From: "Michael S. Tsirkin" <mst@redhat.com>
To: Paolo Abeni <pabeni@redhat.com>
Cc: "Qing Ming" <a0yami@mailbox.org>,
	"Jason Wang" <jasowang@redhat.com>,
	"Eugenio Pérez" <eperezma@redhat.com>, Shirley <xma@us.ibm.com>,
	"David S. Miller" <davem@davemloft.net>,
	kvm@vger.kernel.org, virtualization@lists.linux.dev,
	netdev@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH net] vhost/net: complete zerocopy ubufs only once
Date: Thu, 4 Jun 2026 19:14:14 -0400
Message-ID: <20260604191341-mutt-send-email-mst@kernel.org>
In-Reply-To: <b6182472-503c-43e9-a850-87cd40f86aa8@redhat.com>

On Thu, Jun 04, 2026 at 12:55:49PM +0200, Paolo Abeni wrote:
> On 6/1/26 12:43 PM, Qing Ming wrote:
> > vhost-net initializes one ubuf_info per outstanding zerocopy TX
> > descriptor and hands it to the backend socket.  The networking stack may
> > then clone a zerocopy skb before all skb references are released.  For
> > example, batman-adv fragmentation reaches skb_split(), which calls
> > skb_zerocopy_clone() and increments the same ubuf_info refcount.
> > 
> > vhost_zerocopy_complete() currently treats every ubuf callback as a
> > completed vhost descriptor.  It dereferences ubuf->ctx, writes the
> > descriptor completion state, and drops the vhost_net_ubuf_ref even when
> > the callback only releases a cloned skb reference.  A backend reset can
> > therefore wait for and free the vhost_net_ubuf_ref while another cloned
> > skb still carries the same ubuf_info.  A later completion then
> > dereferences the freed ubufs pointer.
> > 
> > KASAN reports the stale completion as:
> > 
> >   BUG: KASAN: slab-use-after-free in vhost_zerocopy_complete+0x1d7/0x1f0
> >   BUG: KASAN: slab-use-after-free in vhost_zerocopy_complete+0x101/0x1f0
> >   vhost_zerocopy_complete
> >   skb_copy_ubufs
> >   __dev_forward_skb2
> >   veth_xmit
> > 
> > The freed object was allocated from vhost_net_ioctl() while setting the
> > backend and freed through kfree_rcu()/kvfree_rcu_bulk after backend
> > removal, while delayed skb completion still reached
> > vhost_zerocopy_complete().
> > 
> > Honor the generic ubuf_info refcount before touching vhost state, and run
> > the vhost descriptor completion only for the final ubuf reference.  This
> > matches the msg_zerocopy_complete() ownership rule for cloned zerocopy
> > skbs.
> > 
> > Fixes: bab632d69ee4 ("vhost: vhost TX zero-copy support")
> > Signed-off-by: Qing Ming <a0yami@mailbox.org>
> 
> The patch LGTM.
> 
> @Michael: do you want to take it via your tree?
> 
> /P


(I wasn't copied.) Alright then.
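The ownership rule the commit message describes (a ubuf_info shared by cloned skbs must complete its vhost descriptor only on the final put) is easy to see in a small model. The following is an added userspace example, not the kernel's code and not part of this thread; it borrows kernel names for readability but simplifies vhost_net_ubuf_ref, skb_zerocopy_clone() and the backend reset to counters and flags, and the KASAN report is modelled as a counter of accesses to the freed ctx.

```c
#include <stdbool.h>
#include <stdio.h>

/*
 * Constructed model of the ownership rule from the commit message: one
 * ubuf_info may be shared by several skbs (clone bumps its refcount), but
 * the vhost descriptor must complete exactly once, on the final put.
 * Names mirror the kernel's for readability; this is NOT kernel code.
 */

struct vhost_net_ubuf_ref {
	int refcount;   /* outstanding zerocopy descriptors for this backend */
	bool freed;     /* set once the backend reset has freed it */
};

struct ubuf_info {
	int refcnt;                       /* generic refcount: one per skb holding it */
	struct vhost_net_ubuf_ref *ctx;   /* vhost-net's per-backend ref holder */
	int completions;                  /* how often this descriptor was completed */
};

struct outcome {
	int completions;   /* descriptor completions observed (should be 1) */
	int stale_derefs;  /* accesses to ctx after it was freed (should be 0) */
	bool reset_freed;  /* whether the backend reset managed to free ctx */
};

/* skb_zerocopy_clone(): a cloned skb takes its own ubuf_info reference. */
static void skb_zerocopy_clone(struct ubuf_info *u)
{
	u->refcnt++;
}

/* The vhost-specific part: record completion and drop the backend ref. */
static void vhost_desc_complete(struct ubuf_info *u, struct outcome *o)
{
	struct vhost_net_ubuf_ref *ctx = u->ctx;

	if (ctx->freed)          /* this is what KASAN flags as use-after-free */
		o->stale_derefs++;
	u->completions++;
	o->completions++;
	ctx->refcount--;         /* vhost_net_ubuf_put() */
}

/* Buggy behaviour: every ubuf callback is treated as a descriptor completion. */
static void complete_buggy(struct ubuf_info *u, struct outcome *o)
{
	u->refcnt--;             /* the skb's reference goes away regardless */
	vhost_desc_complete(u, o);
}

/* Fixed behaviour: only the final ubuf reference completes the descriptor. */
static void complete_fixed(struct ubuf_info *u, struct outcome *o)
{
	if (--u->refcnt)         /* a cloned skb still holds the ubuf_info */
		return;
	vhost_desc_complete(u, o);
}

/*
 * Backend reset: the kernel waits until no descriptor holds the ref and then
 * frees the object.  "Waiting" is modelled as returning whether the free
 * could happen at this point.
 */
static bool backend_reset(struct vhost_net_ubuf_ref *ctx)
{
	if (ctx->refcount > 0)
		return false;    /* would block in the kernel; nothing freed yet */
	ctx->freed = true;
	return true;
}

/*
 * Scenario from the report: one TX descriptor, its skb is cloned (e.g. by
 * skb_split() during fragmentation), and the two skbs are released around
 * a backend reset.  Returns what was observed.
 */
struct outcome run_scenario(bool fixed)
{
	struct vhost_net_ubuf_ref ctx = { .refcount = 1, .freed = false };
	struct ubuf_info u = { .refcnt = 1, .ctx = &ctx, .completions = 0 };
	struct outcome o = { 0 };
	void (*complete)(struct ubuf_info *, struct outcome *) =
		fixed ? complete_fixed : complete_buggy;

	skb_zerocopy_clone(&u);
	complete(&u, &o);                 /* original skb freed */
	o.reset_freed = backend_reset(&ctx);
	complete(&u, &o);                 /* cloned skb freed later */
	if (!o.reset_freed)
		o.reset_freed = backend_reset(&ctx);  /* reset can proceed now */
	return o;
}

int main(void)
{
	struct outcome b = run_scenario(false), f = run_scenario(true);

	printf("buggy: completions=%d stale_derefs=%d\n", b.completions, b.stale_derefs);
	printf("fixed: completions=%d stale_derefs=%d\n", f.completions, f.stale_derefs);
	return 0;
}
```

With the buggy path the first callback already drops the backend ref, so the reset frees ctx while the clone is still alive, and the second callback touches freed memory and completes the descriptor a second time. With the refcount honoured first, the reset is held back until the last skb is gone, and the descriptor completes once.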


