linux-kernel.vger.kernel.org archive mirror
* [PATCH] line6: Use kmemdup rather than duplicating its implementation
@ 2012-12-03 13:20 Laurent Navet
From: Laurent Navet @ 2012-12-03 13:20 UTC (permalink / raw)
  To: devel
  Cc: line6linux-devel, kernel-janitors, linux-kernel, gregkh, Laurent Navet

staging: line6: driver.c
 The semantic patch that makes this output is available
 in scripts/coccinelle/api/memdup.cocci.

Signed-off-by: Laurent Navet <laurent.navet@gmail.com>
---
 drivers/staging/line6/driver.c |    5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/drivers/staging/line6/driver.c b/drivers/staging/line6/driver.c
index f5c19b2..e1d6241 100644
--- a/drivers/staging/line6/driver.c
+++ b/drivers/staging/line6/driver.c
@@ -331,14 +331,13 @@ int line6_version_request_async(struct usb_line6 *line6)
 	char *buffer;
 	int retval;
 
-	buffer = kmalloc(sizeof(line6_request_version), GFP_ATOMIC);
+	buffer = kmemdup(line6_request_version,
+			sizeof(line6_request_version), GFP_ATOMIC);
 	if (buffer == NULL) {
 		dev_err(line6->ifcdev, "Out of memory");
 		return -ENOMEM;
 	}
 
-	memcpy(buffer, line6_request_version, sizeof(line6_request_version));
-
 	retval = line6_send_raw_message_async(line6, buffer,
 					      sizeof(line6_request_version));
 	kfree(buffer);
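Review bot: kfree(buffer) on the last line of the hunk runs as soon as line6_send_raw_message_async() returns, and nothing in the hunk shows the callee copying the data before it returns; if the submitted URB still references the buffer, this is a use-after-free, and switching from kmalloc()+memcpy() to kmemdup() neither introduces nor fixes it. Either confirm that line6_send_raw_message_async() duplicates the data itself, or hand ownership of the buffer to the request and free it from the completion handler instead of here. The kmemdup() conversion itself is correct and removes the separate memcpy() and the NULL check stays in place.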
-- 
1.7.10.4



* Re: [Line6linux-devel] [PATCH] line6: Use kmemdup rather than duplicating its implementation
@ 2012-12-03 16:34 ` Stefan Hajnoczi
From: Stefan Hajnoczi @ 2012-12-03 16:34 UTC (permalink / raw)
  To: Laurent Navet
  Cc: devel, Greg Kroah-Hartman, line6linux-devel, kernel-janitors,
	linux-kernel

On Mon, Dec 3, 2012 at 2:20 PM, Laurent Navet <laurent.navet@gmail.com> wrote:
> staging: line6: driver.c
>  The semantic patch that makes this output is available
>  in scripts/coccinelle/api/memdup.cocci.
>
> Signed-off-by: Laurent Navet <laurent.navet@gmail.com>
> ---
>  drivers/staging/line6/driver.c |    5 ++---
>  1 file changed, 2 insertions(+), 3 deletions(-)
>
> diff --git a/drivers/staging/line6/driver.c b/drivers/staging/line6/driver.c
> index f5c19b2..e1d6241 100644
> --- a/drivers/staging/line6/driver.c
> +++ b/drivers/staging/line6/driver.c
> @@ -331,14 +331,13 @@ int line6_version_request_async(struct usb_line6 *line6)
>         char *buffer;
>         int retval;
>
> -       buffer = kmalloc(sizeof(line6_request_version), GFP_ATOMIC);
> +       buffer = kmemdup(line6_request_version,
> +                       sizeof(line6_request_version), GFP_ATOMIC);
>         if (buffer == NULL) {
>                 dev_err(line6->ifcdev, "Out of memory");
>                 return -ENOMEM;
>         }
>
> -       memcpy(buffer, line6_request_version, sizeof(line6_request_version));
> -
>         retval = line6_send_raw_message_async(line6, buffer,
>                                               sizeof(line6_request_version));
>         kfree(buffer);
> --
> 1.7.10.4

Your change is fine but I'm not sure whether we should allocate memory
in the first place:

line6_send_raw_message_async() returns before the transfer is
complete.  It submits one or more URBs but I cannot see a guarantee
that the buffer is no longer needed.  It seems unsafe to kfree(buffer)
before the request is complete.

Since we already have const char line6_request_version[] we should
pass it directly without a temporary kmemdup() buffer.

Stefan


* Re: [Line6linux-devel] [PATCH] line6: Use kmemdup rather than duplicating its implementation
@ 2012-12-04 21:22   ` Markus Grabner
From: Markus Grabner @ 2012-12-04 21:22 UTC (permalink / raw)
  To: line6linux-devel
  Cc: Stefan Hajnoczi, Laurent Navet, devel, Greg Kroah-Hartman,
	kernel-janitors, linux-kernel

On Monday, 3 December 2012, 17:34:07, Stefan Hajnoczi wrote:
> On Mon, Dec 3, 2012 at 2:20 PM, Laurent Navet <laurent.navet@gmail.com> wrote:
> > staging: line6: driver.c
> > 
> >  The semantic patch that makes this output is available
> >  in scripts/coccinelle/api/memdup.cocci.
> > 
> > Signed-off-by: Laurent Navet <laurent.navet@gmail.com>
> > ---
> > 
> >  drivers/staging/line6/driver.c |    5 ++---
> >  1 file changed, 2 insertions(+), 3 deletions(-)
> > 
> > diff --git a/drivers/staging/line6/driver.c
> > b/drivers/staging/line6/driver.c index f5c19b2..e1d6241 100644
> > --- a/drivers/staging/line6/driver.c
> > +++ b/drivers/staging/line6/driver.c
> > @@ -331,14 +331,13 @@ int line6_version_request_async(struct usb_line6
> > *line6)> 
> >         char *buffer;
> >         int retval;
> > 
> > -       buffer = kmalloc(sizeof(line6_request_version), GFP_ATOMIC);
> > +       buffer = kmemdup(line6_request_version,
> > +                       sizeof(line6_request_version), GFP_ATOMIC);
> > 
> >         if (buffer == NULL) {
> >         
> >                 dev_err(line6->ifcdev, "Out of memory");
> >                 return -ENOMEM;
> >         
> >         }
> > 
> > -       memcpy(buffer, line6_request_version,
> > sizeof(line6_request_version)); -
> > 
> >         retval = line6_send_raw_message_async(line6, buffer,
> >         
> >                                               sizeof(line6_request_version
> >                                               ));
> >         
> >         kfree(buffer);
> > 
> > --
> > 1.7.10.4
> 
> Your change is fine but I'm not sure whether we should allocate memory
> in the first place:
I can't remember the precise reason for this copy operation, it was related to 
which type of memory is allowed for a URB data block, and memory declared with 
"static const char[]" at global scope in the driver is not allowed. I just 
verified on my system (kernel 3.4.11) that requesting the device's firmware 
version doesn't work when passing the line6_request_version pointer directly 
(instead of its kmemdup copy), so I think the kmemdup is necessary here. It's 
a bit unsatisfactory to make a copy just because the original data is not 
accessible for whatever reason, but I don't know of a better solution. Maybe 
somebody else can clarify this or propose an alternative method?

	Kind regards,
		Markus



* Re: [Line6linux-devel] [PATCH] line6: Use kmemdup rather than duplicating its implementation
@ 2012-12-04 21:29     ` Greg Kroah-Hartman
From: Greg Kroah-Hartman @ 2012-12-04 21:29 UTC (permalink / raw)
  To: Markus Grabner
  Cc: line6linux-devel, devel, Stefan Hajnoczi, kernel-janitors,
	linux-kernel, Laurent Navet

On Tue, Dec 04, 2012 at 10:22:12PM +0100, Markus Grabner wrote:
> On Monday, 3 December 2012, 17:34:07, Stefan Hajnoczi wrote:
> > On Mon, Dec 3, 2012 at 2:20 PM, Laurent Navet <laurent.navet@gmail.com> wrote:
> > > staging: line6: driver.c
> > > 
> > >  The semantic patch that makes this output is available
> > >  in scripts/coccinelle/api/memdup.cocci.
> > > 
> > > Signed-off-by: Laurent Navet <laurent.navet@gmail.com>
> > > ---
> > > 
> > >  drivers/staging/line6/driver.c |    5 ++---
> > >  1 file changed, 2 insertions(+), 3 deletions(-)
> > > 
> > > diff --git a/drivers/staging/line6/driver.c
> > > b/drivers/staging/line6/driver.c index f5c19b2..e1d6241 100644
> > > --- a/drivers/staging/line6/driver.c
> > > +++ b/drivers/staging/line6/driver.c
> > > @@ -331,14 +331,13 @@ int line6_version_request_async(struct usb_line6
> > > *line6)> 
> > >         char *buffer;
> > >         int retval;
> > > 
> > > -       buffer = kmalloc(sizeof(line6_request_version), GFP_ATOMIC);
> > > +       buffer = kmemdup(line6_request_version,
> > > +                       sizeof(line6_request_version), GFP_ATOMIC);
> > > 
> > >         if (buffer == NULL) {
> > >         
> > >                 dev_err(line6->ifcdev, "Out of memory");
> > >                 return -ENOMEM;
> > >         
> > >         }
> > > 
> > > -       memcpy(buffer, line6_request_version,
> > > sizeof(line6_request_version)); -
> > > 
> > >         retval = line6_send_raw_message_async(line6, buffer,
> > >         
> > >                                               sizeof(line6_request_version
> > >                                               ));
> > >         
> > >         kfree(buffer);
> > > 
> > > --
> > > 1.7.10.4
> > 
> > Your change is fine but I'm not sure whether we should allocate memory
> > in the first place:
> I can't remember the precise reason for this copy operation, it was related to 
> which type of memory is allowed for a URB data block, and memory declared with 
> "static const char[]" at global scope in the driver is not allowed. I just 
> verified on my system (kernel 3.4.11) that requesting the device's firmware 
> version doesn't work when passing the line6_request_version pointer directly 
> (instead of its kmemdup copy), so I think the kmemdup is necessary here. It's 
> a bit unsatisfactory to make a copy just because the original data is not 
> accessible for whatever reason, but I don't know of a better solution. Maybe 
> somebody else can clarify this or propose an alternative method?

Yes, all data sent to the USB bus must be dynamically created, so
kmemdup is correct to use here.

thanks,

greg k-h


* Re: [Line6linux-devel] [PATCH] line6: Use kmemdup rather than duplicating its implementation
@ 2012-12-04 22:25   ` Dan Carpenter
From: Dan Carpenter @ 2012-12-04 22:25 UTC (permalink / raw)
  To: Stefan Hajnoczi
  Cc: Laurent Navet, devel, Greg Kroah-Hartman, line6linux-devel,
	kernel-janitors, linux-kernel

On Mon, Dec 03, 2012 at 05:34:07PM +0100, Stefan Hajnoczi wrote:
> On Mon, Dec 3, 2012 at 2:20 PM, Laurent Navet <laurent.navet@gmail.com> wrote:
> > staging: line6: driver.c
> >  The semantic patch that makes this output is available
> >  in scripts/coccinelle/api/memdup.cocci.
> >
> > Signed-off-by: Laurent Navet <laurent.navet@gmail.com>
> > ---
> >  drivers/staging/line6/driver.c |    5 ++---
> >  1 file changed, 2 insertions(+), 3 deletions(-)
> >
> > diff --git a/drivers/staging/line6/driver.c b/drivers/staging/line6/driver.c
> > index f5c19b2..e1d6241 100644
> > --- a/drivers/staging/line6/driver.c
> > +++ b/drivers/staging/line6/driver.c
> > @@ -331,14 +331,13 @@ int line6_version_request_async(struct usb_line6 *line6)
> >         char *buffer;
> >         int retval;
> >
> > -       buffer = kmalloc(sizeof(line6_request_version), GFP_ATOMIC);
> > +       buffer = kmemdup(line6_request_version,
> > +                       sizeof(line6_request_version), GFP_ATOMIC);
> >         if (buffer == NULL) {
> >                 dev_err(line6->ifcdev, "Out of memory");
> >                 return -ENOMEM;
> >         }
> >
> > -       memcpy(buffer, line6_request_version, sizeof(line6_request_version));
> > -
> >         retval = line6_send_raw_message_async(line6, buffer,
> >                                               sizeof(line6_request_version));
> >         kfree(buffer);
> > --
> > 1.7.10.4
> 
> Your change is fine but I'm not sure whether we should allocate memory
> in the first place:
> 
> line6_send_raw_message_async() returns before the transfer is
> complete.  It submits one or more URBs but I cannot see a guarantee
> that the buffer is no longer needed.  It seems unsafe to kfree(buffer)
> before the request is complete.
> 

As Greg pointed out we do need to allocate the memory to make DMA
work.  But you're right that it is a use after free bug.  We should
move the kfree(msg->buffer) to inside line6_async_request_sent().
I can send a fix for this tomorrow or if someone else wants to do it
while I'm sleeping that's fine too.  :)

regards,
dan carpenter


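A userspace model of the ownership rule Dan describes, added here as an illustration and not code from the line6 driver: the request copies the caller's data into a heap buffer it owns (what kmemdup() does in the driver) and the completion routine, not the submitter, is the one place that frees it, so the buffer is still valid for as long as the transfer is in flight. The structure and function names are hypothetical, and the queue stands in for the USB core's asynchronous completion.

```c
#include <stdlib.h>
#include <string.h>

/* One queued request. Once submitted, the request owns `buffer`; if the
 * submitter frees it, the completion path touches freed memory. */
struct async_msg {
	char *buffer;
	size_t size;
	struct async_msg *next;
};

static struct async_msg *pending;   /* submitted, not yet completed */

/* Completion routine: the only place the buffer is released (Dan's fix). */
static size_t async_request_sent(struct async_msg *msg)
{
	size_t n = msg->size;   /* bytes that were still valid at completion */
	free(msg->buffer);
	free(msg);
	return n;
}

/* Submit: copy the caller's data, which may be static const and therefore
 * unusable as a transfer buffer, into a heap buffer the request owns (what
 * kmemdup() does in the driver), then return before the transfer completes. */
int send_raw_message_async(const char *data, size_t size)
{
	struct async_msg *msg = malloc(sizeof(*msg));
	if (!msg) return -1;
	msg->buffer = malloc(size);
	if (!msg->buffer) { free(msg); return -1; }
	memcpy(msg->buffer, data, size);
	msg->size = size;
	msg->next = pending;
	pending = msg;
	return 0;   /* caller must NOT free `data`'s copy; the request owns it */
}

/* Drive every outstanding completion, as the USB core would do later;
 * returns the total bytes handed to the completion routine. */
size_t run_completions(void)
{
	size_t total = 0;
	while (pending) {
		struct async_msg *msg = pending;
		pending = msg->next;
		total += async_request_sent(msg);
	}
	return total;
}
```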
