Received-SPF: pass (google.com: domain of linux-kernel+bounces-165523-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.199.223 as permitted sender) client-ip=147.75.199.223;
Message-ID: <6971427a-d3ab-41c8-b34b-be84a594e40b@oracle.com>
Date: Wed, 1 May 2024 10:57:38 -0500
User-Agent: Mozilla Thunderbird
Subject: Re: [PATCH next] vhost_task: after freeing vhost_task it should not
 be accessed in vhost_task_fn
To: Hillf Danton <hdanton@sina.com>, "Michael S. Tsirkin" <mst@redhat.com>
Cc: Edward Adam Davis <eadavis@qq.com>,
        syzbot+98edc2df894917b3431f@syzkaller.appspotmail.com,
        jasowang@redhat.com, kvm@vger.kernel.org, linux-kernel@vger.kernel.org,
        netdev@vger.kernel.org, syzkaller-bugs@googlegroups.com,
        virtualization@lists.linux.dev
References: <b959b82a-510f-45c0-9e06-acf526c2f4a1@oracle.com>
 <20240501001544.1606-1-hdanton@sina.com>
 <20240501075057.1670-1-hdanton@sina.com>
Content-Language: en-US
From: Mike Christie <michael.christie@oracle.com>
In-Reply-To: <20240501075057.1670-1-hdanton@sina.com>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit
Precedence: bulk
MIME-Version: 1.0
X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1
X-MS-Exchange-AntiSpam-MessageData-0: 
	=?utf-8?B?R2pPQ1NTYnRWbE1qMTF4K25uTjBtS05vMUVvQlRPQm9PbUF1NmJlSFMyd1RR?=
 =?utf-8?B?MVBTbmVRc1VGRmw3SlhWMlNKbTU5d1lheDlyOWlGbVkzOHpQQlpYenNXMmpU?=
 =?utf-8?B?c3pnQ2tvenBpS2FaM0VHR21iZmtvV3VKMy9NN1UvUDZxbnZGRGMwODZwTStr?=
 =?utf-8?B?SC96dEhWNEpKc2pFNVdiWHpmYnJxVXYvMzh6aGpYeHdDWHBxKzdUc1I4dzRV?=
 =?utf-8?B?dUd1bGduZEhYOE9xWDJSeHJsYTNXZ1hFSGpmU1RpQ2Z1WGNzOXNaSWpmUXJp?=
 =?utf-8?B?Znk2emtIYmRsaVZmcW1jVW9kV3d2TkFLNkMvTExqSlorVFQ1S2poMlJVQU5q?=
 =?utf-8?B?NFM5NXRxbGRUYWt6WUF6blN3eVNKZ3FwQVNzWnZVNURlV3lyZHd2djVaSitE?=
 =?utf-8?B?SmhkTjVWNldUYkc0SEpWOVJGbkhIanJSNGVJUnIvZUtGYTdONVBLZVdtS0Fp?=
 =?utf-8?B?N3ZUS3QzWnFoUU1uWXJpMVpwSGhNdFMyY2xydno4UDNnS1VRaHp3OGphZ0Ew?=
 =?utf-8?B?YnVoSWFST0VhR0lPRktIT2JhZ0N2TTBCVFdDTU03SnlxL2NJZVRaOHd2UlVD?=
 =?utf-8?B?bEtSNkJDSDAyTVJFejQ5Q3VQTzk2M05RMm9vSlVHdnA3cXd1RE1qcWFyYVhq?=
 =?utf-8?B?enNEOHZockpxS0k4dllpQkNqZk9XQUpJaDk5bnl6MUdhc29KbXRoUE1kRmhk?=
 =?utf-8?B?Z3hJYUhaWTdwMm1EN3Q1d0ExcTJiSHU3cW02ZVU0cXV2OFZMM2pPL1JGbk5a?=
 =?utf-8?B?RFJCYndkMi9vV1d4NkthblllcStDWjBpSU5MbDlhSW5TcllhZWcvQXV6MUJ5?=
 =?utf-8?B?OC9OUkJyUFlWK3hnZkpCeDFIcjBacENmRnI1Q3d0dUtqS0svRzdjRm1CdnVB?=
 =?utf-8?B?MlV4aGlWZ1prNnJjLzZtVU5qUllzMEJSYXFGY3Jkak1KOUpWNHZhcVd2ZFdq?=
 =?utf-8?B?MjFWRTA0TU1vam9OYjRuY2xjSTZuT000dGhDWUttTVFYa25ITkx2RXIrQnJU?=
 =?utf-8?B?TEVqWlpyV1Nlem9WUWRFaTJjaGtRQnlXR29UNFZDT2M5NkVldEpFRGpTRDVE?=
 =?utf-8?B?Tkh4c2JHSXE1dXF0Q1FFQjZIMXVhNW1QZmJmSktmMEJOQnFqN1hBTXREVXZt?=
 =?utf-8?B?K3QyOTg0S25wbFhCcm1DcThzZGgyTGlvREkwT1NDcFZiYTFscGtVRzVwZWRG?=
 =?utf-8?B?NWpFRlpTZ2ZYTmNOWUd6NHVoVkZVYzl0TEFVSkJFa01tYkY4VVg5bk4wd0kz?=
 =?utf-8?B?R3NVMXBDMzJrejJwaExBU0NTQ2VqTEd6TmpEZzFQRXFkZWZCc2krUnZ3S2xF?=
 =?utf-8?B?dkJoUWx6eUFiNWdscVJYcURMS0luYjNIbENPb3dNc002R2w3dmZ3R2pRRERo?=
