All of lore.kernel.org
 help / color / mirror / Atom feed
From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
To: Valentina Manea <valentina.manea.m@gmail.com>,
	Shuah Khan <shuah@kernel.org>,
	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Arnd Bergmann <arnd@arndb.de>,
	linux-usb@vger.kernel.org,
	Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Subject: [PATCH v4 06/12] usb: usbip: fix error handling of kthread_get_run()
Date: Fri,  5 Mar 2021 00:24:49 +0900	[thread overview]
Message-ID: <20210304152455.3685-7-penguin-kernel@I-love.SAKURA.ne.jp> (raw)
In-Reply-To: <20210304152455.3685-1-penguin-kernel@I-love.SAKURA.ne.jp>

syzbot is reporting an ERR_PTR(-EINTR) pointer dereference at
vhci_shutdown_connection() [1], for kthread_create() became killable due
to commit 786235eeba0e1e85 ("kthread: make kthread_create() killable").

When SIGKILLed while attach_store() is calling kthread_get_run(),
ERR_PTR(-EINTR) is stored into vdev->ud.tcp_{rx,tx}, and then
kthread_stop_put() is called on vdev->ud.tcp_{rx,tx} from
vhci_shutdown_connection() because vdev->ud.tcp_{rx,tx} != NULL.

Prior to commit 9720b4bc76a83807 ("staging/usbip: convert to kthread"),
"current" pointer is assigned to vdev->ud.tcp_{rx,tx} by usbip_thread()
kernel thread, and hence vdev->ud.tcp_{rx,tx} != NULL means a valid task
pointer.

Therefore, make kthread_get_run() return NULL when kthread_create()
failed. This patch only fixes error pointer dereference problem, for
the code prior to that commit was already providing manual recovery
interface.

[1] https://syzkaller.appspot.com/bug?extid=a93fba6d384346a761e3

Reported-by: syzbot <syzbot+a93fba6d384346a761e3@syzkaller.appspotmail.com>
Reported-by: syzbot <syzbot+bf1a360e305ee719e364@syzkaller.appspotmail.com>
Tested-by: syzbot <syzbot+a93fba6d384346a761e3@syzkaller.appspotmail.com>
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Fixes: 9720b4bc76a83807 ("staging/usbip: convert to kthread")
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
---
 drivers/usb/usbip/usbip_common.h | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/usb/usbip/usbip_common.h b/drivers/usb/usbip/usbip_common.h
index f8e16c75b154..6e2a80b1633d 100644
--- a/drivers/usb/usbip/usbip_common.h
+++ b/drivers/usb/usbip/usbip_common.h
@@ -291,6 +291,8 @@ struct usbip_device {
 	if (!IS_ERR(__k)) {						   \
 		get_task_struct(__k);					   \
 		wake_up_process(__k);					   \
+	} else {							   \
+		__k = NULL;						   \
 	}								   \
 	__k;								   \
 })
-- 
2.18.4


  parent reply	other threads:[~2021-03-04 15:27 UTC|newest]

