From: Zhang Tianci
To: mst@redhat.com, jasowang@redhat.com
Cc: xuanzhuo@linux.alibaba.com, eperezma@redhat.com, marco.crivellari@suse.com, anders.roxell@linaro.org, virtualization@lists.linux.dev, linux-kernel@vger.kernel.org, Zhang Tianci, Xie Yongji
Subject: [PATCH] vduse: Fix msg list race in vduse_dev_read_iter
Date: Fri, 30 Jan 2026 16:15:24 +0800
Message-ID: <20260130081524.81271-1-zhangtianci.1997@bytedance.com>

Move the message to recv_list before dropping msg_lock and copying the request to userspace, avoiding a transient unlinked state that can race with the msg_sync timeout path. Roll back to send_list on copy failures.

Signed-off-by: Zhang Tianci
Reviewed-by: Xie Yongji
---
 drivers/vdpa/vdpa_user/vduse_dev.c | 30 ++++++++++++++++++++++--------
 1 file changed, 22 insertions(+), 8 deletions(-)

diff --git a/drivers/vdpa/vdpa_user/vduse_dev.c b/drivers/vdpa/vdpa_user/vd= use_dev.c index ae357d014564c..b6a558341c06c 100644 --- a/drivers/vdpa/vdpa_user/vduse_dev.c +++ b/drivers/vdpa/vdpa_user/vduse_dev.c @@ -325,6 +325,7 @@ static ssize_t vduse_dev_read_iter(struct kiocb *iocb, = struct iov_iter *to) struct file *file =3D iocb->ki_filp; struct vduse_dev *dev =3D file->private_data; struct vduse_dev_msg *msg; + struct vduse_dev_request req; int size =3D sizeof(struct vduse_dev_request); ssize_t ret; =20
@@ -339,7 +340,7 @@ static ssize_t vduse_dev_read_iter(struct kiocb *iocb, = struct iov_iter *to) =20 ret =3D -EAGAIN; if (file->f_flags & O_NONBLOCK) - goto unlock; + break; =20 spin_unlock(&dev->msg_lock); ret =3D wait_event_interruptible_exclusive(dev->waitq, @@ -349,17 +350,30 @@ static ssize_t vduse_dev_read_iter(struct kiocb *iocb= , struct iov_iter *to) =20 spin_lock(&dev->msg_lock); } + if (!msg) { + spin_unlock(&dev->msg_lock); + return ret; + } + + memcpy(&req, &msg->req, sizeof(req)); + /* + * Move @msg to recv_list before dropping msg_lock. + * This avoids a window where @msg is detached from any list and + * vduse_dev_msg_sync() timeout path may operate on an unlinked node. + */ + vduse_enqueue_msg(&dev->recv_list, msg); spin_unlock(&dev->msg_lock); - ret =3D copy_to_iter(&msg->req, size, to); - spin_lock(&dev->msg_lock); + + ret =3D copy_to_iter(&req, size, to); if (ret !=3D size) { + spin_lock(&dev->msg_lock); + /* Roll back: move msg back to send_list if still pending. */ + msg =3D vduse_find_msg(&dev->recv_list, req.request_id); + if (msg) + vduse_enqueue_msg(&dev->send_list, msg); + spin_unlock(&dev->msg_lock); ret =3D -EFAULT; - vduse_enqueue_msg(&dev->send_list, msg); - goto unlock; } - vduse_enqueue_msg(&dev->recv_list, msg); -unlock: - spin_unlock(&dev->msg_lock); =20 return ret; } --=20 2.39.5
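Review bot: in the @@ -325,6 hunk the new stack copy `struct vduse_dev_request req;` is sized two different ways further down: `memcpy(&req, &msg->req, sizeof(req))` uses `sizeof(req)` while `copy_to_iter(&req, size, to)` and the `ret != size` check use the pre-existing `int size = sizeof(struct vduse_dev_request)`. They are equal today, but now that the local exists the cleaner form is `sizeof(req)` everywhere and dropping `size`, or at least initialising `size` from `sizeof(req)` so the two cannot drift apart.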
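Review bot: in the @@ -339,7 hunk the `break` on O_NONBLOCK leaves the loop with `msg == NULL` and relies on `ret = -EAGAIN;` having been assigned on the line immediately above it; the new `if (!msg) { spin_unlock(&dev->msg_lock); return ret; }` block after the loop is only reachable by that path, yet reads as a generic exit that could return a stale `ret` if another `break` is ever added to the loop. Either return `-EAGAIN` there explicitly or add a one-line comment on the `if (!msg)` check saying that only the O_NONBLOCK path gets here, so the coupling to the earlier assignment is visible.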
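Review bot: in the @@ -349,17 hunk the rollback deliberately re-finds the message by `req.request_id` instead of reusing the `msg` pointer, which is correct because once msg_lock is dropped with the node on recv_list the commit message says the msg_sync timeout path may act on it, but the code does not say so; extend the `/* Roll back: move msg back to send_list if still pending. */` comment to state that `msg` must not be dereferenced after the unlock and that a NULL result from `vduse_find_msg()` means the owner already took it back, otherwise a later cleanup could "simplify" this to `vduse_enqueue_msg(&dev->send_list, msg)` and reintroduce the bug. The comment above `vduse_enqueue_msg(&dev->recv_list, msg)` names the race ("may operate on an unlinked node") but not its consequence; since vduse_dev_msg_sync() is not visible in the diff, spell out what its timeout path does with the node and why re-linking it afterwards is unsafe, and carry that explanation into the commit message as well.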