From: Shuah Khan <skhan@linuxfoundation.org>
To: shuah@kernel.org, valentina.manea.m@gmail.com,
	gregkh@linuxfoundation.org
Cc: Shuah Khan <skhan@linuxfoundation.org>,
	linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org,
	penguin-kernel@I-love.SAKURA.ne.jp
Subject: [PATCH 0/6] usbip fixes to crashes found by syzbot
Date: Sun,  7 Mar 2021 20:53:25 -0700	[thread overview]
Message-ID: <cover.1615171203.git.skhan@linuxfoundation.org> (raw)

This patch series fixes the following problems found in syzbot
fuzzing.

1. The first 3 patches fix usbip-host, vhci_hcd, vudc sub-drivers to
   validate the passed-in file descriptor is a stream socket. If the
   file descriptor passed was a SOCK_DGRAM socket, sock_recvmsg()
   can't detect end of stream. Reported and fix suggested by Tetsuo Handa.
2. All 3 sub-drivers use a common kthread_get_run() to create and
   start threads. There are races in updating the local and shared status
   in the current stub-up (usbip-host, vudc) and attach (vhci) sequences
   resulting in crashes. These stem from starting rx and tx threads before
   local and shared state is updated correctly to be in sync.

    1. Doesn't handle kthread_create() error and saves invalid ptr in local
       state that drives rx and tx threads. Reported and fix suggested by
       Tetsuo Handa.
    2. Updates tcp_socket and sockfd, starts stub_rx and stub_tx threads
       before updating usbip_device status to correct state. This opens up
       a race condition between the threads and tear down sequences.

TODO: Once these fixes are in, kthread_get_run() macro can be removed
      in a cleanup patch.

Credit goes to syzbot and Tetsuo Handa for finding and root-causing the
kthread_get_run() improper error handling problem and others. This is a
hard problem to find and debug since the races aren't seen in a normal
case. Fuzzing forces the race window to be small enough for the
kthread_get_run() error path bug and starting threads before updating the
local and shared state bug in the stub-up sequence.

Shuah Khan (6):
  usbip: fix stub_dev to check for stream socket
  usbip: fix vhci_hcd to check for stream socket
  usbip: fix vudc to check for stream socket
  usbip: fix stub_dev usbip_sockfd_store() races leading to gpf
  usbip: fix vhci_hcd attach_store() races leading to gpf
  usbip: fix vudc usbip_sockfd_store races leading to gpf

 drivers/usb/usbip/stub_dev.c   | 42 ++++++++++++++++++++++++-----
 drivers/usb/usbip/vhci_sysfs.c | 39 +++++++++++++++++++++++----
 drivers/usb/usbip/vudc_sysfs.c | 49 +++++++++++++++++++++++++++++-----
 3 files changed, 111 insertions(+), 19 deletions(-)

-- 
2.27.0
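Added example, not part of this patch series or the usbip drivers: a userspace analogue of the "must be a stream socket" check that patches 1-3 add. In the kernel the sub-drivers inspect the socket type of the fd written to the sysfs attribute; here the same decision is made with getsockopt(SO_TYPE), which also rejects non-socket fds (ENOTSOCK). The function names validate_stream_socket, check_socketpair_type and check_pipe_fd are hypothetical helpers written for this example; the socketpair and pipe inputs are constructed locally so it runs offline.

```c
/* Added example (not from the usbip series): reject any fd that is not a
 * SOCK_STREAM socket before handing it to code that relies on stream
 * semantics (end-of-stream detection on recv). */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Return 0 if fd is a SOCK_STREAM socket, -EINVAL if it is a socket of any
 * other type (e.g. SOCK_DGRAM), -ENOTSOCK if it is not a socket at all, or
 * -errno for any other getsockopt() failure. Hypothetical helper name. */
int validate_stream_socket(int fd)
{
	int type;
	socklen_t len = sizeof(type);

	if (getsockopt(fd, SOL_SOCKET, SO_TYPE, &type, &len) < 0)
		return -errno;	/* ENOTSOCK for pipes, regular files, ... */
	if (type != SOCK_STREAM)
		return -EINVAL;	/* datagram sockets have no end-of-stream */
	return 0;
}

/* Constructed input: an AF_UNIX socketpair of the requested type. Runs the
 * check on one end, closes both ends, and returns the check result. */
int check_socketpair_type(int type)
{
	int sv[2];
	int rc;

	if (socketpair(AF_UNIX, type, 0, sv) < 0)
		return -errno;
	rc = validate_stream_socket(sv[0]);
	close(sv[0]);
	close(sv[1]);
	return rc;
}

/* Constructed input: a pipe read end, i.e. a valid fd that is not a socket. */
int check_pipe_fd(void)
{
	int p[2];
	int rc;

	if (pipe(p) < 0)
		return -errno;
	rc = validate_stream_socket(p[0]);
	close(p[0]);
	close(p[1]);
	return rc;
}

int main(void)
{
	int rc;

	rc = check_socketpair_type(SOCK_STREAM);
	printf("SOCK_STREAM pair: %d (%s)\n", rc, rc ? strerror(-rc) : "accepted");
	rc = check_socketpair_type(SOCK_DGRAM);
	printf("SOCK_DGRAM pair:  %d (%s)\n", rc, rc ? strerror(-rc) : "accepted");
	rc = check_pipe_fd();
	printf("pipe fd:          %d (%s)\n", rc, rc ? strerror(-rc) : "accepted");
	return 0;
}
```

The point mirrors the series: the type check must run before the fd is stored anywhere or any worker is started, since a SOCK_DGRAM fd is otherwise accepted and only misbehaves later, when the receive path never sees end of stream.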