 =?utf-8?B?d3VwMy9ycDhGeTN2MEp4WSsybWNKMkJNYm04Sm4ycnVWNWRPczF6YlpHY2J6?=
 =?utf-8?B?RDJpS2U1SHpucHB4bXVCMlYyMjYweDdZT3FYK0lraHBvNEVMNERZZXRCYUcr?=
 =?utf-8?B?VjU0Y3FXd2YvWEpsNGZ3Y3JUVGZxb0ZTQlR0Y25GenB5dXJ3eFZWWW9QZy9v?=
 =?utf-8?B?UW1oZTBoVkFGOExCb1JBbHB1TkZTdWR2Qkx1RWgwQXVzWGxleEE4RmtoSTlU?=
 =?utf-8?B?dGYxQmpRcVUzRmhIc1JRQWsvRUFQb2xCK25jUmFrYWdLQzVTQ3Q2ZVozUW9E?=
 =?utf-8?B?Sm1GOTZQa3pLRUYwL3hFYllYMFJ2WWovOHR6TXQ1U3p0UzgyaG9iNFF5QzR3?=
 =?utf-8?B?Y3NFcmNnaXgzaXZkNmMyN2NuTDYxKy82YWtscHIyalpKaEp3Vm1Fc0FrUm4r?=
 =?utf-8?B?TWdjK1BxOWRjdHRHeExMbDdqclFXamxWM2dYc1FtYTliaTk5V3ZkbkhkY2Uz?=
 =?utf-8?B?bGdnUndWcUhadEZPaVNZSHQ0MmxscjlsdU9pMWdPMHBPSFFMamIwQWNheEk4?=
 =?utf-8?B?clRYM3ZFYVB0N0N0TnJHTDVkc1BBQkRZa2dabGpSNERwRTFCSVpkSVAxQTY2?=
 =?utf-8?B?S3hLNHdLbEhhRDlWM01TSGJTeTdlTHArL3VwQlpNdHYycXh2cGc2bUZVV0NO?=
 =?utf-8?B?WG5JdlZjZ2k4bDJ0RHBZdXovcUZvQXJGRHlPcjI4TTVMMk41RWRlQmZNMmJJ?=
 =?utf-8?B?ekdDNmxsTi81djJRRWNjVGJFbEhwU2lFL3pCQzc2Y2pnc2ZNU0tDQzZvSlpZ?=
 =?utf-8?B?dkE9PQ==?=
X-MS-Exchange-AntiSpam-ExternalHop-MessageData-ChunkCount: 1
X-MS-Exchange-AntiSpam-ExternalHop-MessageData-0: 
	U0AjEh6aAb3spnhU1RxfxTEyMJWqsHUfuh7J/O+p6PJ1slrj2dG0k/ZGkTNcp67gEB5ZTT46dtcoDWmZR2C7ynENW67Zd3jdc4FSqZUa7atRUCE5uGqFbAoHFfv/kgamV33nWzSkUAWpv61A1D3qkjKGvBGj9vJ0xDjY1uCYSlLihC9PmoP5ew/Eg/I/sc4sa1ochkXSV4m8Gr3CrdEWzbWtEv5o+BkXnRqm3SMuSt3xjqc7vaToU5HaLUW2y9nwN+j2XDYErPArJaFxvytAVUq7awh2YVlw0FJI2+jiKkXJ0GA1ak+ns2uy+Qq1KvRK+2eK1NcmqC6khLMoKYYfsFTikZS1GjJM1xo4Ao5c+Oc+OO0+dJRMF8UBzyWzaaIHvBhkYPJER/glf5ncPvXZWYFSgWSQRbyJ+EsUYXWZYQrYg9dZ76HD5kYcszDASTwKiCDLB3JJ0rmvT+F3RJVavGcEWmw4v2MEWdzI7XnVdLeBt4sS69XN0blcaN8iEE/Hl83EYzmmG3sd70hocvSOQ6ly5S8or61/JZ6tlefhsk80IzrbugovLBSYZQG3XWj2uCUGnxkkHuXKME5+oAZ1GGcMiV7Oe/OI7soW54V6/os=
X-OriginatorOrg: oracle.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 1e48222c-c692-40ca-b059-08dc69f76de1
X-MS-Exchange-CrossTenant-AuthSource: CY8PR10MB7243.namprd10.prod.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 01 May 2024 15:57:40.2857
 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: 4e2c6054-71cb-48f1-bd6c-3a9705aca71b
X-MS-Exchange-CrossTenant-MailboxType: HOSTED
X-MS-Exchange-CrossTenant-UserPrincipalName: 0MxjeYJcSFDbYFwBELZgfZaumc26cy8EC7obiNjmXnTnLk18SsnC05JqGmLCP9NW1YLzFCaVKxYFEUMfTIt9bXMBS3tQdQyalp3uw1jQTMc=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CY8PR10MB7338
X-Proofpoint-Virus-Version: vendor=baseguard
 engine=ICAP:2.0.293,Aquarius:18.0.1011,Hydra:6.0.650,FMLib:17.11.176.26
 definitions=2024-05-01_16,2024-04-30_01,2023-05-22_02
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 spamscore=0 bulkscore=0 adultscore=0
 phishscore=0 mlxscore=0 suspectscore=0 mlxlogscore=999 malwarescore=0
 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2404010000
 definitions=main-2405010113
X-Proofpoint-GUID: yzBd8FuK229K2A1YmS1YEM6RiOF_mCy_
X-Proofpoint-ORIG-GUID: yzBd8FuK229K2A1YmS1YEM6RiOF_mCy_

