Date: Fri, 30 Jan 2026 05:16:12 -0500
From: "Michael S. Tsirkin"
To: Zhang Tianci
Cc: jasowang@redhat.com, xuanzhuo@linux.alibaba.com, eperezma@redhat.com, marco.crivellari@suse.com, anders.roxell@linaro.org, virtualization@lists.linux.dev, linux-kernel@vger.kernel.org, Xie Yongji
Subject: Re: [PATCH] vduse: Fix msg list race in vduse_dev_read_iter
Message-ID: <20260130050818-mutt-send-email-mst@kernel.org>
References: <20260130081524.81271-1-zhangtianci.1997@bytedance.com>
In-Reply-To: <20260130081524.81271-1-zhangtianci.1997@bytedance.com>

Thanks for the patch! yet something to improve:

On Fri, Jan 30, 2026 at 04:15:24PM +0800, Zhang Tianci wrote:
> Move the message to recv_list before dropping msg_lock and copying the
> request to userspace, avoiding a transient unlinked state that can race
> with the msg_sync timeout path. Roll back to send_list on copy failures.

this is not how you write commit messages, though.

describe the problem then how you fix it, please.

something like:
if msg_sync timeout triggers after a message has been removed from
send_list and before it was added to recv_list, then ....
as a result ....

To fix, move the message ...

>
> Signed-off-by: Zhang Tianci
> Reviewed-by: Xie Yongji
> --- > drivers/vdpa/vdpa_user/vduse_dev.c | 30 ++++++++++++++++++++++-------- > 1 file changed, 22 insertions(+), 8 deletions(-) > > diff --git a/drivers/vdpa/vdpa_user/vduse_dev.c b/drivers/vdpa/vdpa_user/vduse_dev.c > index ae357d014564c..b6a558341c06c 100644 > --- a/drivers/vdpa/vdpa_user/vduse_dev.c > +++ b/drivers/vdpa/vdpa_user/vduse_dev.c
> @@ -325,6 +325,7 @@ static ssize_t vduse_dev_read_iter(struct kiocb *iocb, struct iov_iter *to) > struct file *file = iocb->ki_filp; > struct vduse_dev *dev = file->private_data; > struct vduse_dev_msg *msg; > + struct vduse_dev_request req; > int size = sizeof(struct vduse_dev_request); > ssize_t ret; > > @@ -339,7 +340,7 @@ static ssize_t vduse_dev_read_iter(struct kiocb *iocb, struct iov_iter *to) > > ret = -EAGAIN; > if (file->f_flags & O_NONBLOCK) > - goto unlock; > + break; > > spin_unlock(&dev->msg_lock); > ret = wait_event_interruptible_exclusive(dev->waitq, 
> @@ -349,17 +350,30 @@ static ssize_t vduse_dev_read_iter(struct kiocb *iocb, struct iov_iter *to) > > spin_lock(&dev->msg_lock); > } > + if (!msg) { > + spin_unlock(&dev->msg_lock); > + return ret; > + } > + > + memcpy(&req, &msg->req, sizeof(req)); > + /* > + * Move @msg to recv_list before dropping msg_lock. > + * This avoids a window where @msg is detached from any list and > + * vduse_dev_msg_sync() timeout path may operate on an unlinked node. > + */

when standing by itself, not as part of the patch, this comment confuses more than it clarifies.

> + vduse_enqueue_msg(&dev->recv_list, msg); > spin_unlock(&dev->msg_lock); > - ret = copy_to_iter(&msg->req, size, to); > - spin_lock(&dev->msg_lock); > + > + ret = copy_to_iter(&req, size, to); > if (ret != size) { > + spin_lock(&dev->msg_lock); > + /* Roll back: move msg back to send_list if still pending. */ > + msg = vduse_find_msg(&dev->recv_list, req.request_id);

Looks like this always scans the whole list. Make a variant using list_for_each_entry_reverse maybe?

> + if (msg) > + vduse_enqueue_msg(&dev->send_list, msg);

why is it not a concern that it will be at the tail of the send_list now, reordering the messages?

> + spin_unlock(&dev->msg_lock); > ret = -EFAULT; > - vduse_enqueue_msg(&dev->send_list, msg); > - goto unlock; > } > - vduse_enqueue_msg(&dev->recv_list, msg); > -unlock: > - spin_unlock(&dev->msg_lock); > > return ret; > } > -- > 2.39.5
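
Review bot: in the hunk at @@ -339,7 +340,7, turning "goto unlock" into "break" makes the O_NONBLOCK exit depend on msg being NULL at that point, so that the "if (!msg)" block added after the loop is what unlocks and returns -EAGAIN. Nothing in the hunk states that invariant. Either unlock and return directly at the O_NONBLOCK check, or add a one-line comment at the "break" saying that msg is NULL here and the post-loop check handles the exit, so a later change to the loop cannot fall through into the memcpy() with a stale pointer.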
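
Review bot: in the rollback branch of the hunk at @@ -349,17 +350,30, a NULL result from vduse_find_msg() is skipped silently and the read still returns -EFAULT, but the comment "if still pending" does not say what can take the message off recv_list while msg_lock is dropped around copy_to_iter(). With this change the message is visible on recv_list before userspace has received the request, so please document which paths may remove it in that window and why not re-queueing is correct in that case. Minor: the copy uses sizeof(req) for memcpy() and the separate "size" variable for copy_to_iter(); using one of the two for both would make it obvious they cannot diverge.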