[PATCH] line6: Use kmemdup rather than duplicating its implementation
From: Laurent Navet
Date: 2012-12-03 13:20 UTC
To: devel
Cc: line6linux-devel, kernel-janitors, linux-kernel, gregkh, Laurent Navet

staging: line6: driver.c

The semantic patch that makes this output is available in scripts/coccinelle/api/memdup.cocci.

Signed-off-by: Laurent Navet <laurent.navet@gmail.com>
---
 drivers/staging/line6/driver.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/drivers/staging/line6/driver.c b/drivers/staging/line6/driver.c
index f5c19b2..e1d6241 100644
--- a/drivers/staging/line6/driver.c
+++ b/drivers/staging/line6/driver.c
@@ -331,14 +331,13 @@ int line6_version_request_async(struct usb_line6 *line6) char *buffer; int retval; - buffer = kmalloc(sizeof(line6_request_version), GFP_ATOMIC); + buffer = kmemdup(line6_request_version, + sizeof(line6_request_version), GFP_ATOMIC); if (buffer == NULL) { dev_err(line6->ifcdev, "Out of memory"); return -ENOMEM; } - memcpy(buffer, line6_request_version, sizeof(line6_request_version)); - retval = line6_send_raw_message_async(line6, buffer, sizeof(line6_request_version)); kfree(buffer);
--
1.7.10.4
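Review bot: the kfree(buffer) that closes this hunk runs as soon as line6_send_raw_message_async() returns, but that call only queues the transfer (it takes the buffer by pointer and its name says it is asynchronous), so the buffer is released while the queued request may still read from it; the kmemdup() conversion itself is fine, but the free belongs in the request's completion path, not here. Minor style point in the unchanged context: the dev_err() format string "Out of memory" has no trailing "\n".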
Re: [Line6linux-devel] [PATCH] line6: Use kmemdup rather than duplicating its implementation
From: Stefan Hajnoczi
Date: 2012-12-03 16:34 UTC
To: Laurent Navet
Cc: devel, Greg Kroah-Hartman, line6linux-devel, kernel-janitors, linux-kernel

On Mon, Dec 3, 2012 at 2:20 PM, Laurent Navet <laurent.navet@gmail.com> wrote:
> staging: line6: driver.c
> The semantic patch that makes this output is available
> in scripts/coccinelle/api/memdup.cocci.
>
> Signed-off-by: Laurent Navet <laurent.navet@gmail.com>
> ---
> drivers/staging/line6/driver.c | 5 ++---
> 1 file changed, 2 insertions(+), 3 deletions(-)
>
> diff --git a/drivers/staging/line6/driver.c b/drivers/staging/line6/driver.c
> index f5c19b2..e1d6241 100644
> --- a/drivers/staging/line6/driver.c
> +++ b/drivers/staging/line6/driver.c
> @@ -331,14 +331,13 @@ int line6_version_request_async(struct usb_line6 *line6) > char *buffer; > int retval; > > - buffer = kmalloc(sizeof(line6_request_version), GFP_ATOMIC); > + buffer = kmemdup(line6_request_version, > + sizeof(line6_request_version), GFP_ATOMIC); > if (buffer == NULL) { > dev_err(line6->ifcdev, "Out of memory"); > return -ENOMEM; > } > > - memcpy(buffer, line6_request_version, sizeof(line6_request_version)); > - > retval = line6_send_raw_message_async(line6, buffer, > sizeof(line6_request_version)); > kfree(buffer);
> --
> 1.7.10.4

Your change is fine but I'm not sure whether we should allocate memory in the first place:

line6_send_raw_message_async() returns before the transfer is complete. It submits one or more URBs but I cannot see a guarantee that the buffer is no longer needed. It seems unsafe to kfree(buffer) before the request is complete.

Since we already have const char line6_request_version[] we should pass it directly without a temporary kmemdup() buffer.

Stefan
Re: [Line6linux-devel] [PATCH] line6: Use kmemdup rather than duplicating its implementation
From: Markus Grabner
Date: 2012-12-04 21:22 UTC
To: line6linux-devel
Cc: Stefan Hajnoczi, Laurent Navet, devel, Greg Kroah-Hartman, kernel-janitors, linux-kernel

On Monday, 3 December 2012, 17:34:07, Stefan Hajnoczi wrote:
> On Mon, Dec 3, 2012 at 2:20 PM, Laurent Navet <laurent.navet@gmail.com> wrote:
> > staging: line6: driver.c
> >
> > The semantic patch that makes this output is available
> > in scripts/coccinelle/api/memdup.cocci.
> >
> > Signed-off-by: Laurent Navet <laurent.navet@gmail.com>
> > ---
> >
> > drivers/staging/line6/driver.c | 5 ++---
> > 1 file changed, 2 insertions(+), 3 deletions(-)
> >
> > diff --git a/drivers/staging/line6/driver.c
> > b/drivers/staging/line6/driver.c index f5c19b2..e1d6241 100644
> > --- a/drivers/staging/line6/driver.c
> > +++ b/drivers/staging/line6/driver.c
> > @@ -331,14 +331,13 @@ int line6_version_request_async(struct usb_line6 > > *line6)> > > char *buffer; > > int retval; > > > > - buffer = kmalloc(sizeof(line6_request_version), GFP_ATOMIC); > > + buffer = kmemdup(line6_request_version, > > + sizeof(line6_request_version), GFP_ATOMIC); > > > > if (buffer == NULL) { > > > > dev_err(line6->ifcdev, "Out of memory"); > > return -ENOMEM; > > > > } > > > > - memcpy(buffer, line6_request_version, > > sizeof(line6_request_version)); - > > > > retval = line6_send_raw_message_async(line6, buffer, > > > > sizeof(line6_request_version > > )); > > > > kfree(buffer);
> >
> > --
> > 1.7.10.4
>
> Your change is fine but I'm not sure whether we should allocate memory
> in the first place:

I can't remember the precise reason for this copy operation, it was related to which type of memory is allowed for a URB data block, and memory declared with "static const char[]" at global scope in the driver is not allowed. I just verified on my system (kernel 3.4.11) that requesting the device's firmware version doesn't work when passing the line6_request_version pointer directly (instead of its kmemdup copy), so I think the kmemdup is necessary here. It's a bit unsatisfactory to make a copy just because the original data is not accessible for whatever reason, but I don't know of a better solution. Maybe somebody else can clarify this or propose an alternative method?

Kind regards,
Markus
Re: [Line6linux-devel] [PATCH] line6: Use kmemdup rather than duplicating its implementation
From: Greg Kroah-Hartman
Date: 2012-12-04 21:29 UTC
To: Markus Grabner
Cc: line6linux-devel, devel, Stefan Hajnoczi, kernel-janitors, linux-kernel, Laurent Navet

On Tue, Dec 04, 2012 at 10:22:12PM +0100, Markus Grabner wrote:
> Am Montag, 3. Dezember 2012, 17:34:07 schrieb Stefan Hajnoczi:
> > On Mon, Dec 3, 2012 at 2:20 PM, Laurent Navet <laurent.navet@gmail.com>
> wrote:
> > > staging: line6: driver.c
> > >
> > > The semantic patch that makes this output is available
> > > in scripts/coccinelle/api/memdup.cocci.
> > >
> > > Signed-off-by: Laurent Navet <laurent.navet@gmail.com>
> > > ---
> > >
> > > drivers/staging/line6/driver.c | 5 ++---
> > > 1 file changed, 2 insertions(+), 3 deletions(-)
> > >
> > > diff --git a/drivers/staging/line6/driver.c
> > > b/drivers/staging/line6/driver.c index f5c19b2..e1d6241 100644
> > > --- a/drivers/staging/line6/driver.c
> > > +++ b/drivers/staging/line6/driver.c
> > > @@ -331,14 +331,13 @@ int line6_version_request_async(struct usb_line6 > > > *line6)> > > > char *buffer; > > > int retval; > > > > > > - buffer = kmalloc(sizeof(line6_request_version), GFP_ATOMIC); > > > + buffer = kmemdup(line6_request_version, > > > + sizeof(line6_request_version), GFP_ATOMIC); > > > > > > if (buffer == NULL) { > > > > > > dev_err(line6->ifcdev, "Out of memory"); > > > return -ENOMEM; > > > > > > } > > > > > > - memcpy(buffer, line6_request_version, > > > sizeof(line6_request_version)); - > > > > > > retval = line6_send_raw_message_async(line6, buffer, > > > > > > sizeof(line6_request_version > > > )); > > > > > > kfree(buffer);
> > >
> > > --
> > > 1.7.10.4
> >
> > Your change is fine but I'm not sure whether we should allocate memory
> > in the first place:
> I can't remember the precise reason for this copy operation, it was related to
> which type of memory is allowed for a URB data block, and memory declared with
> "static const char[]" at global scope in the driver is not allowed. I just
> verified on my system (kernel 3.4.11) that requesting the device's firmware
> version doesn't work when passing the line6_request_version pointer directly
> (instead of its kmemdup copy), so I think the kmemdup is necessary here. It's
> a bit unsatisfactory to make a copy just because the original data is not
> accessible for whatever reason, but I don't know of a better solution. Maybe
> somebody else can clarify this or propose an alternative method?

Yes, all data sent to the USB bus must be dynamically created, so kmemdup is correct to use here.

thanks,

greg k-h
Re: [Line6linux-devel] [PATCH] line6: Use kmemdup rather than duplicating its implementation
From: Dan Carpenter
Date: 2012-12-04 22:25 UTC
To: Stefan Hajnoczi
Cc: Laurent Navet, devel, Greg Kroah-Hartman, line6linux-devel, kernel-janitors, linux-kernel

On Mon, Dec 03, 2012 at 05:34:07PM +0100, Stefan Hajnoczi wrote:
> On Mon, Dec 3, 2012 at 2:20 PM, Laurent Navet <laurent.navet@gmail.com> wrote:
> > staging: line6: driver.c
> > The semantic patch that makes this output is available
> > in scripts/coccinelle/api/memdup.cocci.
> >
> > Signed-off-by: Laurent Navet <laurent.navet@gmail.com>
> > ---
> > drivers/staging/line6/driver.c | 5 ++---
> > 1 file changed, 2 insertions(+), 3 deletions(-)
> >
> > diff --git a/drivers/staging/line6/driver.c b/drivers/staging/line6/driver.c
> > index f5c19b2..e1d6241 100644
> > --- a/drivers/staging/line6/driver.c
> > +++ b/drivers/staging/line6/driver.c
> > @@ -331,14 +331,13 @@ int line6_version_request_async(struct usb_line6 *line6) > > char *buffer; > > int retval; > > > > - buffer = kmalloc(sizeof(line6_request_version), GFP_ATOMIC); > > + buffer = kmemdup(line6_request_version, > > + sizeof(line6_request_version), GFP_ATOMIC); > > if (buffer == NULL) { > > dev_err(line6->ifcdev, "Out of memory"); > > return -ENOMEM; > > } > > > > - memcpy(buffer, line6_request_version, sizeof(line6_request_version)); > > - > > retval = line6_send_raw_message_async(line6, buffer, > > sizeof(line6_request_version)); > > kfree(buffer);
> > --
> > 1.7.10.4
>
> Your change is fine but I'm not sure whether we should allocate memory
> in the first place:
>
> line6_send_raw_message_async() returns before the transfer is
> complete. It submits one or more URBs but I cannot see a guarantee
> that the buffer is no longer needed. It seems unsafe to kfree(buffer)
> before the request is complete.
>

As Greg pointed out we do need to allocate the memory to make DMA work. But you're right that it is a use-after-free bug. We should move the kfree(msg->buffer) to inside line6_async_request_sent(). I can send a fix for this tomorrow, or if someone else wants to do it while I'm sleeping that's fine too. :)

regards,
dan carpenter
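The ownership problem Stefan raises and the fix Dan proposes (free the buffer from the completion handler, not right after submission) can be modelled in user space. The block below is an added example, not code from the line6 driver or from anyone in this thread: tracked_dup()/tracked_free() stand in for kmemdup()/kfree(), send_raw_message_async() and its queue stand in for line6_send_raw_message_async() and the URB machinery, request_sent() plays the role Dan assigns to line6_async_request_sent(), run_pending() plays the controller that finally reads the buffer, and the request_version bytes are a constructed message, not the driver's real line6_request_version. Freed memory is poisoned with the kernel's POISON_FREE byte (0x6b) and never returned to the allocator, so the premature free shows up as the request reading a corrupted message rather than as undefined behaviour.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the driver's static line6_request_version[]. */
static const unsigned char request_version[] = { 0xf0, 0x7e, 0x7f, 0x06, 0x01, 0xf7 };
#define REQ_LEN sizeof(request_version)

/* Stand-ins for kmemdup()/kfree(). Freed memory is poisoned and never returned
 * to the allocator (as a debug allocator would do), so a late read by the
 * queue shows up as corrupt data rather than as undefined behaviour. */
static int live_buffers;

static unsigned char *tracked_dup(const unsigned char *src, size_t len)
{
    unsigned char *p = malloc(len);
    if (!p)
        return NULL;
    memcpy(p, src, len);
    live_buffers++;
    return p;
}

static void tracked_free(unsigned char *p)
{
    if (!p)
        return;
    memset(p, 0x6b, REQ_LEN);   /* every buffer in this model is REQ_LEN long */
    live_buffers--;
}

/* Ownership check: buffers handed out by tracked_dup() and not yet freed. */
int tracked_live(void)
{
    return live_buffers;
}

/* One queued request; the completion callback, not the submitter, owns buffer. */
struct async_req { unsigned char *buffer; size_t len;
                   void (*complete)(struct async_req *); struct async_req *next; };
typedef void (*complete_fn)(struct async_req *);
static struct async_req *pending;

/* Like line6_send_raw_message_async(): queue the request and return at once. */
static int send_raw_message_async(unsigned char *buffer, size_t len, complete_fn complete)
{
    struct async_req *req = malloc(sizeof(*req));
    if (!req)
        return -ENOMEM;
    *req = (struct async_req){ buffer, len, complete, pending };
    pending = req;
    return 0;
}

/* Completion as in the hunk's world: release the request, leave buffer alone. */
static void request_sent_nofree(struct async_req *req)
{
    free(req);
}

/* Completion after the proposed fix: the transfer is over, so free buffer here. */
static void request_sent(struct async_req *req)
{
    tracked_free(req->buffer);
    free(req);
}

/* Pattern from the hunk: free right after submit, while the request is live. */
int version_request_async_buggy(void)
{
    unsigned char *buffer = tracked_dup(request_version, REQ_LEN);
    int ret = buffer ? send_raw_message_async(buffer, REQ_LEN, request_sent_nofree)
                     : -ENOMEM;
    tracked_free(buffer);   /* too early: the queue still references buffer */
    return ret;
}

/* Proposed fix: ownership passes to the request and request_sent() frees it. */
int version_request_async_fixed(void)
{
    unsigned char *buffer = tracked_dup(request_version, REQ_LEN);
    return buffer ? send_raw_message_async(buffer, REQ_LEN, request_sent) : -ENOMEM;
}

/* Drive the queue as the controller would: read each buffer, then complete.
 * Returns bytes transferred, or -EFAULT if a buffer no longer held the message. */
long run_pending(void)
{
    long total = 0;
    while (pending) {
        struct async_req *req = pending;
        pending = req->next;
        if (total >= 0 && !memcmp(req->buffer, request_version, req->len))
            total += (long)req->len;
        else
            total = -EFAULT;
        req->complete(req);
    }
    return total;
}
```

With the hunk's ordering, version_request_async_buggy() followed by run_pending() yields -EFAULT because the poisoned buffer is what the controller sees; with the fix, tracked_live() is 1 between submission and completion (the request owns the copy) and drops to 0 only once request_sent() has run, which is the invariant Dan's relocation of kfree() restores.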