On 5/1/24 2:50 AM, Hillf Danton wrote:
> On Wed, 1 May 2024 02:01:20 -0400 Michael S. Tsirkin <mst@redhat.com>
>>
>> and then it failed testing.
>>
> So did my patch [1] but then the reason was spotted [2,3]
> 
> [1] https://lore.kernel.org/lkml/20240430110209.4310-1-hdanton@sina.com/
> [2] https://lore.kernel.org/lkml/20240430225005.4368-1-hdanton@sina.com/
> [3] https://lore.kernel.org/lkml/000000000000a7f8470617589ff2@google.com/

Just to make sure I understand the conclusion.

Edward's patch that just swaps the order of the calls:

https://lore.kernel.org/lkml/tencent_546DA49414E876EEBECF2C78D26D242EE50A@qq.com/

fixes the UAF. I tested the same in my setup. However, when you guys tested it
with sysbot, it also triggered a softirq/RCU warning.

The softirq/RCU part of the issue is fixed with this commit:

https://lore.kernel.org/all/20240427102808.29356-1-qiang.zhang1211@gmail.com/

commit 1dd1eff161bd55968d3d46bc36def62d71fb4785
Author: Zqiang <qiang.zhang1211@gmail.com>
Date:   Sat Apr 27 18:28:08 2024 +0800

    softirq: Fix suspicious RCU usage in __do_softirq()

The problem was that I was testing with -next master which has that patch.
It looks like you guys were testing against bb7a2467e6be which didn't have
the patch, and so that's why you guys still hit the softirq/RCU issue. Later
when you added that patch to your patch, it worked with syzbot.

So is it safe to assume that the softirq/RCU patch above will be upstream
when the vhost changes go in or is there a tag I need to add to my patches?