search for: appspotmail

...list before. This will lead double free. Fixing this by switching to use vhost_poll_stop() which zeros poll->wqh after removing poll from waitqueue to make sure it won't be freed twice. Cc: Darren Kenny <darren.kenny at oracle.com> Reported-by: syzbot+c0272972b01b872e604a at syzkaller.appspotmail.com Fixes: 2b8b328b61c79 ("vhost_net: handle polling errors when setting backend") Signed-off-by: Jason Wang <jasowang at redhat.com> --- Changes from V1: - tweak the commit log for to match the code --- drivers/vhost/vhost.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-)...

...list before. This will lead double free. Fixing this by switching to use vhost_poll_stop() which zeros poll->wqh after removing poll from waitqueue to make sure it won't be freed twice. Cc: Darren Kenny <darren.kenny at oracle.com> Reported-by: syzbot+c0272972b01b872e604a at syzkaller.appspotmail.com Fixes: 2b8b328b61c79 ("vhost_net: handle polling errors when setting backend") Signed-off-by: Jason Wang <jasowang at redhat.com> --- Changes from V1: - tweak the commit log for to match the code --- drivers/vhost/vhost.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-)...

...08:12:18 2019 +0000 > > ??vhost: access vq metadata through kernel virtual address > > No one has replied to the original thread for this bug yet. > > If you fix this bug, please add the following tag to the commit: > Reported-by: syzbot+8267e9af795434ffadad at syzkaller.appspotmail.com > > If you send any email or patch for this bug, please reply to the original > thread. For the git send-email command to use, or tips on how to reply if the > thread isn't in your mailbox, see the "Reply instructions" at > https://lkml.kernel.org/r/00000000000045e...

...eeds to be validated unconditionally otherwise we may try use 0 as log_base which may lead to pin pages that will lead unexpected result (e.g trigger BUG_ON() in set_bit_to_user()). Fixes: 6b1e6cc7855b0 ("vhost: new device IOTLB API") Reported-by: syzbot+6304bf97ef436580fede at syzkaller.appspotmail.com Signed-off-by: Jason Wang <jasowang at redhat.com> --- drivers/vhost/vhost.c | 14 ++++++-------- 1 file changed, 6 insertions(+), 8 deletions(-) diff --git a/drivers/vhost/vhost.c b/drivers/vhost/vhost.c index 5d5a9d9..5320039 100644 --- a/drivers/vhost/vhost.c +++ b/drivers/vhost/vhos...

...eeds to be validated unconditionally otherwise we may try use 0 as log_base which may lead to pin pages that will lead unexpected result (e.g trigger BUG_ON() in set_bit_to_user()). Fixes: 6b1e6cc7855b0 ("vhost: new device IOTLB API") Reported-by: syzbot+6304bf97ef436580fede at syzkaller.appspotmail.com Signed-off-by: Jason Wang <jasowang at redhat.com> --- drivers/vhost/vhost.c | 14 ++++++-------- 1 file changed, 6 insertions(+), 8 deletions(-) diff --git a/drivers/vhost/vhost.c b/drivers/vhost/vhost.c index 5d5a9d9..5320039 100644 --- a/drivers/vhost/vhost.c +++ b/drivers/vhost/vhos...

...l virtqueues. This may confuse lockdep to report a possible deadlock because of trying to hold locks belong to same class. Switch to use mutex_lock_nested() to avoid false positive. Fixes: 6b1e6cc7855b0 ("vhost: new device IOTLB API") Reported-by: syzbot+dbb7c1161485e61b0241 at syzkaller.appspotmail.com Signed-off-by: Jason Wang <jasowang at redhat.com> --- drivers/vhost/vhost.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/vhost/vhost.c b/drivers/vhost/vhost.c index 33ac2b1..549771a 100644 --- a/drivers/vhost/vhost.c +++ b/drivers/vhost/vhost.c @@ -904,7 +...

