From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
To: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
Valentina Manea <valentina.manea.m@gmail.com>,
Shuah Khan <shuah@kernel.org>
Cc: Shuah Khan <skhan@linuxfoundation.org>,
Hillf Danton <hdanton@sina.com>,
linux-usb@vger.kernel.org,
Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>,
Arnd Bergmann <arnd@arndb.de>
Subject: [PATCH] usb: usbip: fix error handling of kthread_get_run()
Date: Fri, 5 Feb 2021 22:57:06 +0900 [thread overview]
Message-ID: <20210205135707.4574-1-penguin-kernel@I-love.SAKURA.ne.jp> (raw)
In-Reply-To: <000000000000414db905b6e9bae8@google.com>
syzbot is reporting a crash at vhci_shutdown_connection() [1]. It turned
out that it was not a NULL pointer dereference but an ERR_PTR(-EINTR)
pointer dereference, for kthread_create() became killable due to
commit 786235eeba0e1e85 ("kthread: make kthread_create() killable").
When SIGKILLed while attach_store() is calling kthread_get_run(),
ERR_PTR(-EINTR) is stored into vdev->ud.tcp_{rx,tx}, and then
kthread_stop_put() is called on vdev->ud.tcp_{rx,tx} from
vhci_shutdown_connection() because vdev->ud.tcp_{rx,tx} != NULL.
Prior to commit 9720b4bc76a83807 ("staging/usbip: convert to kthread"),
"current" pointer is assigned to vdev->ud.tcp_{rx,tx} by usbip_thread()
kernel thread, and hence vdev->ud.tcp_{rx,tx} != NULL meant a valid task
pointer. Therefore, we should make kthread_get_run() return NULL when
kthread_create() failed.
[1] https://syzkaller.appspot.com/bug?id=c21c07f3d51769405e8efc027bdb927515dcc7d6
Reported-by: syzbot <syzbot+a93fba6d384346a761e3@syzkaller.appspotmail.com>
Reported-by: syzbot <syzbot+bf1a360e305ee719e364@syzkaller.appspotmail.com>
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Fixes: 9720b4bc76a83807 ("staging/usbip: convert to kthread")
Cc: Arnd Bergmann <arnd@arndb.de>
---
drivers/usb/usbip/usbip_common.h | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/usb/usbip/usbip_common.h b/drivers/usb/usbip/usbip_common.h
index 8be857a4fa13..a7c68097aa1d 100644
--- a/drivers/usb/usbip/usbip_common.h
+++ b/drivers/usb/usbip/usbip_common.h
@@ -286,6 +286,8 @@ struct usbip_device {
if (!IS_ERR(__k)) { \
get_task_struct(__k); \
wake_up_process(__k); \
+ } else { \
+ __k = NULL; \
} \
__k; \
})
--
2.18.4
next prev parent reply other threads:[~2021-02-05 14:00 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-12-20 18:44 KASAN: null-ptr-deref Write in vhci_shutdown_connection syzbot
2021-02-05 13:57 ` Tetsuo Handa [this message]
2021-02-05 16:27 ` [PATCH] usb: usbip: fix error handling of kthread_get_run() Shuah Khan
2021-02-06 1:08 ` Tetsuo Handa
2021-02-10 18:11 ` Shuah Khan
2021-02-10 18:16 ` Tetsuo Handa
2021-02-10 18:20 ` Shuah Khan
2021-02-10 18:43 ` Tetsuo Handa
2021-02-10 20:15 ` Shuah Khan
2021-02-11 1:04 ` Tetsuo Handa
2021-02-11 3:01 ` Tetsuo Handa
2021-02-11 13:40 ` Tetsuo Handa
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210205135707.4574-1-penguin-kernel@I-love.SAKURA.ne.jp \
--to=penguin-kernel@i-love.sakura.ne.jp \
--cc=arnd@arndb.de \
--cc=gregkh@linuxfoundation.org \
--cc=hdanton@sina.com \
--cc=linux-usb@vger.kernel.org \
--cc=shuah@kernel.org \
--cc=skhan@linuxfoundation.org \
--cc=valentina.manea.m@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).