Message-ID: <8dc1e893-4338-90ff-ea61-de727cad1d11@i-love.sakura.ne.jp>
Date: Thu, 11 Mar 2021 22:24:43 +0900
From: Tetsuo Handa <penguin-kernel@...ove.sakura.ne.jp>
To: Greg KH <gregkh@...uxfoundation.org>
Cc: Shuah Khan <skhan@...uxfoundation.org>, shuah@...nel.org,
valentina.manea.m@...il.com, linux-usb@...r.kernel.org,
linux-kernel@...r.kernel.org
Subject: Re: [PATCH 0/6] usbip fixes to crashes found by syzbot
On 2021/03/11 21:57, Greg KH wrote:
> On Thu, Mar 11, 2021 at 09:34:38PM +0900, Tetsuo Handa wrote:
>> On 2021/03/11 3:33, Greg KH wrote:
>>> On Sun, Mar 07, 2021 at 08:53:25PM -0700, Shuah Khan wrote:
>>>> This patch series fixes the following problems found in syzbot
>>>> fuzzing.
>>>
>>> Thanks for these, all now queued up.
>>
>> I send SIGSTOP to
>>
>> [PATCH 4/6] usbip: fix stub_dev usbip_sockfd_store() races leading to gpf
>> [PATCH 5/6] usbip: fix vhci_hcd attach_store() races leading to gpf
>> [PATCH 6/6] usbip: fix vudc usbip_sockfd_store races leading to gpf
>>
>> because these patches merely converted a NULL pointer dereference bug to a use-after-free bug
>> by breaking kthread_get_run() into kthread_create()/get_task_struct()/wake_up_process().
>
> I'll take follow-on patches to fix that other issue, if it's proven to
> be valid. It's nice to fix up NULL dereference issues as soon as
> possible :)
Not an "other issue". Shuah's [PATCH 4,5,6/6] are failing to fix the NULL pointer dereference issue.
These patches simply replace the NULL pointer dereference issue (caused by preemption) with a
use-after-free issue (caused by exactly the same preemption). Shuah has to understand
the consequence of calling wake_up_process() on the rx thread in order to fix this NULL pointer
dereference issue.
The only fix we can safely apply now is
https://lkml.kernel.org/r/20210205135707.4574-1-penguin-kernel@I-love.SAKURA.ne.jp .
Since Shuah and I agreed that we will remove kthread_get_run(), it is nice to fix up the
frequently happening -EINTR pointer dereference issue as soon as possible.