[PATCH v4 0/2] vduse: Fix race in vduse_dev_msg_sync and vduse_dev_read_iter

[PATCH v4 0/2] vduse: Fix race in vduse_dev_msg_sync and vduse_dev_read_iter

[Zhang Tianci]

Changes in v4:
 - Simplify code.                                 [Jason]
 - Add comment for rolling back.                  [Jason]
 - Link to v3: https://lore.kernel.org/lkml/20260202072655.95143-1-zhangtianci.1997@bytedance.com/

Changes in v3:
 - Add first patch.
 - Link to v2: https://lore.kernel.org/lkml/20260202031212.26871-1-zhangtianci.1997@bytedance.com/

Changes in v2:
 - Rewrite commit message.                        [Michael]
 - Add Fixes tag and cc stable email list.        [Eugenio]
 - Rewrite one comment.                           [Michael]
 - Link to v1: https://lore.kernel.org/lkml/20260130081524.81271-1-zhangtianci.1997@bytedance.com/


Zhang Tianci (2):
  vduse: Requeue failed read to send_list head
  vduse: Fix race in vduse_dev_msg_sync and vduse_dev_read_iter

 drivers/vdpa/vdpa_user/vduse_dev.c | 43 +++++++++++++++++++++++-------
 1 file changed, 33 insertions(+), 10 deletions(-)

-- 
2.39.5

[PATCH v4 1/2] vduse: Requeue failed read to send_list head

[Zhang Tianci]

When copy_to_iter() fails in vduse_dev_read_iter(), put the message back
at the head of send_list to preserve FIFO ordering and retry the oldest
pending request first.

Fixes: c8a6153b6c59 ("vduse: Introduce VDUSE - vDPA Device in Userspace")
Reported-by: Michael S. Tsirkin <mst@redhat.com>
Suggested-by: Xie Yongji <xieyongji@bytedance.com>
Signed-off-by: Zhang Tianci <zhangtianci.1997@bytedance.com>
Reviewed-by: Xie Yongji <xieyongji@bytedance.com>
---
 drivers/vdpa/vdpa_user/vduse_dev.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/drivers/vdpa/vdpa_user/vduse_dev.c b/drivers/vdpa/vdpa_user/vduse_dev.c
index ae357d014564c..b37f18a0ce6fd 100644
--- a/drivers/vdpa/vdpa_user/vduse_dev.c
+++ b/drivers/vdpa/vdpa_user/vduse_dev.c
@@ -194,6 +194,12 @@ static void vduse_enqueue_msg(struct list_head *head,
 	list_add_tail(&msg->list, head);
 }
 
+static void vduse_enqueue_msg_head(struct list_head *head,
+				   struct vduse_dev_msg *msg)
+{
+	list_add(&msg->list, head);
+}
+
 static void vduse_dev_broken(struct vduse_dev *dev)
 {
 	struct vduse_dev_msg *msg, *tmp;
@@ -354,7 +360,7 @@ static ssize_t vduse_dev_read_iter(struct kiocb *iocb, struct iov_iter *to)
 	spin_lock(&dev->msg_lock);
 	if (ret != size) {
 		ret = -EFAULT;
-		vduse_enqueue_msg(&dev->send_list, msg);
+		vduse_enqueue_msg_head(&dev->send_list, msg);
 		goto unlock;
 	}
 	vduse_enqueue_msg(&dev->recv_list, msg);
-- 
2.39.5

Re: [PATCH v4 1/2] vduse: Requeue failed read to send_list head

[Jason Wang]

On Thu, Feb 26, 2026 at 7:56 PM Zhang Tianci
<zhangtianci.1997@bytedance.com> wrote:
>
> When copy_to_iter() fails in vduse_dev_read_iter(), put the message back
> at the head of send_list to preserve FIFO ordering and retry the oldest
> pending request first.
>
> Fixes: c8a6153b6c59 ("vduse: Introduce VDUSE - vDPA Device in Userspace")
> Reported-by: Michael S. Tsirkin <mst@redhat.com>
> Suggested-by: Xie Yongji <xieyongji@bytedance.com>
> Signed-off-by: Zhang Tianci <zhangtianci.1997@bytedance.com>
> Reviewed-by: Xie Yongji <xieyongji@bytedance.com>
> ---

Acked-by: Jason Wang <jasowang@redhat.com>

Thanks

[PATCH v4 2/2] vduse: Fix race in vduse_dev_msg_sync and vduse_dev_read_iter

[Zhang Tianci]

There is one race case in vduse_dev_msg_sync and vduse_dev_read_iter:

vduse_dev_read_iter():
    lock(msg_lock);
    dequeue_msg(send_list);
    unlock(msg_lock);
vduse_dev_msg_sync():
    wait_timeout() finish
    lock(msg_lock);
    check msg->complete is false
        list_del(msg);   <- double list_del() crash!

