From: "Michael S. Tsirkin" <mst@redhat.com>
To: Mike Christie <michael.christie@oracle.com>
Cc: Hillf Danton <hdanton@sina.com>,
	Edward Adam Davis <eadavis@qq.com>,
	syzbot+98edc2df894917b3431f@syzkaller.appspotmail.com,
	jasowang@redhat.com, kvm@vger.kernel.org,
	linux-kernel@vger.kernel.org, netdev@vger.kernel.org,
	syzkaller-bugs@googlegroups.com, virtualization@lists.linux.dev
Subject: Re: [PATCH next] vhost_task: after freeing vhost_task it should not be accessed in vhost_task_fn
Date: Wed, 1 May 2024 12:15:03 -0400	[thread overview]
Message-ID: <20240501121411-mutt-send-email-mst@kernel.org> (raw)
In-Reply-To: <6971427a-d3ab-41c8-b34b-be84a594e40b@oracle.com>

On Wed, May 01, 2024 at 10:57:38AM -0500, Mike Christie wrote:
> On 5/1/24 2:50 AM, Hillf Danton wrote:
> > On Wed, 1 May 2024 02:01:20 -0400 Michael S. Tsirkin <mst@redhat.com>
> >>
> >> and then it failed testing.
> >>
> > So did my patch [1] but then the reason was spotted [2,3]
> > 
> > [1] https://lore.kernel.org/lkml/20240430110209.4310-1-hdanton@sina.com/
> > [2] https://lore.kernel.org/lkml/20240430225005.4368-1-hdanton@sina.com/
> > [3] https://lore.kernel.org/lkml/000000000000a7f8470617589ff2@google.com/
> 
> Just to make sure I understand the conclusion.
> 
> Edward's patch that just swaps the order of the calls:
> 
> https://lore.kernel.org/lkml/tencent_546DA49414E876EEBECF2C78D26D242EE50A@qq.com/
> 
> fixes the UAF. I tested the same in my setup. However, when you guys tested it
> with syzbot, it also triggered a softirq/RCU warning.
> 
> The softirq/RCU part of the issue is fixed with this commit:
> 
> https://lore.kernel.org/all/20240427102808.29356-1-qiang.zhang1211@gmail.com/
> 
> commit 1dd1eff161bd55968d3d46bc36def62d71fb4785
> Author: Zqiang <qiang.zhang1211@gmail.com>
> Date:   Sat Apr 27 18:28:08 2024 +0800
> 
>     softirq: Fix suspicious RCU usage in __do_softirq()
> 
> The problem was that I was testing with -next master which has that patch.
> It looks like you guys were testing against bb7a2467e6be which didn't have
> the patch, and so that's why you guys still hit the softirq/RCU issue. Later
> when you added that patch to your patch, it worked with syzbot.
> 
> So is it safe to assume that the softirq/RCU patch above will be upstream
> when the vhost changes go in or is there a tag I need to add to my patches?

That patch is upstream now. I rebased and asked syzbot to test
https://lore.kernel.org/lkml/tencent_546DA49414E876EEBECF2C78D26D242EE50A@qq.com/
on top.

If that passes I will squash.
