diff for duplicates of <20220220075826-mutt-send-email-mst@kernel.org> diff --git a/a/1.txt b/N1/1.txt index 8434a17..e2c4abb 100644 --- a/a/1.txt +++ b/N1/1.txt @@ -93,41 +93,73 @@ On Sun, Feb 20, 2022 at 01:31:02PM +0100, Dmitry Vyukov wrote: > dashboard that mention "vhost" but none of the are use-after-frees. > -Hmm okay. -Well we also have the (non reproducible) - WARN_ON(!llist_empty(&dev->work_list)); - -trigger. - - -So I think what happens is that there's some worker still running -when we call vhost_vq_reset. - -Here's what is supposed to stop it: - - vhost_vsock_stop(vsock); - vhost_vsock_flush(vsock); - vhost_dev_stop(&vsock->dev); - -after this point, there should be no new work. - -However I wonder why do we flush before we stop everything. -Maybe this is what it's about. +Okay, for starters let's try to make sure whether what we are seeing is +actually accessing a vsock that is being released. #syz test: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/ f71077a4d84b + diff --git a/drivers/vhost/vsock.c b/drivers/vhost/vsock.c -index d6ca1c7ad513..b31c3a78dbff 100644 +index d6ca1c7ad513..2dbc64f072e8 100644 --- a/drivers/vhost/vsock.c 
+++ b/drivers/vhost/vsock.c -@@ -754,8 +754,8 @@ static int vhost_vsock_dev_release(struct inode *inode, struct file *file) +@@ -58,6 +58,7 @@ struct vhost_vsock { + + u32 guest_cid; + bool seqpacket_allow; ++ bool dead; + }; + + static u32 vhost_transport_get_local_cid(void) +@@ -106,6 +107,7 @@ vhost_transport_do_send_pkt(struct vhost_vsock *vsock, + + /* Avoid further vmexits, we're already processing the virtqueue */ + vhost_disable_notify(&vsock->dev, vq); ++ WARN_ON(vsock->dead); + + do { + struct virtio_vsock_pkt *pkt; +@@ -128,6 +130,7 @@ vhost_transport_do_send_pkt(struct vhost_vsock *vsock, + list_del_init(&pkt->list); + spin_unlock_bh(&vsock->send_pkt_list_lock); + ++ WARN_ON(vsock->dead); + head = vhost_get_vq_desc(vq, vq->iov, ARRAY_SIZE(vq->iov), + &out, &in, NULL, NULL); + if (head < 0) { +@@ -510,6 +513,7 @@ static void vhost_vsock_handle_tx_kick(struct vhost_work *work) + goto out; + + vhost_disable_notify(&vsock->dev, vq); ++ WARN_ON(vsock->dead); + do { + if (!vhost_vsock_more_replies(vsock)) { + /* Stop tx until the device processes already +@@ -519,6 +523,7 @@ static void vhost_vsock_handle_tx_kick(struct vhost_work *work) + goto no_more_replies; + } + ++ WARN_ON(vsock->dead); + head = vhost_get_vq_desc(vq, vq->iov, ARRAY_SIZE(vq->iov), + &out, &in, NULL, NULL); + if (head < 0) +@@ -678,6 +683,7 @@ static int vhost_vsock_dev_open(struct inode *inode, struct file *file) + } + + vsock->guest_cid = 0; /* no CID assigned yet */ ++ vsock->dead = false; + + atomic_set(&vsock->queued_replies, 0); + +@@ -754,8 +760,9 @@ static int vhost_vsock_dev_release(struct inode *inode, struct file *file) vsock_for_each_connected_socket(vhost_vsock_reset_orphans); vhost_vsock_stop(vsock); - vhost_vsock_flush(vsock); vhost_dev_stop(&vsock->dev); + vhost_vsock_flush(vsock); ++ vsock->dead = true; spin_lock_bh(&vsock->send_pkt_list_lock); while (!list_empty(&vsock->send_pkt_list)) { diff --git a/a/content_digest b/N1/content_digest index c068ed1..0a3843d 100644 
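Review bot: `vsock->dead` is written by the release path in vhost_vsock_dev_release and read from vhost worker context in vhost_transport_do_send_pkt and vhost_vsock_handle_tx_kick with no lock or barrier, so the new flag is a plain cross-thread data race that KCSAN will report and whose ordering against the preceding flush is left implicit; for a debug flag that is meant to cross threads, mark the accesses as `WRITE_ONCE(vsock->dead, true);` at the set site and `WARN_ON_ONCE(READ_ONCE(vsock->dead));` at the four check sites. Since two of the checks sit inside `do { } while` loops and the other two are on per-kick paths, WARN_ON_ONCE also keeps the first useful stack trace from being buried under repeats. The flag is only raised after vhost_vsock_flush() returns, so work that runs between vhost_vsock_stop() and the end of the flush is never flagged; that appears intentional for the question being asked (does anything run after the flush?), but it is worth stating in the mail so a silent run is not misread as "no late work". If the object really has been freed by the time a worker runs, the flag read is itself the use-after-free and will only surface under KASAN, which the original report presumably already has. vhost_vsock_dev_release continues past the end of this hunk.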
--- a/a/content_digest +++ b/N1/content_digest @@ -5,7 +5,7 @@ "ref\0CACT4Y+Y_d2T4-TR2g_EPkaudWGxeEM8rrpQSkBANzCbme10ZtA@mail.gmail.com\0" "From\0Michael S. Tsirkin <mst@redhat.com>\0" "Subject\0Re: [syzbot] kernel BUG in vhost_get_vq_desc\0" - "Date\0Sun, 20 Feb 2022 08:10:06 -0500\0" + "Date\0Sun, 20 Feb 2022 08:29:17 -0500\0" "To\0Dmitry Vyukov <dvyukov@google.com>\0" "Cc\0Hillf Danton <hdanton@sina.com>" syzbot <syzbot+3140b17cb44a7b174008@syzkaller.appspotmail.com> 
@@ -109,43 +109,75 @@ "> dashboard that mention \"vhost\" but none of the are use-after-frees.\n" "> \n" "\n" - "Hmm okay.\n" - "Well we also have the (non reproducible)\n" - " WARN_ON(!llist_empty(&dev->work_list));\n" - "\n" - "trigger.\n" - "\n" - "\n" - "So I think what happens is that there's some worker still running\n" - "when we call vhost_vq_reset.\n" - "\n" - "Here's what is supposed to stop it:\n" - "\n" - " vhost_vsock_stop(vsock);\n" - " vhost_vsock_flush(vsock);\n" - " vhost_dev_stop(&vsock->dev);\n" - "\n" - "after this point, there should be no new work.\n" - " \n" - "However I wonder why do we flush before we stop everything.\n" - "Maybe this is what it's about.\n" + "Okay, for starters let's try to make sure whether what we are seeing is\n" + "actually accessing a vsock that is being released.\n" "\n" "\n" "#syz test: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/ f71077a4d84b \n" "\n" + "\n" "diff --git a/drivers/vhost/vsock.c b/drivers/vhost/vsock.c\n" - "index d6ca1c7ad513..b31c3a78dbff 100644\n" + "index d6ca1c7ad513..2dbc64f072e8 100644\n" "--- a/drivers/vhost/vsock.c\n" "+++ b/drivers/vhost/vsock.c\n" - "@@ -754,8 +754,8 @@ static int vhost_vsock_dev_release(struct inode *inode, struct file *file)\n" + "@@ -58,6 +58,7 @@ struct vhost_vsock {\n" + " \n" + " \tu32 guest_cid;\n" + " \tbool seqpacket_allow;\n" + "+\tbool dead;\n" + " };\n" + " \n" + " static u32 vhost_transport_get_local_cid(void)\n" + "@@ -106,6 +107,7 @@ vhost_transport_do_send_pkt(struct vhost_vsock *vsock,\n" + " \n" + " \t/* Avoid further vmexits, we're already processing the virtqueue */\n" + " \tvhost_disable_notify(&vsock->dev, vq);\n" + "+\tWARN_ON(vsock->dead);\n" + " \n" + " \tdo {\n" + " \t\tstruct virtio_vsock_pkt *pkt;\n" + "@@ -128,6 +130,7 @@ vhost_transport_do_send_pkt(struct vhost_vsock *vsock,\n" + " \t\tlist_del_init(&pkt->list);\n" + " \t\tspin_unlock_bh(&vsock->send_pkt_list_lock);\n" + " \n" + "+\t\tWARN_ON(vsock->dead);\n" + " 
\t\thead = vhost_get_vq_desc(vq, vq->iov, ARRAY_SIZE(vq->iov),\n" + " \t\t\t\t\t &out, &in, NULL, NULL);\n" + " \t\tif (head < 0) {\n" + "@@ -510,6 +513,7 @@ static void vhost_vsock_handle_tx_kick(struct vhost_work *work)\n" + " \t\tgoto out;\n" + " \n" + " \tvhost_disable_notify(&vsock->dev, vq);\n" + "+\tWARN_ON(vsock->dead);\n" + " \tdo {\n" + " \t\tif (!vhost_vsock_more_replies(vsock)) {\n" + " \t\t\t/* Stop tx until the device processes already\n" + "@@ -519,6 +523,7 @@ static void vhost_vsock_handle_tx_kick(struct vhost_work *work)\n" + " \t\t\tgoto no_more_replies;\n" + " \t\t}\n" + " \n" + "+\t\tWARN_ON(vsock->dead);\n" + " \t\thead = vhost_get_vq_desc(vq, vq->iov, ARRAY_SIZE(vq->iov),\n" + " \t\t\t\t\t &out, &in, NULL, NULL);\n" + " \t\tif (head < 0)\n" + "@@ -678,6 +683,7 @@ static int vhost_vsock_dev_open(struct inode *inode, struct file *file)\n" + " \t}\n" + " \n" + " \tvsock->guest_cid = 0; /* no CID assigned yet */\n" + "+\tvsock->dead = false;\n" + " \n" + " \tatomic_set(&vsock->queued_replies, 0);\n" + " \n" + "@@ -754,8 +760,9 @@ static int vhost_vsock_dev_release(struct inode *inode, struct file *file)\n" " \tvsock_for_each_connected_socket(vhost_vsock_reset_orphans);\n" " \n" " \tvhost_vsock_stop(vsock);\n" "-\tvhost_vsock_flush(vsock);\n" " \tvhost_dev_stop(&vsock->dev);\n" "+\tvhost_vsock_flush(vsock);\n" + "+\tvsock->dead = true;\n" " \n" " \tspin_lock_bh(&vsock->send_pkt_list_lock);\n" " \twhile (!list_empty(&vsock->send_pkt_list)) {" -db8a69c2326888cd6c065b5551d12d78f52be6a98e5611a687747844d3639641 +cf01567c6e5eb0595c033d953f0ae60e545644091bdf2086c97886e07ea68704