To fix this case, we shall ensure vduse_msg is on send_list or recv_list
outside the msg_lock critical section.

Fixes: c8a6153b6c59 ("vduse: Introduce VDUSE - vDPA Device in Userspace")
Cc: stable@vger.kernel.org
Signed-off-by: Zhang Tianci <zhangtianci.1997@bytedance.com>
Reviewed-by: Xie Yongji <xieyongji@bytedance.com>
---
 drivers/vdpa/vdpa_user/vduse_dev.c | 37 ++++++++++++++++++++++--------
 1 file changed, 27 insertions(+), 10 deletions(-)

diff --git a/drivers/vdpa/vdpa_user/vduse_dev.c b/drivers/vdpa/vdpa_user/vduse_dev.c
index b37f18a0ce6fd..1ca1811f7594a 100644
--- a/drivers/vdpa/vdpa_user/vduse_dev.c
+++ b/drivers/vdpa/vdpa_user/vduse_dev.c
@@ -331,6 +331,7 @@ static ssize_t vduse_dev_read_iter(struct kiocb *iocb, struct iov_iter *to)
 	struct file *file = iocb->ki_filp;
 	struct vduse_dev *dev = file->private_data;
 	struct vduse_dev_msg *msg;
+	struct vduse_dev_request req;
 	int size = sizeof(struct vduse_dev_request);
 	ssize_t ret;
 
@@ -342,12 +343,11 @@ static ssize_t vduse_dev_read_iter(struct kiocb *iocb, struct iov_iter *to)
 		msg = vduse_dequeue_msg(&dev->send_list);
 		if (msg)
 			break;
+		spin_unlock(&dev->msg_lock);
 
-		ret = -EAGAIN;
 		if (file->f_flags & O_NONBLOCK)
-			goto unlock;
+			return -EAGAIN;
 
-		spin_unlock(&dev->msg_lock);
 		ret = wait_event_interruptible_exclusive(dev->waitq,
 					!list_empty(&dev->send_list));
 		if (ret)
@@ -355,17 +355,34 @@ static ssize_t vduse_dev_read_iter(struct kiocb *iocb, struct iov_iter *to)
 
 		spin_lock(&dev->msg_lock);
 	}
+
+	memcpy(&req, &msg->req, sizeof(req));
+	/*
+	 * We must ensure vduse_msg is on send_list or recv_list before unlock
+	 * dev->msg_lock. Because vduse_dev_msg_sync() may be timeout when we
+	 * copy data to userspace, and will call list_del() for this msg.
+	 */
+	vduse_enqueue_msg(&dev->recv_list, msg);
 	spin_unlock(&dev->msg_lock);
-	ret = copy_to_iter(&msg->req, size, to);
-	spin_lock(&dev->msg_lock);
+
+	ret = copy_to_iter(&req, size, to);
 	if (ret != size) {
+		/*
+		 * Roll back: move msg back to send_list if still pending.
+		 *
+		 * NOTE:
+		 * vduse_find_msg() must use req.request_id instead of `msg`.
+		 * A malicious userspace may reply to this request, and wake up
+		 * the caller, after which `msg` will have already been freed.
+		 * And here vduse_find_msg() will return NULL then do nothing.
+		 */
+		spin_lock(&dev->msg_lock);
+		msg = vduse_find_msg(&dev->recv_list, req.request_id);
+		if (msg)
+			vduse_enqueue_msg_head(&dev->send_list, msg);
+		spin_unlock(&dev->msg_lock);
 		ret = -EFAULT;
-		vduse_enqueue_msg_head(&dev->send_list, msg);
-		goto unlock;
 	}
-	vduse_enqueue_msg(&dev->recv_list, msg);
-unlock:
-	spin_unlock(&dev->msg_lock);
 
 	return ret;
 }
-- 
2.39.5

Re: [PATCH v4 2/2] vduse: Fix race in vduse_dev_msg_sync and vduse_dev_read_iter

[Jason Wang]

On Thu, Feb 26, 2026 at 7:56 PM Zhang Tianci
<zhangtianci.1997@bytedance.com> wrote:
>
> There is one race case in vduse_dev_msg_sync and vduse_dev_read_iter:
>
> vduse_dev_read_iter():
>     lock(msg_lock);
>     dequeue_msg(send_list);
>     unlock(msg_lock);
> vduse_dev_msg_sync():
>     wait_timeout() finish
>     lock(msg_lock);
>     check msg->complete is false
>         list_del(msg);   <- double list_del() crash!
>
> To fix this case, we shall ensure vduse_msg is on send_list or recv_list
> outside the msg_lock critical section.
>
> Fixes: c8a6153b6c59 ("vduse: Introduce VDUSE - vDPA Device in Userspace")
> Cc: stable@vger.kernel.org
> Signed-off-by: Zhang Tianci <zhangtianci.1997@bytedance.com>
> Reviewed-by: Xie Yongji <xieyongji@bytedance.com>
> ---

Acked-by: Jason Wang <jasowang@redhat.com>

Thanks

Re: [PATCH v4 0/2] vduse: Fix race in vduse_dev_msg_sync and vduse_dev_read_iter

[Eugenio Perez Martin]

On Thu, Feb 26, 2026 at 12:56 PM Zhang Tianci
<zhangtianci.1997@bytedance.com> wrote:
>
> Changes in v4:
>  - Simplify code.                                 [Jason]
>  - Add comment for rolling back.                  [Jason]
>  - Link to v3: https://lore.kernel.org/lkml/20260202072655.95143-1-zhangtianci.1997@bytedance.com/
>
> Changes in v3:
>  - Add first patch.
>  - Link to v2: https://lore.kernel.org/lkml/20260202031212.26871-1-zhangtianci.1997@bytedance.com/
>
> Changes in v2:
>  - Rewrite commit message.                        [Michael]
>  - Add Fixes tag and cc stable email list.        [Eugenio]
>  - Rewrite one comment.                           [Michael]
>  - Link to v1: https://lore.kernel.org/lkml/20260130081524.81271-1-zhangtianci.1997@bytedance.com/
>
>
> Zhang Tianci (2):
>   vduse: Requeue failed read to send_list head
>   vduse: Fix race in vduse_dev_msg_sync and vduse_dev_read_iter
>
>  drivers/vdpa/vdpa_user/vduse_dev.c | 43 +++++++++++++++++++++++-------
>  1 file changed, 33 insertions(+), 10 deletions(-)
>

Acked-by: Eugenio Pérez <eperezma@redhat.com>

Thanks!

Re: [PATCH v4 0/2] vduse: Fix race in vduse_dev_msg_sync and vduse_dev_read_iter

[Michael S. Tsirkin]

On Thu, Feb 26, 2026 at 07:55:48PM +0800, Zhang Tianci wrote:
> Changes in v4:
>  - Simplify code.                                 [Jason]
>  - Add comment for rolling back.                  [Jason]
>  - Link to v3: https://lore.kernel.org/lkml/20260202072655.95143-1-zhangtianci.1997@bytedance.com/
> 
> Changes in v3:
>  - Add first patch.
>  - Link to v2: https://lore.kernel.org/lkml/20260202031212.26871-1-zhangtianci.1997@bytedance.com/
> 
> Changes in v2:
>  - Rewrite commit message.                        [Michael]
>  - Add Fixes tag and cc stable email list.        [Eugenio]
>  - Rewrite one comment.                           [Michael]
>  - Link to v1: https://lore.kernel.org/lkml/20260130081524.81271-1-zhangtianci.1997@bytedance.com/


Acked-by: Michael S. Tsirkin <mst@redhat.com>

> 
> Zhang Tianci (2):
>   vduse: Requeue failed read to send_list head
>   vduse: Fix race in vduse_dev_msg_sync and vduse_dev_read_iter
> 
>  drivers/vdpa/vdpa_user/vduse_dev.c | 43 +++++++++++++++++++++++-------
>  1 file changed, 33 insertions(+), 10 deletions(-)
> 
> -- 
> 2.39.5