| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <4A017B2B.1050906@windriver.com>
Date: Wed, 06 May 2009 06:57:31 -0500
From: Jason Wessel <jason.wessel@...driver.com>
To: Oliver Neukum <oliver@...kum.org>
CC: greg@...ah.com, linux-usb@...r.kernel.org,
linux-kernel@...r.kernel.org
Subject: Re: [PATCH 1/5] usb_debug: implement multi urb write
Oliver Neukum wrote:
> Am Mittwoch, 6. Mai 2009 04:00:01 schrieb Jason Wessel:
>
> in static void usb_debug_write_bulk_callback(struct urb *urb)
>
>> + if (status) {
>> + dbg("nonzero write bulk status received: %d", status);
>> + return;
>> + }
>>
>
> [..]
>
>> + spin_lock_irqsave(&priv->tx_lock, flags);
>> + --priv->tx_outstanding_urbs;
>> + spin_unlock_irqrestore(&priv->tx_lock, flags);
>>
>
> That's a clear bug. If a URB finishes, you must decrease the counter, always
> and without exception, even if status indicates an error.
>
>
Thanks Oliver,
I would agree with you on that. It also means that the ftdi_sio.c
driver has the same bug, because that is where it was derived from. You
led me to see another flaw upon further inspection in that the usb_debug
driver must also implement the chars_in_buffer() call back because the
generic serial code will cause an oops with a null pointer dereference
of the write_urb.
Cheers,
Jason.
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists