Date: Mon, 5 Jun 2023 10:26:54 +0200
From: Stefano Garzarella
To: Mike Christie
Cc: "Michael S.
  Tsirkin", syzbot, jasowang@redhat.com, kvm@vger.kernel.org, linux-kernel@vger.kernel.org, netdev@vger.kernel.org, syzkaller-bugs@googlegroups.com, virtualization@lists.linux-foundation.org, stefanha@redhat.com
Subject: Re: [syzbot] [kvm?] [net?] [virt?] general protection fault in vhost_work_queue
Message-ID: <4rqrebfglyif4d7i4ufdnj2uqnubvljkeciqmelvotti5iu5ja@fryxznjicgn6>

On Thu, Jun 01, 2023 at 11:33:09AM -0500, Mike Christie wrote:
>On 6/1/23 2:47 AM, Stefano Garzarella wrote:
>>>
>>> static void vhost_worker_free(struct vhost_dev *dev)
>>> {
>>> -	struct vhost_worker *worker = dev->worker;
>>> +	struct vhost_task *vtsk = READ_ONCE(dev->worker.vtsk);
>>>
>>> -	if (!worker)
>>> +	if (!vtsk)
>>> 		return;
>>>
>>> -	dev->worker = NULL;
>>> -	WARN_ON(!llist_empty(&worker->work_list));
>>> -	vhost_task_stop(worker->vtsk);
>>> -	kfree(worker);
>>> +	vhost_task_stop(vtsk);
>>> +	WARN_ON(!llist_empty(&dev->worker.work_list));
>>> +	WRITE_ONCE(dev->worker.vtsk, NULL);
>>
>> The patch LGTM, I just wonder if we should set dev->worker to zero here,
>
>We might want to just set kcov_handle to zero for now.
>
>In 6.3 and older, I think we could do:
>
>1. vhost_dev_set_owner could successfully set dev->worker.
>2. vhost_transport_send_pkt runs vhost_work_queue and sees worker
>is set and adds the vhost_work to the work_list.
>3. vhost_dev_set_owner fails in vhost_attach_cgroups, so we stop
>the worker before the work can be run and set worker to NULL.
>4. We clear kcov_handle and return.
>
>We leave the work on the work_list.
>
>5. Userspace can then retry vhost_dev_set_owner. If that works, then the
>work gets executed ok eventually.
>
>OR
>
>Userspace can just close the device. vhost_vsock_dev_release would
>eventually call vhost_dev_cleanup (vhost_dev_flush won't see a worker
>so will just return), and that will hit the WARN_ON but we would
>proceed ok.
>
>If I do a memset of the worker, then if userspace were to retry
>VHOST_SET_OWNER, we would lose the queued work since the work_list would
>get zero'd. I think it's unlikely this ever happens, but you know best
>so let me know if this a real issue.
>

I don't think it's a problem, though, you're right, we could hide the
warning and thus future bugs, better as you proposed.

Thanks,
Stefano
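Review bot: the reordered WARN_ON(!llist_empty(&dev->worker.work_list)) in the vhost_worker_free hunk now runs after vhost_task_stop(vtsk), and on the failure path laid out in this thread (vhost_dev_set_owner installs the worker, vhost_work_queue adds work, vhost_attach_cgroups then fails and the worker is freed) the list can legitimately be non-empty, so the warning fires on a recoverable state rather than on a bug. Since the function deliberately leaves work_list intact so that a retried VHOST_SET_OWNER still runs the pending work, and only vtsk is reset with WRITE_ONCE(dev->worker.vtsk, NULL), a short comment above the WARN_ON saying that the list is intentionally not cleared, and where kcov_handle is expected to be cleared instead, would keep a later reader from "fixing" it with a memset of dev->worker that silently drops the queued work.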
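The five-step sequence Mike describes (set owner succeeds, work is queued, vhost_attach_cgroups fails and the worker is freed, userspace retries), as an added single-threaded C model that is not code from the patch, the kernel or either author. Every name in it is invented for illustration: the toy_dev, toy_worker, toy_work and toy_task types, a plain singly linked list standing in for the kernel's llist, and two free variants, worker_free_clear_vtsk (reset only vtsk, as the patch does) and worker_free_memset (zero the whole embedded worker, the option Mike weighed). It shows that the non-empty-list warning is hit either way on this path, and that only the memset variant loses the work a retried VHOST_SET_OWNER would otherwise run.

```c
/* Added toy model of the worker lifecycle discussed in the thread.
 * Not kernel code: all types and functions here are hypothetical. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

struct toy_work {
    struct toy_work *next;
    int *counter;                 /* bumped when the work "runs" */
};

struct toy_task { int alive; };   /* stand-in for struct vhost_task */

struct toy_worker {
    struct toy_work *work_list;   /* pending work; stands in for the llist */
    struct toy_task *vtsk;        /* NULL when no worker task exists */
    unsigned long kcov_handle;
};

struct toy_dev {
    struct toy_worker worker;     /* embedded, like dev->worker after the patch */
};

/* vhost_work_queue analogue: queue only while a worker task exists. */
static bool work_queue(struct toy_dev *dev, struct toy_work *w)
{
    if (!dev->worker.vtsk)
        return false;
    w->next = dev->worker.work_list;
    dev->worker.work_list = w;
    return true;
}

/* Worker thread analogue: drain and run everything queued; returns the count. */
static int worker_run(struct toy_dev *dev)
{
    int n = 0;
    struct toy_work *w;
    while ((w = dev->worker.work_list) != NULL) {
        dev->worker.work_list = w->next;
        (*w->counter)++;
        n++;
    }
    return n;
}

/* Free variant 1: stop the task, then reset only vtsk (the patch's approach).
 * Returns whether WARN_ON(!llist_empty(&work_list)) would have fired. */
static bool worker_free_clear_vtsk(struct toy_dev *dev)
{
    struct toy_task *vtsk = dev->worker.vtsk;
    bool warn;
    if (!vtsk)
        return false;
    vtsk->alive = 0;                              /* vhost_task_stop() */
    warn = dev->worker.work_list != NULL;         /* the WARN_ON condition */
    dev->worker.vtsk = NULL;                      /* WRITE_ONCE(vtsk, NULL) */
    return warn;
}

/* Free variant 2: zero the whole worker, which also wipes work_list. */
static bool worker_free_memset(struct toy_dev *dev)
{
    struct toy_task *vtsk = dev->worker.vtsk;
    bool warn;
    if (!vtsk)
        return false;
    vtsk->alive = 0;
    warn = dev->worker.work_list != NULL;
    memset(&dev->worker, 0, sizeof(dev->worker));  /* queued work is lost here */
    return warn;
}

/* Replay steps 1-5 from the thread. Returns how many queued items ran after
 * the retry; *warned records whether the free path saw a non-empty list. */
static int replay(bool use_memset, bool *warned)
{
    struct toy_dev dev;
    struct toy_task task = { 1 };
    struct toy_work work;
    int ran = 0;

    memset(&dev, 0, sizeof(dev));
    work.counter = &ran;

    dev.worker.vtsk = &task;          /* 1. set_owner installs the worker */
    work_queue(&dev, &work);          /* 2. vhost_work_queue sees it and queues */
    *warned = use_memset ? worker_free_memset(&dev)      /* 3. attach_cgroups */
                         : worker_free_clear_vtsk(&dev); /*    fails, worker freed */
    dev.worker.kcov_handle = 0;       /* 4. clear kcov_handle and return */
    task.alive = 1;                   /* 5. userspace retries set_owner, it works */
    dev.worker.vtsk = &task;
    return worker_run(&dev);          /* the new worker drains whatever survived */
}

static int items_run_after_retry(bool use_memset) { bool w; return replay(use_memset, &w); }
static bool free_path_warned(bool use_memset)     { bool w; replay(use_memset, &w); return w; }

int main(void)
{
    printf("clear vtsk only: warned=%d, items run after retry=%d\n",
           free_path_warned(false), items_run_after_retry(false));
    printf("memset worker:   warned=%d, items run after retry=%d\n",
           free_path_warned(true), items_run_after_retry(true));
    return 0;
}
```

Running it prints one item executed after the retry for the clear-only variant and zero for the memset variant, with the warning condition true in both cases; that is the trade-off the thread settles on, keeping the warning as a signal for future bugs rather than hiding it by zeroing the list.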