Displaying 8 results from an estimated 8 matches for "6304bf97ef436580fede".

2018 Mar 29
4
[PATCH net] vhost: validate log when IOTLB is enabled
...nothing to do with IOTLB. So it needs to be validated unconditionally, otherwise we may try to use 0 as log_base, which may lead to pinning pages that will lead to an unexpected result (e.g. trigger BUG_ON() in set_bit_to_user()). Fixes: 6b1e6cc7855b0 ("vhost: new device IOTLB API") Reported-by: syzbot+6304bf97ef436580fede at syzkaller.appspotmail.com Signed-off-by: Jason Wang <jasowang at redhat.com> --- drivers/vhost/vhost.c | 14 ++++++-------- 1 file changed, 6 insertions(+), 8 deletions(-) diff --git a/drivers/vhost/vhost.c b/drivers/vhost/vhost.c index 5d5a9d9..5320039 100644 --- a/drivers/vhost/vhost.c...
2018 Mar 29
4
[PATCH net] vhost: validate log when IOTLB is enabled
...nothing to do with IOTLB. So it needs to be validated unconditionally, otherwise we may try to use 0 as log_base, which may lead to pinning pages that will lead to an unexpected result (e.g. trigger BUG_ON() in set_bit_to_user()). Fixes: 6b1e6cc7855b0 ("vhost: new device IOTLB API") Reported-by: syzbot+6304bf97ef436580fede at syzkaller.appspotmail.com Signed-off-by: Jason Wang <jasowang at redhat.com> --- drivers/vhost/vhost.c | 14 ++++++-------- 1 file changed, 6 insertions(+), 8 deletions(-) diff --git a/drivers/vhost/vhost.c b/drivers/vhost/vhost.c index 5d5a9d9..5320039 100644 --- a/drivers/vhost/vhost.c...
2018 Mar 27
4
[PATCH net V2] vhost: correctly remove wait queue during poll failure
We tried to remove vq poll from wait queue, but do not check whether or not it was in a list before. This will lead to a double free. Fix this by switching to use vhost_poll_stop(), which zeros poll->wqh after removing poll from waitqueue to make sure it won't be freed twice. Cc: Darren Kenny <darren.kenny at oracle.com> Reported-by: syzbot+c0272972b01b872e604a at
2018 Mar 27
4
[PATCH net V2] vhost: correctly remove wait queue during poll failure
We tried to remove vq poll from wait queue, but do not check whether or not it was in a list before. This will lead to a double free. Fix this by switching to use vhost_poll_stop(), which zeros poll->wqh after removing poll from waitqueue to make sure it won't be freed twice. Cc: Darren Kenny <darren.kenny at oracle.com> Reported-by: syzbot+c0272972b01b872e604a at
2018 Mar 29
0
[PATCH net V2] vhost: correctly remove wait queue during poll failure
...bot+c0272972b01b872e604a at syzkaller.appspotmail.com > Fixes: 2b8b328b61c79 ("vhost_net: handle polling errors when setting backend") > Signed-off-by: Jason Wang <jasowang at redhat.com> OK with this the only bug we have is where get user pages returns 0 (Reported-by: syzbot+6304bf97ef436580fede at syzkaller.appspotmail.com) > --- > Changes from V1: > - tweak the commit log to match the code > --- > drivers/vhost/vhost.c | 3 +-- > 1 file changed, 1 insertion(+), 2 deletions(-) > > diff --git a/drivers/vhost/vhost.c b/drivers/vhost/vhost.c > index 1b3e8d...
2018 Mar 29
0
[PATCH net] vhost: validate log when IOTLB is enabled
.... So it needs to be validated unconditionally, otherwise we > may try to use 0 as log_base, which may lead to pinning pages that will lead to an > unexpected result (e.g. trigger BUG_ON() in set_bit_to_user()). > > Fixes: 6b1e6cc7855b0 ("vhost: new device IOTLB API") > Reported-by: syzbot+6304bf97ef436580fede at syzkaller.appspotmail.com > Signed-off-by: Jason Wang <jasowang at redhat.com> Acked-by: Michael S. Tsirkin <mst at redhat.com> stable material I guess. > --- > drivers/vhost/vhost.c | 14 ++++++-------- > 1 file changed, 6 insertions(+), 8 deletions(-) > > dif...
2018 Mar 29
0
[PATCH net] vhost: validate log when IOTLB is enabled
.... So it needs to be validated unconditionally, otherwise we > may try to use 0 as log_base, which may lead to pinning pages that will lead to an > unexpected result (e.g. trigger BUG_ON() in set_bit_to_user()). > > Fixes: 6b1e6cc7855b0 ("vhost: new device IOTLB API") > Reported-by: syzbot+6304bf97ef436580fede at syzkaller.appspotmail.com > Signed-off-by: Jason Wang <jasowang at redhat.com> One follow-up question: We still observe that get user pages returns 0 sometimes. While I agree we should not pass in unvalidated addresses, isn't this worth documenting? > --- > drivers/vhost...
2018 Mar 19
0
get_user_pages returning 0 (was Re: kernel BUG at drivers/vhost/vhost.c:LINE!)
.../linux So far this crash happened 2 times on upstream. C reproducer is attached. syzkaller reproducer is attached. Raw console output is attached. compiler: gcc (GCC) 7.1.1 20170620 .config is attached. IMPORTANT: if you fix the bug, please add the following tag to the commit: Reported-by: syzbot+6304bf97ef436580fede at syzkaller.appspotmail.com It will help syzbot understand when the bug is fixed. See footer for details. If you forward the report, please keep this part and the footer. audit: type=1400 audit(1521377060.016:6): avc: denied { map } for pid=4210 comm="bash" path="/bin/bash"...