = adu_release_internal(dev);
> +	up(&dev->sem);

The above very clearly is a use-after-free, in case the device was
open across a disconnect. Solution: Use minor_table_mutex to lock
dev->open_count instead of dev->sem. There's no rule that the lock
has to live inside the same structure with members it locks.

-- Pete
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