Message-Id: <1243288836.2858.5.camel@pasglop>
Date:	Tue, 26 May 2009 08:00:36 +1000
From:	Benjamin Herrenschmidt <benh@...nel.crashing.org>
To:	Alan Stern <stern@...land.harvard.edu>
Cc:	"Rafael J. Wysocki" <rjw@...k.pl>,
	Linux Kernel list <linux-kernel@...r.kernel.org>,
	linux-usb@...r.kernel.org
Subject: Re: Oops in usb-serial with keyspan adapter on current upstream

On Mon, 2009-05-25 at 11:17 -0400, Alan Stern wrote:
> On Mon, 25 May 2009, Benjamin Herrenschmidt wrote:
> 
> > Found it. Patch below.
> > 
> > usb-serial: Fix crash when sub-driver attach() returns positive value
> > 
> > This fixes a crash in usb-serial that typically happens with keyspan USB
> > devices, though it would happen potentially with anything that returns
> > a positive value from the subdriver's attach() method to indicate that
> > a FW was loaded and the device will disconnect and reconnect.
> > 
> > What happens is that we haven't yet initialized the struct device embedded
> > inside the struct usb_serial_port when we call "exit:" and return
> > from probe().
> > 
> > Later, when we get the disconnect() call, usb_serial_disconnect() tries
> > to do a device_del() and put_device() on all the ports, despite the fact
> > that in this case, the struct device wasn't initialized. This causes the
> > device core to crash (right, it should be more robust).
> 
> Very clever.  Does this simpler patch also fix the problem?

Well, both our patches are bogus in the sense that they will leak
the stuff in the port structure.

The right patch would be I think something like that (typing straight
in the mailer, I can do a "proper" patch later):

> Index: usb-2.6/drivers/usb/serial/usb-serial.c
> ===================================================================
> --- usb-2.6.orig/drivers/usb/serial/usb-serial.c
> +++ usb-2.6/drivers/usb/serial/usb-serial.c
> @@ -974,6 +974,7 @@ int usb_serial_probe(struct usb_interfac
>  		if (retval > 0) {
>  			/* quietly accept this device, but don't bind to a
>  			   serial port as it's about to disappear */
> +                       for (i = 0; i < serial->num_ports; i++) {
> +                               port_free(serial->port[i]);
> +                               serial_port[i] = NULL;
> +                       }
> +			serial->num_ports = 0;
>  			goto exit;
>  		}
>  	}
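
Review bot: the added line `serial_port[i] = NULL;` clears a different name from the one freed on the line above it (`serial->port[i]`), and it should presumably read `serial->port[i] = NULL;` so that the freed pointer does not remain in the array for a later disconnect to touch. The added loop lines are also indented with spaces where the context lines use tabs, and the `@@ -974,6 +974,7 @@` header still counts one added line while the hunk adds five, so both need regenerating before this can be applied.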

Cheers,
Ben.