Thread overview: 49+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-11-13  7:21 general protection fault in tomoyo_socket_sendmsg_permission syzbot
2020-11-13 10:49 ` Tetsuo Handa
     [not found] ` <20201113120055.11748-1-hdanton@sina.com>
2020-11-13 17:14   ` Shuah Khan
2021-01-28  6:09     ` Tetsuo Handa
     [not found]       ` <2b70d360-a293-4acb-ea6c-2badda5e8b8b@linuxfoundation.org>
2021-01-29  5:48         ` Tetsuo Handa
     [not found]           ` <6b8da36f-a994-7604-77f4-52e29434605f@linuxfoundation.org>
2021-01-29 17:08             ` Tetsuo Handa
2021-01-29 21:18               ` Shuah Khan
2021-01-30  2:25                 ` Tetsuo Handa
2021-02-10 18:17                   ` Shuah Khan
2021-02-10 19:07                     ` Tetsuo Handa
2021-02-10 19:29                       ` Shuah Khan
2021-02-11  1:14                         ` Tetsuo Handa
2021-02-12  1:34                           ` Shuah Khan
2021-02-12  2:22                             ` Tetsuo Handa
2021-02-12  4:58                               ` Tetsuo Handa
2021-02-12 20:02                                 ` Shuah Khan
2021-02-13 10:02                                   ` Tetsuo Handa
2021-02-13 10:10                                     ` Greg Kroah-Hartman
2021-02-13 10:10                                     ` Greg Kroah-Hartman
2021-02-19  0:33 ` [PATCH] usb: usbip: serialize attach/detach operations Tetsuo Handa
2021-02-19  9:47   ` [PATCH (repost)] " Tetsuo Handa
2021-02-19 15:08     ` [PATCH v2] " Tetsuo Handa
2021-02-19 15:53       ` Greg Kroah-Hartman
2021-02-19 16:00         ` Shuah Khan
2021-02-20  1:10           ` Tetsuo Handa
2021-02-20  6:58             ` Greg Kroah-Hartman
2021-02-20  9:51               ` Tetsuo Handa
2021-02-22 15:34                 ` Shuah Khan
2021-02-23  1:51                   ` Tetsuo Handa
2021-02-23  1:59               ` [PATCH v3] " Tetsuo Handa
2021-02-26  0:00                 ` Shuah Khan
2021-02-26  0:10                   ` Tetsuo Handa
2021-02-26 15:04                     ` Shuah Khan
2021-03-04 15:24                       ` [PATCH v4 00/12] " Tetsuo Handa
2021-03-04 15:24                         ` [PATCH v4 01/12] usb: usbip: introduce usbip_event_mutex for serialization Tetsuo Handa
2021-03-04 15:24                         ` [PATCH v4 02/12] usb: usbip: vhci: serialize attach_store()/detach_store() against event_handler() Tetsuo Handa
2021-03-04 15:24                         ` [PATCH v4 03/12] usb: usbip: vudc: serialize usbip_sockfd_store() " Tetsuo Handa
2021-03-04 15:24                         ` [PATCH v4 04/12] usb: usbip: stub: " Tetsuo Handa
2021-03-04 15:24                         ` [PATCH v4 05/12] usb: usbip: don't reset tcp_socket at vhci_device_reset() Tetsuo Handa
2021-03-04 15:24                         ` Tetsuo Handa [this message]
2021-03-04 15:24                         ` [PATCH v4 07/12] usb: usbip: preallocate kernel threads for consistent attach operation Tetsuo Handa
2021-03-04 15:24                         ` [PATCH v4 08/12] usb: usbip: check that stream socket is used Tetsuo Handa
2021-03-04 15:24                         ` [PATCH v4 09/12] usb: usbip: vhci: add automatic recovery to attach_store() Tetsuo Handa
2021-03-04 15:24                         ` [PATCH v4 10/12] usb: usbip: vudc: add automatic recovery to usbip_sockfd_store() Tetsuo Handa
2021-03-04 15:24                         ` [PATCH v4 11/12] usb: usbip: stub: " Tetsuo Handa
2021-03-04 15:24                         ` [PATCH v4 12/12] usb: usbip: remove unused kthread_get_run() Tetsuo Handa
2021-03-04 15:52                         ` [PATCH v4 00/12] usb: usbip: serialize attach/detach operations Shuah Khan
2021-03-05 10:06                           ` Tetsuo Handa
2021-03-05 14:44                             ` Shuah Khan

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20210304152455.3685-7-penguin-kernel@I-love.SAKURA.ne.jp \
    --to=penguin-kernel@i-love.sakura.ne.jp \
    --cc=arnd@arndb.de \
    --cc=gregkh@linuxfoundation.org \
    --cc=linux-usb@vger.kernel.org \
    --cc=shuah@kernel.org \
    --cc=valentina.manea.m@gmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.