search for: c0272972b01b872e604a

...check whether or not it was in a list before. This will lead double free. Fixing this by switching to use vhost_poll_stop() which zeros poll->wqh after removing poll from waitqueue to make sure it won't be freed twice. Cc: Darren Kenny <darren.kenny at oracle.com> Reported-by: syzbot+c0272972b01b872e604a at syzkaller.appspotmail.com Fixes: 2b8b328b61c79 ("vhost_net: handle polling errors when setting backend") Signed-off-by: Jason Wang <jasowang at redhat.com> --- Changes from V1: - tweak the commit log for to match the code --- drivers/vhost/vhost.c | 3 +-- 1 file changed, 1 inse...

...check whether or not it was in a list before. This will lead double free. Fixing this by switching to use vhost_poll_stop() which zeros poll->wqh after removing poll from waitqueue to make sure it won't be freed twice. Cc: Darren Kenny <darren.kenny at oracle.com> Reported-by: syzbot+c0272972b01b872e604a at syzkaller.appspotmail.com Fixes: 2b8b328b61c79 ("vhost_net: handle polling errors when setting backend") Signed-off-by: Jason Wang <jasowang at redhat.com> --- Changes from V1: - tweak the commit log for to match the code --- drivers/vhost/vhost.c | 3 +-- 1 file changed, 1 inse...

...owing crash on upstream commit > 99fec39e7725d091c94d1bb0242e40c8092994f6 (Fri Mar 23 22:34:18 2018 +0000) > Merge tag 'trace-v4.16-rc4' of > git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace > syzbot dashboard link: > https://syzkaller.appspot.com/bug?extid=c0272972b01b872e604a > > So far this crash happened 4 times on upstream. > C reproducer is attached. > syzkaller reproducer is attached. > Raw console output is attached. > .config is attached. > compiler: gcc (GCC) 7.1.1 20170620 > > IMPORTANT: if you fix the bug, please add the following ta...

...9;s bad, thanks for pointing out. How about: "Fixing this by switching to use vhost_poll_stop() which zeros poll->wqh after removing poll from waitqueue to make sure it won't be freed twice." Thanks > > Thanks, > > Darren. > >> >> Reported-by: syzbot+c0272972b01b872e604a at syzkaller.appspotmail.com >> Fixes: 2b8b328b61c79 ("vhost_net: handle polling errors when setting >> backend") >> Signed-off-by: Jason Wang <jasowang at redhat.com> >> --- >> drivers/vhost/vhost.c | 3 +-- >> 1 file changed, 1 insertion(+), 2 d...

We tried to remove vq poll from wait queue, but do not check whether or not it was in a list before. This will lead double free. Fixing this by checking poll->wqh to make sure it was in a list. Reported-by: syzbot+c0272972b01b872e604a at syzkaller.appspotmail.com Fixes: 2b8b328b61c79 ("vhost_net: handle polling errors when setting backend") Signed-off-by: Jason Wang <jasowang at redhat.com> --- drivers/vhost/vhost.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/drivers/vhost/vhost.c b/dri...

...was in a list before. This will lead double free. Fixing > this by switching to use vhost_poll_stop() which zeros poll->wqh after > removing poll from waitqueue to make sure it won't be freed twice. > > Cc: Darren Kenny <darren.kenny at oracle.com> > Reported-by: syzbot+c0272972b01b872e604a at syzkaller.appspotmail.com > Fixes: 2b8b328b61c79 ("vhost_net: handle polling errors when setting backend") > Signed-off-by: Jason Wang <jasowang at redhat.com> OK with this the only bug we have is where get user pages returns 0 (Reported-by: syzbot+6304bf97ef436580fede at...