On Sat, Feb 13, 2021 at 07:02:22PM +0900, Tetsuo Handa wrote: > Greg, will you queue > https://lkml.kernel.org/r/20210205135707.4574-1-penguin-ker...@i-love.sakura.ne.jp > (which can > close a report which is wasting syzbot's resource with 5300+ crashes) for > 5.12 ? The change shown below will be > too large to test before merge window for 5.12 opens. > > The patch for fixing "general protection fault in > tomoyo_socket_sendmsg_permission" will kill kthread_get_run(). > Closing frequently crashing bug now is the better. > > On 2021/02/11 22:40, Tetsuo Handa wrote: > > I guess that we need to serialize attach operation and reset/detach > > operations, for > > it seems there is a race window that might result in "general protection > > fault in > > tomoyo_socket_sendmsg_permission". Details follows... > > Here is untested diff that is expected to be complete. > > (1) Handle kthread_create() failure (which avoids "KASAN: null-ptr-deref > Write in vhci_shutdown_connection") > by grouping socket lookup, SOCK_STREAM check and kthread_get_run() into > usbip_prepare_threads() function. > > (2) Serialize usbip_sockfd_store(), detach_store(), attach_store(), > usbip_sockfd_store() and > ud->eh_ops.shutdown()/ud->eh_ops.reset()/ud->eh_ops.unusable() operations > using usbip_store_mutex mutex > (which avoids "general protection fault in > tomoyo_socket_sendmsg_permission"). > > (3) Don't reset ud->tcp_socket to NULL in vhci_device_reset(). Since > tx_thread/rx_thread depends on > ud->tcp_socket != NULL whereas tcp_socket and tx_thread/rx_thread are > assigned at the same time, > it is never safe to reset only ud->tcp_socket from ud->eh_ops.reset(). > And actually nobody is > calling ud->eh_ops.reset() without ud->eh_ops.shutdown(). > > (4) usbip_sockfd_store() must perform {sdev,udc}->ud.status != > SDEV_ST_AVAILABLE && {sdev,udc}->ud.status = SDEV_ST_USED > exclusively, or multiple tx_thread/rx_thread can be created when > concurrently called. Although (2) will already > serialize this action, (1) will make it possible to perform within one > spinlock section.
Shouldn't this be 4 different patches? thanks, greg k-h
