From: sashiko-bot@kernel.org
To: "Ziyu Zhang" <ziyuzhang201@gmail.com>
Cc: linux-hyperv@vger.kernel.org, kvm@vger.kernel.org
Subject: Re: [PATCH net v2] vsock: keep poll shutdown state consistent
Date: Sat, 30 May 2026 00:44:05 +0000 [thread overview]
Message-ID: <20260530004405.C65901F00893@smtp.kernel.org> (raw)
In-Reply-To: <20260519165636.62542-1-ziyuzhang201@gmail.com>
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
Pre-existing issues:
- [High] Concurrent non-atomic read-modify-write on vsk->peer_shutdown without synchronization leads to lost shutdown flags, potentially hanging host processes.
--
commit d7feaefbab86483ded481345d096a59fb79a2b29
Author: Ziyu Zhang <ziyuzhang201@gmail.com>
vsock: keep poll shutdown state consistent
This patch updates vsock polling to use a consistent snapshot of the
peer_shutdown state to avoid race conditions between checking for
HUP/RDHUP and EOF readability. It introduces lockless READ_ONCE and
WRITE_ONCE accessors for peer_shutdown in datagram and stream sockets.
> diff --git a/net/vmw_vsock/vmci_transport.c b/net/vmw_vsock/vmci_transport.c
> --- a/net/vmw_vsock/vmci_transport.c
> +++ b/net/vmw_vsock/vmci_transport.c
[ ... ]
> @@ -1542,7 +1542,9 @@ static int vmci_transport_recv_connected(struct sock *sk,
> if (pkt->u.mode) {
> vsk = vsock_sk(sk);
>
> - vsk->peer_shutdown |= pkt->u.mode;
> + WRITE_ONCE(vsk->peer_shutdown,
> + READ_ONCE(vsk->peer_shutdown) |
> + pkt->u.mode);
[Severity: High]
This is a pre-existing issue, but does this non-atomic read-modify-write
sequence risk losing concurrent updates to the shutdown mask?
While vmci_transport_recv_connected() executes under lock_sock(),
vmci_transport_handle_detach() can be called from softirq context via
the queue pair detach event.
The detach event uses bh_lock_sock() without checking sock_owned_by_user()
to defer execution to the socket backlog. Because lock_sock() releases
the inner spinlock while setting sk_lock.owned=1, bh_lock_sock() can
successfully acquire the lock and execute concurrently.
If the softirq executes exactly between the READ_ONCE() and WRITE_ONCE()
calls here:
CPU 1 (vmci_transport_recv_connected):
read = READ_ONCE(vsk->peer_shutdown);
CPU 2 (softirq detach callback):
vmci_transport_handle_detach()
WRITE_ONCE(vsk->peer_shutdown, SHUTDOWN_MASK);
CPU 1 (vmci_transport_recv_connected):
WRITE_ONCE(vsk->peer_shutdown, read | pkt->u.mode);
Could CPU 1 overwrite the SHUTDOWN_MASK written by CPU 2? If the
SHUTDOWN_MASK is lost, it appears host processes blocking in poll()
could be left sleeping indefinitely because the connection closure flags
won't be fully recognized.
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260519165636.62542-1-ziyuzhang201@gmail.com?part=1
prev parent reply other threads:[~2026-05-30 0:44 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-19 16:56 [PATCH net v2] vsock: keep poll shutdown state consistent Ziyu Zhang
2026-05-22 18:30 ` patchwork-bot+netdevbpf
2026-05-30 0:44 ` sashiko-bot [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260530004405.C65901F00893@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=kvm@vger.kernel.org \
--cc=linux-hyperv@vger.kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
--cc=ziyuzhang201@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox