similar to: [PATCH net V2] vhost: correctly remove wait queue during poll failure

On 2018?03?27? 17:28, Darren Kenny wrote: > Hi Jason, > > On Tue, Mar 27, 2018 at 11:47:22AM +0800, Jason Wang wrote: >> We tried to remove vq poll from wait queue, but do not check whether >> or not it was in a list before. This will lead double free. Fixing >> this by checking poll->wqh to make sure it was in a list. > > This text seems at odds with the code

On Tue, Mar 27, 2018 at 08:50:52PM +0800, Jason Wang wrote: > We tried to remove vq poll from wait queue, but do not check whether > or not it was in a list before. This will lead double free. Fixing > this by switching to use vhost_poll_stop() which zeros poll->wqh after > removing poll from waitqueue to make sure it won't be freed twice. > > Cc: Darren Kenny

Vq log_base is the userspace address of bitmap which has nothing to do with IOTLB. So it needs to be validated unconditionally otherwise we may try use 0 as log_base which may lead to pin pages that will lead unexpected result (e.g trigger BUG_ON() in set_bit_to_user()). Fixes: 6b1e6cc7855b0 ("vhost: new device IOTLB API") Reported-by: syzbot+6304bf97ef436580fede at

Vq log_base is the userspace address of bitmap which has nothing to do with IOTLB. So it needs to be validated unconditionally otherwise we may try use 0 as log_base which may lead to pin pages that will lead unexpected result (e.g trigger BUG_ON() in set_bit_to_user()). Fixes: 6b1e6cc7855b0 ("vhost: new device IOTLB API") Reported-by: syzbot+6304bf97ef436580fede at

We tried to remove vq poll from wait queue, but do not check whether or not it was in a list before. This will lead double free. Fixing this by checking poll->wqh to make sure it was in a list. Reported-by: syzbot+c0272972b01b872e604a at syzkaller.appspotmail.com Fixes: 2b8b328b61c79 ("vhost_net: handle polling errors when setting backend") Signed-off-by: Jason Wang <jasowang at

On 2019/7/24 ??10:38, Eric Biggers wrote: > [This email was generated by a script. Let me know if you have any suggestions > to make it better, or if you want it re-generated with the latest status.] > > Of the currently open syzbot reports against the upstream kernel, I've manually > marked 3 of them as possibly being bugs in the vhost subsystem. I've listed > these

Looks like more iotlb locking mess? On Tue, Mar 19, 2019 at 10:21:00PM -0700, syzbot wrote: > syzbot has bisected this bug to: > > commit 6b1e6cc7855b09a0a9bfa1d9f30172ba366f161c > Author: Jason Wang <jasowang at redhat.com> > Date: Thu Jun 23 06:04:32 2016 +0000 > > vhost: new device IOTLB API > > bisection log:

Looks like more iotlb locking mess? On Tue, Mar 19, 2019 at 10:21:00PM -0700, syzbot wrote: > syzbot has bisected this bug to: > > commit 6b1e6cc7855b09a0a9bfa1d9f30172ba366f161c > Author: Jason Wang <jasowang at redhat.com> > Date: Thu Jun 23 06:04:32 2016 +0000 > > vhost: new device IOTLB API > > bisection log:

Fri, 26 Jul 2019 08:26:01 -0700 (PDT) > syzbot has bisected this bug to: > > commit 0ecfebd2b52404ae0c54a878c872bb93363ada36 > Author: Linus Torvalds <torvalds at linux-foundation.org> > Date: Sun Jul 7 22:41:56 2019 +0000 > > Linux 5.2 > > bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=118810bfa00000 > start commit: 13bf6d6a Add

On Mon, Apr 6, 2020 at 8:46 AM syzbot <syzbot+d3a7951ed361037407db at syzkaller.appspotmail.com> wrote: > > Hello, > > syzbot found the following crash on: > > HEAD commit: ffc1c20c Merge tag 'for-5.7/dm-changes' of git://git.kerne.. > git tree: upstream > console output: https://syzkaller.appspot.com/x/log.txt?x=1690471fe00000 > kernel config:

On Mon, Apr 6, 2020 at 8:46 AM syzbot <syzbot+d3a7951ed361037407db at syzkaller.appspotmail.com> wrote: > > Hello, > > syzbot found the following crash on: > > HEAD commit: ffc1c20c Merge tag 'for-5.7/dm-changes' of git://git.kerne.. > git tree: upstream > console output: https://syzkaller.appspot.com/x/log.txt?x=1690471fe00000 > kernel config:

On Sat, Apr 7, 2018 at 3:02 AM, syzbot <syzbot+65a84dde0214b0387ccd at syzkaller.appspotmail.com> wrote: > syzbot hit the following crash on upstream commit > 38c23685b273cfb4ccf31a199feccce3bdcb5d83 (Fri Apr 6 04:29:35 2018 +0000) > Merge tag 'armsoc-drivers' of > git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc > syzbot dashboard link: >

On Sat, Apr 7, 2018 at 3:02 AM, syzbot <syzbot+65a84dde0214b0387ccd at syzkaller.appspotmail.com> wrote: > syzbot hit the following crash on upstream commit > 38c23685b273cfb4ccf31a199feccce3bdcb5d83 (Fri Apr 6 04:29:35 2018 +0000) > Merge tag 'armsoc-drivers' of > git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc > syzbot dashboard link: >

On Fri, Apr 27, 2018 at 11:45:02AM -0400, Kevin Easton wrote: > The struct vhost_msg within struct vhost_msg_node is copied to userspace, > so it should be allocated with kzalloc() to ensure all structure padding > is zeroed. > > Signed-off-by: Kevin Easton <kevin at guarana.org> > Reported-by: syzbot+87cfa083e727a224754b at syzkaller.appspotmail.com Is this patch going

On Fri, Apr 27, 2018 at 11:45:02AM -0400, Kevin Easton wrote: > The struct vhost_msg within struct vhost_msg_node is copied to userspace, > so it should be allocated with kzalloc() to ensure all structure padding > is zeroed. > > Signed-off-by: Kevin Easton <kevin at guarana.org> > Reported-by: syzbot+87cfa083e727a224754b at syzkaller.appspotmail.com Is this patch going

We used to call mutex_lock() in vhost_dev_lock_vqs() which tries to hold mutexes of all virtqueues. This may confuse lockdep to report a possible deadlock because of trying to hold locks belong to same class. Switch to use mutex_lock_nested() to avoid false positive. Fixes: 6b1e6cc7855b0 ("vhost: new device IOTLB API") Reported-by: syzbot+dbb7c1161485e61b0241 at

We used to call mutex_lock() in vhost_dev_lock_vqs() which tries to hold mutexes of all virtqueues. This may confuse lockdep to report a possible deadlock because of trying to hold locks belong to same class. Switch to use mutex_lock_nested() to avoid false positive. Fixes: 6b1e6cc7855b0 ("vhost: new device IOTLB API") Reported-by: syzbot+dbb7c1161485e61b0241 at

On Fri, Apr 27, 2018 at 11:45:02AM -0400, Kevin Easton wrote: > The struct vhost_msg within struct vhost_msg_node is copied to userspace, > so it should be allocated with kzalloc() to ensure all structure padding > is zeroed. > > Signed-off-by: Kevin Easton <kevin at guarana.org> > Reported-by: syzbot+87cfa083e727a224754b at syzkaller.appspotmail.com > --- >

On Mon, Apr 09, 2018 at 05:44:36AM +0300, Michael S. Tsirkin wrote: > On Mon, Apr 09, 2018 at 10:37:45AM +0800, Stefan Hajnoczi wrote: > > On Sat, Apr 7, 2018 at 3:02 AM, syzbot > > <syzbot+65a84dde0214b0387ccd at syzkaller.appspotmail.com> wrote: > > > syzbot hit the following crash on upstream commit > > > 38c23685b273cfb4ccf31a199feccce3bdcb5d83 (Fri Apr 6

We used to accept zero size iova range which will lead a infinite loop in translate_desc(). Fixing this by failing the request in this case. Reported-by: syzbot+d21e6e297322a900c128 at syzkaller.appspotmail.com Fixes: 6b1e6cc7 ("vhost: new device IOTLB API") Signed-off-by: Jason Wang <jasowang at redhat.com> --- drivers/vhost/vhost.c | 6 +++++- 1 file changed, 5 insertions(+), 1