Re: [PATCH 0/6] usbip fixes to crashes found by syzbot

On 2021/03/11 21:57, Greg KH wrote:
> On Thu, Mar 11, 2021 at 09:34:38PM +0900, Tetsuo Handa wrote:
>> On 2021/03/11 3:33, Greg KH wrote:
>>> On Sun, Mar 07, 2021 at 08:53:25PM -0700, Shuah Khan wrote:
>>>> This patch series fixes the following problems found in syzbot
>>>> fuzzing.
>>>
>>> Thanks for these, all now queued up.
>>
>> I send SIGSTOP to
>>
>>   [PATCH 4/6] usbip: fix stub_dev usbip_sockfd_store() races leading to gpf
>>   [PATCH 5/6] usbip: fix vhci_hcd attach_store() races leading to gpf
>>   [PATCH 6/6] usbip: fix vudc usbip_sockfd_store races leading to gpf
>>
>> because these patches merely converted a NULL pointer dereference bug to a use-after-free bug
>> by breaking kthread_get_run() into kthread_create()/get_task_struct()/wake_up_process().
> 
> I'll take follow-on patches to fix that other issue, if it's proven to
> be valid.  It's nice to fix up NULL dereference issues as soon as
> possible :)

Not an "other issue". Shuah's [PATCH 4,5,6/6] are failing to fix the NULL pointer dereference issue.
These patches simply replace the NULL pointer dereference issue (caused by preemption) with a
use-after-free issue (caused by exactly the same preemption). Shuah has to understand
the consequence of calling wake_up_process() on the rx thread in order to fix this NULL pointer
dereference issue.

The only fix we can safely apply now is
https://lkml.kernel.org/r/20210205135707.4574-1-penguin-kernel@xxxxxxxxxxxxxxxxxxx .
Since Shuah and I agreed that we will remove kthread_get_run(), it is nice to fix up the
frequently happening -EINTR pointer dereference issue as soon as possible.
