From: Jason Wang
Date: Thu, 17 Feb 2022 15:39:48 +0800
Subject: Re: [syzbot] WARNING in vhost_dev_cleanup (2)
To: "Michael S. Tsirkin"
Cc: syzbot, kvm, linux-kernel, netdev, syzkaller-bugs@googlegroups.com, virtualization, Stefan Hajnoczi, Stefano Garzarella
In-Reply-To: <20220217023550-mutt-send-email-mst@kernel.org>
References: <0000000000006f656005d82d24e2@google.com> <20220217023550-mutt-send-email-mst@kernel.org>
List: linux-kernel@vger.kernel.org

On Thu, Feb 17, 2022 at 3:36 PM Michael S. Tsirkin wrote:
>
> On Thu, Feb 17, 2022 at 03:34:13PM +0800, Jason Wang wrote:
> > On Thu, Feb 17, 2022 at 10:01 AM syzbot wrote:
> > >
> > > Hello,
> > >
> > > syzbot found the following issue on:
> > >
> > > HEAD commit:    c5d9ae265b10 Merge tag 'for-linus' of git://git.kernel.org..
> > > git tree:       upstream
> > > console output: https://syzkaller.appspot.com/x/log.txt?x=132e687c700000
> > > kernel config:  https://syzkaller.appspot.com/x/.config?x=a78b064590b9f912
> > > dashboard link: https://syzkaller.appspot.com/bug?extid=1e3ea63db39f2b4440e0
> > > compiler:       gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
> > >
> > > Unfortunately, I don't have any reproducer for this issue yet.
> > >
> > > IMPORTANT: if you fix the issue, please add the following tag to the commit:
> > > Reported-by: syzbot+1e3ea63db39f2b4440e0@syzkaller.appspotmail.com
> > >
> > > WARNING: CPU: 1 PID: 10828 at drivers/vhost/vhost.c:715 vhost_dev_cleanup+0x8b8/0xbc0 drivers/vhost/vhost.c:715
> > > Modules linked in:
> > > CPU: 0 PID: 10828 Comm: syz-executor.0 Not tainted 5.17.0-rc4-syzkaller-00051-gc5d9ae265b10 #0
> > > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
> > > RIP: 0010:vhost_dev_cleanup+0x8b8/0xbc0 drivers/vhost/vhost.c:715
> >
> > Probably a hint that we are missing a flush.
> >
> > Looking at vhost_vsock_stop() that is called by vhost_vsock_dev_release():
> >
> > static int vhost_vsock_stop(struct vhost_vsock *vsock)
> > {
> >         size_t i;
> >         int ret;
> >
> >         mutex_lock(&vsock->dev.mutex);
> >
> >         ret = vhost_dev_check_owner(&vsock->dev);
> >         if (ret)
> >                 goto err;
> >
> > Where it could fail so the device is not actually stopped.
> >
> > I wonder if this is something related.
> >
> > Thanks
>
> But then if that is not the owner then no work should be running, right?

Could it be a buggy user space that passes the fd to another process
and changes the owner just before the mutex_lock() above?

Thanks

> > > Call Trace:
> > > vhost_vsock_dev_release+0x36e/0x4b0 drivers/vhost/vsock.c:771
> > > __fput+0x286/0x9f0 fs/file_table.c:313
> > > task_work_run+0xdd/0x1a0 kernel/task_work.c:164
> > > exit_task_work include/linux/task_work.h:32 [inline]
> > > do_exit+0xb29/0x2a30 kernel/exit.c:806
> > > do_group_exit+0xd2/0x2f0 kernel/exit.c:935
> > > get_signal+0x45a/0x2490 kernel/signal.c:2863
> > > arch_do_signal_or_restart+0x2a9/0x1c40 arch/x86/kernel/signal.c:868
> > > handle_signal_work kernel/entry/common.c:148 [inline]
> > > exit_to_user_mode_loop kernel/entry/common.c:172 [inline]
> > > exit_to_user_mode_prepare+0x17d/0x290 kernel/entry/common.c:207
> > > __syscall_exit_to_user_mode_work kernel/entry/common.c:289 [inline]
> > > syscall_exit_to_user_mode+0x19/0x60 kernel/entry/common.c:300
> > > do_syscall_64+0x42/0xb0 arch/x86/entry/common.c:86
> > > entry_SYSCALL_64_after_hwframe+0x44/0xae
> > >
> > > ---
> > > This report is generated by a bot. It may contain errors.
> > > See https://goo.gl/tpsmEJ for more information about syzbot.
> > > syzbot engineers can be reached at syzkaller@googlegroups.com.
> > >
> > > syzbot will keep track of this issue. See:
> > > https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
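A constructed C model of the scenario discussed in this thread, added here as an illustration and not kernel code: a device whose stop path is gated on an owner check, as in the quoted vhost_vsock_stop(), ends up in the state vhost_dev_cleanup() warns about when the owner has changed before release. The names (check_owner, stop_with_owner_check, cleanup_warns, release_by_former_owner_leaves_work) and the owner-switch step are assumptions of the model, not vhost's API.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed model (example code, not the kernel's): a vhost-style device
 * remembers the mm that owns it, and its stop path is gated on an owner
 * check, as in the quoted vhost_vsock_stop(). */
struct mm { const char *name; };

struct vdev { const struct mm *owner; int queued_work; }; /* owner mm, pending work */

/* Plays the role of vhost_dev_check_owner(): non-zero for a foreign mm. */
static int check_owner(const struct vdev *d, const struct mm *cur)
{
    return d->owner == cur ? 0 : -1;
}

/* Stop path shaped like the quoted vhost_vsock_stop(): it returns before
 * flushing whenever the caller is not the current owner. */
static int stop_with_owner_check(struct vdev *d, const struct mm *cur)
{
    if (check_owner(d, cur))
        return -1;
    d->queued_work = 0;     /* stands in for flushing the vhost work */
    return 0;
}

/* Models the WARN in vhost_dev_cleanup(): work still queued at teardown. */
static bool cleanup_warns(const struct vdev *d)
{
    return d->queued_work > 0;
}

/* The scenario Michael asks about: A owns the device with work queued, the
 * owner is switched to B, then A's release runs the stop and fails the check. */
static bool release_by_former_owner_leaves_work(void)
{
    struct mm a = { "A" }, b = { "B" };
    struct vdev d = { .owner = &a, .queued_work = 2 };
    d.owner = &b;                    /* owner changed before mutex_lock() */
    stop_with_owner_check(&d, &a);   /* A's release: check fails, no flush */
    return cleanup_warns(&d);        /* true: the WARN condition is reached */
}

int main(void)
{
    printf("work left queued after release by former owner: %s\n",
           release_by_former_owner_leaves_work() ? "yes" : "no");
    return 0;
}
```

The model makes the thread's reasoning concrete: whether the WARN is reachable depends on whether the flush on the release path can be skipped, and an owner check in front of it is one way that happens.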