Message-Id: <1192542533.29039.58.camel@dell1.softservecom.com>
Date: Tue, 16 Oct 2007 16:48:54 +0300
From: Vitaliy Ivanov <vitalivanov@...il.com>
To: Pete Zaitcev <zaitcev@...hat.com>
Cc: Willy Tarreau <w@....eu>, gregkh@...e.de,
linux-usb-devel@...ts.sourceforge.net, linux-kernel@...r.kernel.org
Subject: Re: [2.4 patch] Port of adutux driver from 2.6 kernel to 2.4.
Pete,
On Mon, 2007-10-15 at 20:30, Pete Zaitcev wrote:
> > + in_end_size = le16_to_cpu(dev->interrupt_in_endpoint->wMaxPacketSize);
> > + out_end_size = le16_to_cpu(dev->interrupt_out_endpoint->wMaxPacketSize);
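Review bot: the two le16_to_cpu() calls on wMaxPacketSize in this hunk are only right if the field is still little-endian in memory; if 2.4 stores descriptors pre-swapped, a big-endian host would byte-swap the 16-bit value twice (0x0040 becoming 0x4000, the 256x over-allocation raised in the reply). A printk on a little-endian box cannot tell the two cases apart, because le16_to_cpu() is a no-op there; verify on a big-endian build, or drop the conversion if the 2.4 field is already in host order.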
>
> Did you verify if this works? We use pre-swapped descriptors in 2.4.
> I suspect you allocate 256 times more memory than necessary.
Just checked. Seems to be OK. At least printk shows it.
>
> > +static void adu_delete(struct adu_device *dev)
> > + kfree(dev);
>
> > +static int adu_release_internal(struct adu_device *dev)
> > + if (dev->udev == NULL) {
> > + adu_delete(dev);
>
> > +static int adu_open(struct inode *inode, struct file *file)
> > + retval = adu_release_internal(dev);
> > + up(&dev->sem);
>
> The above very clearly is a use-after-free, in case the device was
> open across a disconnect. Solution: Use minor_table_mutex to lock
> dev->open_count instead of dev->sem. There's no rule that the lock
> has to live inside the same structure with members it locks.
Yeah. You are right. Found similar issue in adu_release also.
It's a problem with 2.6 kernel driver.
So, I've got a material to create some fixes in 2.6 driver too.
I've reworked the code to avoid this issue.
Sending final patch as a reply to Willy's mail. Please check it.
Vitaliy
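The use-after-free Pete describes, modelled in userspace so it can be run and observed. This is an added illustration, not code from the adutux driver or from the patch under discussion: the names adu_device, adu_open, adu_release_internal, adu_delete and minor_table_mutex are borrowed from the thread, but the bodies are simplified stand-ins, the "semaphore" only records whether it is held, and the freed-memory check is a bookkeeping trick so the bug shows up deterministically instead of as undefined behaviour.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Stand-in for a kernel semaphore: the model only records whether it is held. */
struct sem { bool held; };

struct adu_device {
	struct sem sem;     /* buggy variant: guards open_count and lives inside dev */
	int open_count;
	void *udev;         /* NULL once the device has been unplugged */
};

/* Stand-in for minor_table_mutex: a lock that outlives every device. */
static struct sem minor_table_mutex;

/* Quarantine of the last freed device, so a use-after-free is detected
 * deterministically instead of relying on undefined behaviour. */
static uintptr_t freed_lo, freed_hi;
static int uaf_detected;

static bool is_freed(const void *p)
{
	uintptr_t a = (uintptr_t)p;
	return a >= freed_lo && a < freed_hi;
}

/* Lock/unlock; a lock that sits inside freed memory counts as a use-after-free. */
static void down(struct sem *s) { if (is_freed(s)) uaf_detected++; else s->held = true; }
static void up(struct sem *s)   { if (is_freed(s)) uaf_detected++; else s->held = false; }

static void adu_delete(struct adu_device *dev)
{
	freed_lo = (uintptr_t)dev;
	freed_hi = freed_lo + sizeof(*dev);
	free(dev);
}

/* Drops the open reference; frees dev outright if the USB device is already gone. */
static void adu_release_internal(struct adu_device *dev)
{
	if (dev->udev == NULL) {
		adu_delete(dev);
		return;
	}
	--dev->open_count;
}

static struct adu_device *adu_new_device(void)
{
	struct adu_device *dev = calloc(1, sizeof(*dev));
	dev->udev = dev;    /* any non-NULL value: still plugged in */
	freed_lo = freed_hi = 0;
	uaf_detected = 0;
	return dev;
}

/* Buggy shape: the lock guarding open_count is embedded in the object that
 * adu_release_internal() may free, so the final up() is a use-after-free. */
static int adu_open_buggy(struct adu_device *dev, bool fail_after_open)
{
	int retval = 0;
	down(&dev->sem);
	++dev->open_count;
	if (fail_after_open) {
		retval = -1;
		adu_release_internal(dev);   /* may free dev ... */
	}
	up(&dev->sem);                       /* ... and this then touches freed memory */
	return retval;
}

/* Fixed shape: open_count is guarded by minor_table_mutex, which is not
 * inside dev, so nothing dereferences dev after it may have been freed. */
static int adu_open_fixed(struct adu_device *dev, bool fail_after_open)
{
	int retval = 0;
	down(&minor_table_mutex);
	++dev->open_count;
	if (fail_after_open) {
		retval = -1;
		adu_release_internal(dev);   /* may free dev; dev is not used again */
	}
	up(&minor_table_mutex);
	return retval;
}

/* Open, unplug while open, then an open that fails after bumping open_count.
 * Returns how many lock operations hit freed memory: 0 is correct. */
static int run_scenario(int (*open_fn)(struct adu_device *, bool))
{
	struct adu_device *dev = adu_new_device();
	open_fn(dev, false);
	dev->udev = NULL;        /* disconnect: udev gone, dev alive until release */
	open_fn(dev, true);      /* frees dev in both variants */
	return uaf_detected;
}

int main(void)
{
	printf("buggy: %d use(s) after free\n", run_scenario(adu_open_buggy));
	printf("fixed: %d use(s) after free\n", run_scenario(adu_open_fixed));
	return 0;
}
```

The scenario is the one Pete spells out: the file is open across a disconnect, so udev is already NULL when the failing open drops its reference, adu_release_internal() frees dev, and the buggy variant then unlocks a semaphore that no longer exists. Moving open_count under a lock that lives outside dev makes the unlock safe regardless of whether the release freed the device, which is the point of "there's no rule that the lock has to live inside the same structure with members it locks".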