...l virtqueues. This may confuse lockdep to report a possible deadlock because of trying to hold locks belong to same class. Switch to use mutex_lock_nested() to avoid false positive. Fixes: 6b1e6cc7855b0 ("vhost: new device IOTLB API") Reported-by: syzbot+dbb7c1161485e61b0241 at syzkaller.appspotmail.com Signed-off-by: Jason Wang <jasowang at redhat.com> --- drivers/vhost/vhost.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/vhost/vhost.c b/drivers/vhost/vhost.c index 33ac2b1..549771a 100644 --- a/drivers/vhost/vhost.c +++ b/drivers/vhost/vhost.c @@ -904,7 +...

We used to accept zero size iova range which will lead a infinite loop in translate_desc(). Fixing this by failing the request in this case. Reported-by: syzbot+d21e6e297322a900c128 at syzkaller.appspotmail.com Fixes: 6b1e6cc7 ("vhost: new device IOTLB API") Signed-off-by: Jason Wang <jasowang at redhat.com> --- drivers/vhost/vhost.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/drivers/vhost/vhost.c b/drivers/vhost/vhost.c index 5ace833de746..351af88231ad 1...

...tqueue mutex in vhost_net_rx_peek_head_len() after RX virtqueue mutex is held in handle_rx(). This requires an appropriate lock nesting notation to calm down deadlock detector. Fixes: 0308813724606 ("vhost_net: basic polling support") Reported-by: syzbot+7f073540b1384a614e09 at syzkaller.appspotmail.com Signed-off-by: Jason Wang <jasowang at redhat.com> --- drivers/vhost/net.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/vhost/net.c b/drivers/vhost/net.c index 8139bc7..12bcfba 100644 --- a/drivers/vhost/net.c +++ b/drivers/vhost/net.c @@ -630,7 +630,7...

...eate is supposed to return the vhost_task or NULL on failure. This fixes it to return the correct value when the allocation of the struct fails. Fixes: 77feab3c4156 ("vhost_task: Allow vhost layer to use copy_process") # mainline only Reported-by: syzbot+6b27b2d2aba1c80cc13b at syzkaller.appspotmail.com Signed-off-by: Mike Christie <michael.christie at oracle.com> --- kernel/vhost_task.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kernel/vhost_task.c b/kernel/vhost_task.c index 4b8aff160640..b7cbd66f889e 100644 --- a/kernel/vhost_task.c +++ b/kernel/vhost_task.c...

On Sat, Apr 7, 2018 at 3:02 AM, syzbot <syzbot+65a84dde0214b0387ccd at syzkaller.appspotmail.com> wrote: > syzbot hit the following crash on upstream commit > 38c23685b273cfb4ccf31a199feccce3bdcb5d83 (Fri Apr 6 04:29:35 2018 +0000) > Merge tag 'armsoc-drivers' of > git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc > syzbot dashboard link: > https://syzk...

The access of vsock is not protected by vhost_vsock_lock. This may lead use after free since vhost_vsock_dev_release() may free the pointer at the same time. Fix this by holding the lock during the acess. Reported-by: syzbot+e3e074963495f92a89ed at syzkaller.appspotmail.com Fixes: 16320f363ae1 ("vhost-vsock: add pkt cancel capability") Fixes: 433fc58e6bf2 ("VSOCK: Introduce vhost_vsock.ko") Cc: Stefan Hajnoczi <stefanha at redhat.com> Signed-off-by: Jason Wang <jasowang at redhat.com> --- - The patch is needed for -stable. --- driv...

On Sat, Apr 7, 2018 at 3:02 AM, syzbot <syzbot+65a84dde0214b0387ccd at syzkaller.appspotmail.com> wrote: > syzbot hit the following crash on upstream commit > 38c23685b273cfb4ccf31a199feccce3bdcb5d83 (Fri Apr 6 04:29:35 2018 +0000) > Merge tag 'armsoc-drivers' of > git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc > syzbot dashboard link: > https://syzk...

The access of vsock is not protected by vhost_vsock_lock. This may lead use after free since vhost_vsock_dev_release() may free the pointer at the same time. Fix this by holding the lock during the acess. Reported-by: syzbot+e3e074963495f92a89ed at syzkaller.appspotmail.com Fixes: 16320f363ae1 ("vhost-vsock: add pkt cancel capability") Fixes: 433fc58e6bf2 ("VSOCK: Introduce vhost_vsock.ko") Cc: Stefan Hajnoczi <stefanha at redhat.com> Signed-off-by: Jason Wang <jasowang at redhat.com> --- - The patch is needed for -stable. --- driv...

...dashboard link: https://syzkaller.appspot.com/bug?extid=36e93b425cd6eb54fcc1 > syz repro: https://syzkaller.appspot.com/x/repro.syz?x=15112f3fa00000 > C reproducer: https://syzkaller.appspot.com/x/repro.c?x=131ab578600000 > > Reported-by: syzbot+36e93b425cd6eb54fcc1 at syzkaller.appspotmail.com > Fixes: 0ecfebd2b524 ("Linux 5.2") > > For information about bisection process see: https://goo.gl/tpsmEJ#bisection --- a/drivers/vhost/vhost.c +++ b/drivers/vhost/vhost.c @@ -787,7 +787,6 @@ static void vhost_setup_uaddr(struct vho size_t size, bool write) {...

The access of vsock is not protected by vhost_vsock_lock. This may lead to use after free since vhost_vsock_dev_release() may free the pointer at the same time. Fix this by holding the lock during the access. Reported-by: syzbot+e3e074963495f92a89ed at syzkaller.appspotmail.com Fixes: 16320f363ae1 ("vhost-vsock: add pkt cancel capability") Fixes: 433fc58e6bf2 ("VSOCK: Introduce vhost_vsock.ko") Cc: Stefan Hajnoczi <stefanha at redhat.com> Signed-off-by: Jason Wang <jasowang at redhat.com> --- - V2: fix typos - The patch is needed for -s...

The access of vsock is not protected by vhost_vsock_lock. This may lead to use after free since vhost_vsock_dev_release() may free the pointer at the same time. Fix this by holding the lock during the access. Reported-by: syzbot+e3e074963495f92a89ed at syzkaller.appspotmail.com Fixes: 16320f363ae1 ("vhost-vsock: add pkt cancel capability") Fixes: 433fc58e6bf2 ("VSOCK: Introduce vhost_vsock.ko") Cc: Stefan Hajnoczi <stefanha at redhat.com> Signed-off-by: Jason Wang <jasowang at redhat.com> --- - V2: fix typos - The patch is needed for -s...

...>iotlb) return 1; return A && B; After the patch the short-circuit logic for A was inverted: if (A || vq->iotlb) return A; return B; The correct logic is: if (!A || vq->iotlb) return A; return B; Reported-by: syzbot+65a84dde0214b0387ccd at syzkaller.appspotmail.com Cc: Jason Wang <jasowang at redhat.com> Signed-off-by: Stefan Hajnoczi <stefanha at redhat.com> --- drivers/vhost/vhost.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/vhost/vhost.c b/drivers/vhost/vhost.c index 5320039671b7..f6af4210679a 100644 --- a/...

...>iotlb) return 1; return A && B; After the patch the short-circuit logic for A was inverted: if (A || vq->iotlb) return A; return B; The correct logic is: if (!A || vq->iotlb) return A; return B; Reported-by: syzbot+65a84dde0214b0387ccd at syzkaller.appspotmail.com Cc: Jason Wang <jasowang at redhat.com> Signed-off-by: Stefan Hajnoczi <stefanha at redhat.com> --- drivers/vhost/vhost.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/vhost/vhost.c b/drivers/vhost/vhost.c index 5320039671b7..f6af4210679a 100644 --- a/...

On Mon, Apr 6, 2020 at 8:46 AM syzbot <syzbot+d3a7951ed361037407db at syzkaller.appspotmail.com> wrote: > > Hello, > > syzbot found the following crash on: > > HEAD commit: ffc1c20c Merge tag 'for-5.7/dm-changes' of git://git.kerne.. > git tree: upstream > console output: https://syzkaller.appspot.com/x/log.txt?x=1690471fe00000 > kernel confi...