Date: Thu, 17 Feb 2022 10:48:18 +0100
From: Stefano Garzarella
To: "Michael S. Tsirkin"
Cc: Jason Wang, syzbot, kvm, linux-kernel, netdev, syzkaller-bugs@googlegroups.com, virtualization, Stefan Hajnoczi
Subject: Re: [syzbot] WARNING in vhost_dev_cleanup (2)
References: <0000000000006f656005d82d24e2@google.com> <20220217023550-mutt-send-email-mst@kernel.org> <20220217024359-mutt-send-email-mst@kernel.org>
In-Reply-To: <20220217024359-mutt-send-email-mst@kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Thu, Feb 17, 2022 at 8:50 AM Michael S. Tsirkin wrote:
>
> On Thu, Feb 17, 2022 at 03:39:48PM +0800, Jason Wang wrote:
> > On Thu, Feb 17, 2022 at 3:36 PM Michael S. Tsirkin wrote:
> > >
> > > On Thu, Feb 17, 2022 at 03:34:13PM +0800, Jason Wang wrote:
> > > > On Thu, Feb 17, 2022 at 10:01 AM syzbot wrote:
> > > > >
> > > > > Hello,
> > > > >
> > > > > syzbot found the following issue on:
> > > > >
> > > > > HEAD commit:    c5d9ae265b10 Merge tag 'for-linus' of git://git.kernel.org..
> > > > > git tree:       upstream
> > > > > console output: https://syzkaller.appspot.com/x/log.txt?x=132e687c700000
> > > > > kernel config:  https://syzkaller.appspot.com/x/.config?x=a78b064590b9f912
> > > > > dashboard link: https://syzkaller.appspot.com/bug?extid=1e3ea63db39f2b4440e0
> > > > > compiler:       gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
> > > > >
> > > > > Unfortunately, I don't have any reproducer for this issue yet.
> > > > >
> > > > > IMPORTANT: if you fix the issue, please add the following tag to the commit:
> > > > > Reported-by: syzbot+1e3ea63db39f2b4440e0@syzkaller.appspotmail.com
> > > > >
> > > > > WARNING: CPU: 1 PID: 10828 at drivers/vhost/vhost.c:715 vhost_dev_cleanup+0x8b8/0xbc0 drivers/vhost/vhost.c:715
> > > > > Modules linked in:
> > > > > CPU: 0 PID: 10828 Comm: syz-executor.0 Not tainted 5.17.0-rc4-syzkaller-00051-gc5d9ae265b10 #0
> > > > > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
> > > > > RIP: 0010:vhost_dev_cleanup+0x8b8/0xbc0 drivers/vhost/vhost.c:715
> > > >
> > > > Probably a hint that we are missing a flush.
> > > >
> > > > Looking at vhost_vsock_stop() that is called by vhost_vsock_dev_release():
> > > >
> > > > static int vhost_vsock_stop(struct vhost_vsock *vsock)
> > > > {
> > > >         size_t i;
> > > >         int ret;
> > > >
> > > >         mutex_lock(&vsock->dev.mutex);
> > > >
> > > >         ret = vhost_dev_check_owner(&vsock->dev);
> > > >         if (ret)
> > > >                 goto err;
> > > >
> > > > Where it could fail so the device is not actually stopped.
> > > >
> > > > I wonder if this is something related.
> > > >
> > > > Thanks
> > >
> > > But then if that is not the owner then no work should be running, right?
> >
> > Could it be a buggy user space that passes the fd to another process
> > and changes the owner just before the mutex_lock() above?
> >
> > Thanks
>
> Maybe, but can you be a bit more explicit? what is the set of
> conditions you see that can lead to this?

I think the issue could be in vhost_vsock_stop() as Jason mentioned,
but not related to fd passing; rather, related to the do_exit() function.

Looking at the stack trace, we are in exit_task_work(), which is called
after exit_mm(), so vhost_dev_check_owner() can fail because current->mm
should be NULL at that point.

It seems the fput work is queued by fput_many() in a worker queue, and in
some cases (maybe a lot of files opened?) the work is still queued when
we enter do_exit().

That said, I don't know if we can simply remove that check in
vhost_vsock_stop(), or check if current->mm is NULL, to understand if
the process is exiting.

Stefano
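The ordering the mail describes, modelled in user-space C as an added example (not code from the thread or from the kernel): `exit_mm()` clears `current->mm` before the deferred fput reaches `vhost_vsock_dev_release()`, so the owner check in `vhost_vsock_stop()` fails and the device is left running. The structs, the `worker_running` flag and the `mm_null_means_exit` switch (the "check if current->mm is NULL" idea the mail floats) are simplified stand-ins, not kernel API.

```c
/* Added example: user-space model of the do_exit() ordering discussed in
 * the thread. vhost_dev_check_owner() keeps the kernel's rule (caller's mm
 * must equal the owning mm); everything else is a stand-in. */
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>

struct mm_struct { int id; };
struct task { struct mm_struct *mm; };
struct vhost_dev { struct mm_struct *mm; bool worker_running; };
struct vhost_vsock { struct vhost_dev dev; };

static struct task *current;   /* stand-in for the kernel's current task */

static int vhost_dev_check_owner(struct vhost_dev *dev)
{
    return current->mm == dev->mm ? 0 : -EPERM;
}

/* Stop path as quoted in the thread: give up when the owner check fails.
 * mm_null_means_exit models the variant that treats current->mm == NULL
 * as "the process is exiting" and stops the device anyway. */
static int vhost_vsock_stop(struct vhost_vsock *vsock, bool mm_null_means_exit)
{
    int ret = vhost_dev_check_owner(&vsock->dev);
    if (ret && !(mm_null_means_exit && current->mm == NULL))
        return ret;
    vsock->dev.worker_running = false;   /* the flush/stop that cleanup expects */
    return 0;
}

/* Normal close() from the owning process: the check passes, device stops. */
static int release_by_owner(bool *still_running)
{
    struct mm_struct mm = { 1 };
    struct task task = { &mm };
    struct vhost_vsock vsock = { { &mm, true } };
    current = &task;
    int ret = vhost_vsock_stop(&vsock, false);
    *still_running = vsock.dev.worker_running;
    return ret;
}

/* Release driven by do_exit(): exit_mm() runs first, then exit_task_work()
 * performs the deferred fput that calls into vhost_vsock_stop(). */
static int release_during_exit(bool mm_null_means_exit, bool *still_running)
{
    struct mm_struct mm = { 1 };
    struct task task = { &mm };
    struct vhost_vsock vsock = { { &mm, true } };
    current = &task;
    current->mm = NULL;                  /* exit_mm() */
    int ret = vhost_vsock_stop(&vsock, mm_null_means_exit);   /* fput -> release */
    *still_running = vsock.dev.worker_running;   /* what vhost_dev_cleanup() warns on */
    return ret;
}
```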