Received: by 2002:a05:6a10:16a7:0:0:0:0 with SMTP id gp39csp1308850pxb; Fri, 13 Nov 2020 09:17:44 -0800 (PST) X-Google-Smtp-Source: ABdhPJxS1Z/fQjBxzuy4qjDAh1WWwnJ4eGYSMvz7PONET3JzC4iOqn1d4JOuxg1IPGknbglnJ+dB X-Received: by 2002:aa7:da13:: with SMTP id r19mr3659544eds.386.1605287864254; Fri, 13 Nov 2020 09:17:44 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1605287864; cv=none; d=google.com; s=arc-20160816; b=GQNc3xJv9jmv3ugLnEjbg1HnoEHgWJ/bwi2mL66b9M7YgaOXUf0UYOJv0KGwpIuxZ4 SDtg4DKeXe2f3qqZlDO0/SHMYmGT1fHyBCtay60H7Lm8aQEQZMWp5AXmhjE6iV1iM1uT BHEmoVnQ1qlWIgYWU9uBRYo6JmAuWGMOLjlNMLmlpL//49nCgsY1tqHW9LeasUCBdfiL gK56/ln/ydLQIoEV0VYKhkZjqBRCNthOydi7UO/zbKZII+XDLoMg43vNS1+Af2SjAr95 PZ2eqtp1XzQ/CDvtsevE+9fLf9q9S7/7qnbOHoUAqVICd2Me6rvrjvITZyHWe8WR8288 ixdA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:content-language :in-reply-to:mime-version:user-agent:date:message-id:from:references :cc:to:subject:dkim-signature; bh=WEvraIZkF0cWOj/dfivLnLiDfbUaBgrjDgBa9dn7IYk=; b=Au4eNI7xjoSbrfe/M+a3vA1Nq4hAnmYR6jb3+pHVclbn0KEapW/m1avVYsF/9Dao1M gZNAmuiv2TnlFNYPho8Lb3uonzf0XoxO8IBLRXFIzrU6m0nSioBhXBIbplLHoEtZADUP vJwcHgMl+7lLxZpX3HBkxSvPprni67+j6HijnX8h6elASeFXppAOngyjO+yREQqj+iA0 6eEUtHF0Dcrkc1FfGkYrMrpwffgydrT+95ca7JjoQ6sTEQF2tKduqFWmjL2eE52Q+XW1 Jhz6i2Jw76u/v9qLtndvkF7Pgo4vYUbsjyZR2MltDI24fWk803ogruqPNpzlyYQ/PRfi bTWg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=google header.b=SfXCVk3j; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id y24si6029366ejw.503.2020.11.13.09.17.17; Fri, 13 Nov 2020 09:17:44 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=google header.b=SfXCVk3j; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726339AbgKMROg (ORCPT + 99 others); Fri, 13 Nov 2020 12:14:36 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:56932 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726288AbgKMROe (ORCPT ); Fri, 13 Nov 2020 12:14:34 -0500 Received: from mail-il1-x144.google.com (mail-il1-x144.google.com [IPv6:2607:f8b0:4864:20::144]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 75B6EC0613D1 for ; Fri, 13 Nov 2020 09:14:48 -0800 (PST) Received: by mail-il1-x144.google.com with SMTP id t13so9128297ilp.2 for ; Fri, 13 Nov 2020 09:14:48 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linuxfoundation.org; s=google; h=subject:to:cc:references:from:message-id:date:user-agent :mime-version:in-reply-to:content-language:content-transfer-encoding; bh=WEvraIZkF0cWOj/dfivLnLiDfbUaBgrjDgBa9dn7IYk=; b=SfXCVk3jKMkxT+wb9NCADz20uvpExJKoj6ofbvkk/mytQFIHyIWzKOFS0lucSZm6CA 8rwqErJY0FqKiZpT3Wgg3zB5rc2Mm/0iw6MC3LdpfHHjj5uguVDFYkZKr2JlV6aF1LuY rZ3MXYq4+8Z6AnYlX1OAfwz0WXqatoOVSTaJU= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:cc:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language :content-transfer-encoding; bh=WEvraIZkF0cWOj/dfivLnLiDfbUaBgrjDgBa9dn7IYk=; b=oGW0EPxMgMtWTFLxONLIWqZiKpLyfbU4ELvmskVZrvW+IXif/02b/QoDBG9u0c1tWI ON2RHNoB/H5YJ9b4aqYJyNh/dqjY0sVhYM2GeT08CzZygas4wbgRtjFi8gduRfg+YT63 4Bos3exEOgWBR3t6mEltR90EaC7tF6ka/gZiDoUlXb/8Kz86PM9fjOQTkfRoeeoBO6yP 7LsqDSE/LeWBOaQBU6EU9kIAOaur34t5BJ0rnaQSNlEGqkNnlZHoRjMSTL8VJ6Mo7eoZ jiQOJZAoEZDGRfM2CzGlVDDyO4tJx8q59WYxK30G9ff1dH8fsWlZXdHJ0q+pKieuBqZH TyOg== X-Gm-Message-State: AOAM533YoVgmAh15z02l8PmzRsNYUZQP1kVRIFDMh9+gpA2blaXZAX82 bNIsezeZWoUF36i9cDE+TgP73Q== X-Received: by 2002:a92:a008:: with SMTP id e8mr651660ili.83.1605287682461; Fri, 13 Nov 2020 09:14:42 -0800 (PST) Received: from [192.168.1.112] (c-24-9-64-241.hsd1.co.comcast.net. [24.9.64.241]) by smtp.gmail.com with ESMTPSA id k16sm4659185ioc.1.2020.11.13.09.14.41 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Fri, 13 Nov 2020 09:14:41 -0800 (PST) Subject: Re: general protection fault in tomoyo_socket_sendmsg_permission To: Hillf Danton , syzbot Cc: linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org, Andrey Konovalov , Valentina Manea , Greg Kroah-Hartman , syzkaller-bugs@googlegroups.com, Shuah Khan References: <000000000000647eff05b3f7e0d4@google.com> <20201113120055.11748-1-hdanton@sina.com> From: Shuah Khan Message-ID: <5f71e0c1-d387-6d72-d8e4-edb11cf57f72@linuxfoundation.org> Date: Fri, 13 Nov 2020 10:14:40 -0700 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.3.2 MIME-Version: 1.0 In-Reply-To: <20201113120055.11748-1-hdanton@sina.com> Content-Type: text/plain; charset=utf-8; format=flowed Content-Language: en-US Content-Transfer-Encoding: 7bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 11/13/20 5:00 AM, Hillf Danton wrote: > Thu, 12 Nov 2020 23:21:26 -0800 >> syzbot found the following issue on: >> >> HEAD commit: 9dbc1c03 Merge tag 'xfs-5.10-fixes-3' of git://git.kernel... >> git tree: upstream >> console output: https://syzkaller.appspot.com/x/log.txt?x=10453034500000 >> kernel config: https://syzkaller.appspot.com/x/.config?x=1735b7978b1c3721 >> dashboard link: https://syzkaller.appspot.com/bug?extid=95ce4b142579611ef0a9 >> compiler: gcc (GCC) 10.1.0-syz 20200507 >> userspace arch: i386 >> >> Unfortunately, I don't have any reproducer for this issue yet. >> I would like to see the reproducer for this. I just can't reproduce this problem. > > Fix 96c2737716d5 ("usbip: move usbip kernel code out of staging") > by closing the race between readers and writer of ud->tcp_socket on > sock shutdown. To do that, add waitqueue for usbip device and make > writer wait for all readers to go home before releasing the socket. > > > --- a/drivers/usb/usbip/usbip_common.h > +++ b/drivers/usb/usbip/usbip_common.h > @@ -277,6 +277,9 @@ struct usbip_device { > void (*reset)(struct usbip_device *); > void (*unusable)(struct usbip_device *); > } eh_ops; > + > + atomic_t sk_shutdown_count; > + wait_queue_head_t sk_shutdown_waitq; > }; > > #define kthread_get_run(threadfn, data, namefmt, ...) \ > --- a/drivers/usb/usbip/vhci_hcd.c > +++ b/drivers/usb/usbip/vhci_hcd.c > @@ -1008,15 +1008,20 @@ static void vhci_shutdown_connection(str > > /* kill threads related to this sdev */ > if (vdev->ud.tcp_rx) { > + atomic_inc(&ud->sk_shutdown_count); > kthread_stop_put(vdev->ud.tcp_rx); > vdev->ud.tcp_rx = NULL; > } > if (vdev->ud.tcp_tx) { > + atomic_inc(&ud->sk_shutdown_count); > kthread_stop_put(vdev->ud.tcp_tx); > vdev->ud.tcp_tx = NULL; > } > pr_info("stop threads\n"); > > + wait_event(ud->sk_shutdown_waitq, > + !atomic_read(&ud->sk_shutdown_count)); > + > /* active connection is closed */ > if (vdev->ud.tcp_socket) { > sockfd_put(vdev->ud.tcp_socket); > @@ -1104,6 +1109,8 @@ static void vhci_device_init(struct vhci > vdev->ud.eh_ops.reset = vhci_device_reset; > vdev->ud.eh_ops.unusable = vhci_device_unusable; > > + init_waitqueue_head(&vdev->ud.sk_shutdown_waitq); > + > usbip_start_eh(&vdev->ud); > } > > --- a/drivers/usb/usbip/vhci_rx.c > +++ b/drivers/usb/usbip/vhci_rx.c > @@ -264,5 +264,8 @@ int vhci_rx_loop(void *data) > vhci_rx_pdu(ud); > } > > + if (atomic_dec_and_test(&ud->sk_shutdown_count)) > + wake_up(&ud->sk_shutdown_waitq); > + > return 0; > } > --- a/drivers/usb/usbip/vhci_tx.c > +++ b/drivers/usb/usbip/vhci_tx.c > @@ -252,5 +252,8 @@ int vhci_tx_loop(void *data) > usbip_dbg_vhci_tx("pending urbs ?, now wake up\n"); > } > > + if (atomic_dec_and_test(&ud->sk_shutdown_count)) > + wake_up(&ud->sk_shutdown_waitq); > + > return 0; > } > Without a reproducer, it is hard to verify the fix. thanks, -- Shuah