Hi,
In the raw1394 driver the failure handling for
a __copy_to_user call is missing.
With friendly regards,
Takis
--
K.U.Leuven, Mechanical Eng., Mechatronics & Robotics Research Group
http://people.mech.kuleuven.ac.be/~pissaris/
Hi,
On Wed, 2005-03-02 at 12:10 +0100, Panagiotis Issaris wrote:
> In the raw1394 driver the failure handling for
> a __copy_to_user call is missing.
Your patch is obviously incorrect as it doesn't free the request before
it returns.
Best regards,
Anton
--
Anton Altaparmakov <aia21 at cam.ac.uk> (replace at with @)
Unix Support, Computing Service, University of Cambridge, CB2 3QH, UK
Linux NTFS maintainer / IRC: #ntfs on irc.freenode.net
WWW: http://linux-ntfs.sf.net/ & http://www-stu.christs.cam.ac.uk/~aia21/
On Wed, 02 Mar 2005 12:10:50 +0100 Panagiotis Issaris wrote:
> In the raw1394 driver the failure handling for
> a __copy_to_user call is missing.
>
> With friendly regards,
> Takis
>
> --
> K.U.Leuven, Mechanical Eng., Mechatronics & Robotics Research Group
> http://people.mech.kuleuven.ac.be/~pissaris/
>
>
>
> [pi-20050302T114855-linux_2_6_11-raw1394_copy_to_user_failure_handling.diff text/x-patch (922 bytes)]
> diff -pruN linux-2.6.11/drivers/ieee1394/raw1394.c linux-2.6.11-pi/drivers/ieee1394/raw1394.c
> --- linux-2.6.11/drivers/ieee1394/raw1394.c 2005-03-02 11:44:26.000000000 +0100
> +++ linux-2.6.11-pi/drivers/ieee1394/raw1394.c 2005-03-02 11:47:38.000000000 +0100
> @@ -443,7 +443,8 @@ static ssize_t raw1394_read(struct file
> req->req.error = RAW1394_ERROR_MEMFAULT;
> }
> }
> - __copy_to_user(buffer, &req->req, sizeof(req->req));
> + if (__copy_to_user(buffer, &req->req, sizeof(req->req)))
> + return -EFAULT;
Bug: "req" is not freed in the failure case.
>
> free_pending_request(req);
> return sizeof(struct raw1394_request);
>
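Review bot: The new `return -EFAULT;` leaves raw1394_read before the `free_pending_request(req);` call that follows in the context lines, so req is leaked whenever the copy fails. Free the request inside the failure branch before returning, or keep the error in a local variable, fall through to the single free_pending_request(req), and return the stored value afterwards.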
Hi,
Anton Altaparmakov wrote:
>On Wed, 2005-03-02 at 12:10 +0100, Panagiotis Issaris wrote:
>
>
>>In the raw1394 driver the failure handling for
>>a __copy_to_user call is missing.
>>
>>
>
>Your patch is obviously incorrect as it doesn't free the request before
>it returns.
>
>
Oops. Thanks for replying! Any more problems with the updated
patch?
With friendly regards,
Takis
--
K.U.Leuven, Mechanical Eng., Mechatronics & Robotics Research Group
http://people.mech.kuleuven.ac.be/~pissaris/
On Wed, 02 Mar 2005 13:28:23 +0100, Panagiotis Issaris
<[email protected]> wrote:
> Hi,
>
> Anton Altaparmakov wrote:
>
> >On Wed, 2005-03-02 at 12:10 +0100, Panagiotis Issaris wrote:
> >
> >
> >>In the raw1394 driver the failure handling for
> >>a __copy_to_user call is missing.
> >>
> >>
> >
> >Your patch is obviously incorrect as it doesn't free the request before
> >it returns.
> >
> >
> Oops. Thanks for replying! Any more problems with the updated
> patch?
>
Formatting... Opening curly brace should go on the same line with "if".
--
Dmitry
Hi,
Dmitry Torokhov wrote:
>On Wed, 02 Mar 2005 13:28:23 +0100, Panagiotis Issaris
><[email protected]> wrote:
>
>
>>Oops. Thanks for replying! Any more problems with the updated
>>patch?
>>
>>
>Formatting... Opening curly brace should go on the same line with "if".
>
>
Thanks. Here's my third try :-)
With friendly regards,
Takis
--
K.U.Leuven, Mechanical Eng., Mechatronics & Robotics Research Group
http://people.mech.kuleuven.ac.be/~pissaris/
> Thanks. Here's my third try :-)
>
> With friendly regards,
> Takis
I'll apply this to the 1394 tree and send it to Linus after testing if
you add a Signed-off-by: line per Documentation/SubmittingPatches .
Also, please cc [email protected] with ieee1394
changes.
Thanks,
Jody
>
> --
> K.U.Leuven, Mechanical Eng., Mechatronics & Robotics Research Group
> http://people.mech.kuleuven.ac.be/~pissaris/
>
> diff -pruN linux-2.6.11/drivers/ieee1394/raw1394.c linux-2.6.11-pi/drivers/ieee1394/raw1394.c
> --- linux-2.6.11/drivers/ieee1394/raw1394.c 2005-03-02 11:44:26.000000000 +0100
> +++ linux-2.6.11-pi/drivers/ieee1394/raw1394.c 2005-03-02 15:27:15.000000000 +0100
> @@ -443,7 +443,10 @@ static ssize_t raw1394_read(struct file
> req->req.error = RAW1394_ERROR_MEMFAULT;
> }
> }
> - __copy_to_user(buffer, &req->req, sizeof(req->req));
> + if (__copy_to_user(buffer, &req->req, sizeof(req->req))) {
> + free_pending_request(req);
> + return -EFAULT;
> + }
>
> free_pending_request(req);
> return sizeof(struct raw1394_request);
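Review bot: free_pending_request(req) now appears twice, once inside the new failure branch and once directly after it, so any later change to the cleanup has to be made in both places. Consider capturing the result of __copy_to_user first, calling free_pending_request(req) once, and then returning either -EFAULT or the size.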
--
Hi,
Jody McIntyre wrote:
>I'll apply this to the 1394 tree and send it to Linus after testing if
>you add a Signed-off-by: line per Documentation/SubmittingPatches .
>Also, please cc [email protected] with ieee1394
>changes.
>
Sure! Thanks!
Adds the missing failure handling for a __copy_to_user call.
Signed-off-by: Panagiotis Issaris <[email protected]>
diff -pruN linux-2.6.11/drivers/ieee1394/raw1394.c linux-2.6.11-pi/drivers/ieee1394/raw1394.c
--- linux-2.6.11/drivers/ieee1394/raw1394.c 2005-03-02 11:44:26.000000000 +0100
+++ linux-2.6.11-pi/drivers/ieee1394/raw1394.c 2005-03-02 15:27:15.000000000 +0100
@@ -443,7 +443,10 @@ static ssize_t raw1394_read(struct file
req->req.error = RAW1394_ERROR_MEMFAULT;
}
}
- __copy_to_user(buffer, &req->req, sizeof(req->req));
+ if (__copy_to_user(buffer, &req->req, sizeof(req->req))) {
+ free_pending_request(req);
+ return -EFAULT;
+ }
free_pending_request(req);
return sizeof(struct raw1394_request);
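Review bot: Fault reporting in this path is now split between two mechanisms: the context lines above the change record a fault inside the request with `req->req.error = RAW1394_ERROR_MEMFAULT;`, while the new branch reports one through the read() return value as -EFAULT. The changelog, or a short comment above the new branch, should state why this failure is reported through the return value rather than in the request, so callers know which of the two to check.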
--
K.U.Leuven, Mechanical Eng., Mechatronics & Robotics Research Group
http://people.mech.kuleuven.ac.be/~pissaris/
Hi Jody,
My previous e-mail seemed to be messed up by Thunderbird... so now I'm using good
old Mutt again.
On Thu, Mar 03, 2005 at 04:48:43PM -0500 or thereabouts, Jody McIntyre wrote:
> > Thanks. Here's my third try :-)
> >
> > With friendly regards,
> > Takis
>
> I'll apply this to the 1394 tree and send it to Linus after testing if
> you add a Signed-off-by: line per Documentation/SubmittingPatches .
> Also, please cc [email protected] with ieee1394
> changes.
Sure! Thanks!
Adds the missing failure handling for a __copy_to_user call.
Signed-off-by: Panagiotis Issaris <[email protected]>
diff -pruN linux-2.6.11/drivers/ieee1394/raw1394.c linux-2.6.11-pi/drivers/ieee1394/raw1394.c
--- linux-2.6.11/drivers/ieee1394/raw1394.c 2005-03-02 11:44:26.000000000 +0100
+++ linux-2.6.11-pi/drivers/ieee1394/raw1394.c 2005-03-02 15:27:15.000000000 +0100
@@ -443,7 +443,10 @@ static ssize_t raw1394_read(struct file
req->req.error = RAW1394_ERROR_MEMFAULT;
}
}
- __copy_to_user(buffer, &req->req, sizeof(req->req));
+ if (__copy_to_user(buffer, &req->req, sizeof(req->req))) {
+ free_pending_request(req);
+ return -EFAULT;
+ }
free_pending_request(req);
return sizeof(struct raw1394_request);
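Review bot: The call being checked is still __copy_to_user, the variant that skips the access_ok() range check on the destination, and no such check on buffer is visible in this hunk. Please confirm that raw1394_read validates buffer earlier in the function, or switch to copy_to_user here so the range check and the fault check happen in the same call.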
--
K.U.Leuven, Mechanical Eng., Mechatronics & Robotics Research Group
http://people.mech.kuleuven.ac.be/~pissaris/
On Thu, Mar 03, 2005 at 11:55:09PM +0100, Panagiotis Issaris wrote:
> Adds the missing failure handling for a __copy_to_user call.
>
>
> Signed-off-by: Panagiotis Issaris <[email protected]>
Sorry I didn't notice this sooner, but this was already fixed and has
been sent to Linus (hopefully to appear in 2.6.12.)
Jody
>
> diff -pruN linux-2.6.11/drivers/ieee1394/raw1394.c linux-2.6.11-pi/drivers/ieee1394/raw1394.c
> --- linux-2.6.11/drivers/ieee1394/raw1394.c 2005-03-02 11:44:26.000000000 +0100
> +++ linux-2.6.11-pi/drivers/ieee1394/raw1394.c 2005-03-02 15:27:15.000000000 +0100
> @@ -443,7 +443,10 @@ static ssize_t raw1394_read(struct file
> req->req.error = RAW1394_ERROR_MEMFAULT;
> }
> }
> - __copy_to_user(buffer, &req->req, sizeof(req->req));
> + if (__copy_to_user(buffer, &req->req, sizeof(req->req))) {
> + free_pending_request(req);
> + return -EFAULT;
> + }
>
> free_pending_request(req);
> return sizeof(struct raw1394_request);
>
>
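Review bot: The copy length and the success return value are written as two different expressions, sizeof(req->req) in the changed call and sizeof(struct raw1394_request) in the final return, so the byte count reported to the caller matches the bytes copied only while those two types stay identical. Using the same expression in both places removes that assumption.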
> --
> K.U.Leuven, Mechanical Eng., Mechatronics & Robotics Research Group
> http://people.mech.kuleuven.ac.be/~pissaris/
>
> -
> To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
> the body of a message to [email protected]
> More majordomo info at http://vger.kernel.org/majordomo-info.html
> Please read the FAQ at http://www.tux.org/lkml/
--
On Saturday 05 March 2005 13:47, Jody McIntyre wrote:
>On Thu, Mar 03, 2005 at 11:55:09PM +0100, Panagiotis Issaris wrote:
>> Adds the missing failure handling for a __copy_to_user call.
>>
>>
>> Signed-off-by: Panagiotis Issaris <[email protected]>
>
>Sorry I didn't notice this sooner, but this was already fixed and
> has been sent to Linus (hopefully to appear in 2.6.12.)
>
>Jody
Jody, Panagiotis; A much more complete patch is already sitting in
the bk queue. This is a relatively small piece of that one. You can
get it from:
<ftp.kernel.org/pub/linux/kernel/people/akpm/patches/2.6/2.6.11/2.6.11-mm1/broken-out>
As the bk-ieee1394.patch you can see there.
>> diff -pruN linux-2.6.11/drivers/ieee1394/raw1394.c
>> linux-2.6.11-pi/drivers/ieee1394/raw1394.c ---
>> linux-2.6.11/drivers/ieee1394/raw1394.c 2005-03-02
>> 11:44:26.000000000 +0100 +++
>> linux-2.6.11-pi/drivers/ieee1394/raw1394.c 2005-03-02
>> 15:27:15.000000000 +0100 @@ -443,7 +443,10 @@ static ssize_t
>> raw1394_read(struct file req->req.error = RAW1394_ERROR_MEMFAULT;
>> }
>> }
>> - __copy_to_user(buffer, &req->req, sizeof(req->req));
>> + if (__copy_to_user(buffer, &req->req, sizeof(req->req)))
>> { + free_pending_request(req);
>> + return -EFAULT;
>> + }
>>
>> free_pending_request(req);
>> return sizeof(struct raw1394_request);
>>
>>
>> --
>> K.U.Leuven, Mechanical Eng., Mechatronics & Robotics Research
>> Group http://people.mech.kuleuven.ac.be/~pissaris/
>>
--
Cheers, Gene
"There are four boxes to be used in defense of liberty:
soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
99.34% setiathome rank, not too shabby for a WV hillbilly
Yahoo.com attorneys please note, additions to this message
by Gene Heskett are:
Copyright 2005 by Maurice Eugene Heskett, all rights reserved.