From: Zhang Tianci
To: mst@redhat.com, jasowang@redhat.com
Cc: xuanzhuo@linux.alibaba.com, eperezma@redhat.com, marco.crivellari@suse.com, anders.roxell@linaro.org, virtualization@lists.linux.dev, linux-kernel@vger.kernel.org, Zhang Tianci, Xie Yongji
Subject: [PATCH v3 1/2] vduse: Requeue failed read to send_list head
Date: Mon, 2 Feb 2026 15:26:54 +0800
Message-ID: <20260202072655.95143-2-zhangtianci.1997@bytedance.com>
In-Reply-To: <20260202072655.95143-1-zhangtianci.1997@bytedance.com>
References: <20260202072655.95143-1-zhangtianci.1997@bytedance.com>

When copy_to_iter() fails in vduse_dev_read_iter(), put the message back at the head of send_list to preserve FIFO ordering and retry the oldest pending request first.

Fixes: c8a6153b6c59 ("vduse: Introduce VDUSE - vDPA Device in Userspace")
Reported-by: Michael S. Tsirkin
Suggested-by: Xie Yongji
Signed-off-by: Zhang Tianci
Reviewed-by: Xie Yongji
---
 drivers/vdpa/vdpa_user/vduse_dev.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/drivers/vdpa/vdpa_user/vduse_dev.c b/drivers/vdpa/vdpa_user/vd= use_dev.c index ae357d014564c..b37f18a0ce6fd 100644 --- a/drivers/vdpa/vdpa_user/vduse_dev.c +++ b/drivers/vdpa/vdpa_user/vduse_dev.c
@@ -194,6 +194,12 @@ static void vduse_enqueue_msg(struct list_head *head, list_add_tail(&msg->list, head); } =20 +static void vduse_enqueue_msg_head(struct list_head *head, + struct vduse_dev_msg *msg) +{ + list_add(&msg->list, head); +} + static void vduse_dev_broken(struct vduse_dev *dev) { struct vduse_dev_msg *msg, *tmp; 
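Review bot: vduse_enqueue_msg_head() should carry a one-line comment saying it is only for putting a message that was just dequeued back on the list it came from. It sits directly below vduse_enqueue_msg() with the same signature, and calling it for a new message would place that message ahead of older pending ones, which is the ordering this patch sets out to keep.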
@@ -354,7 +360,7 @@ static ssize_t vduse_dev_read_iter(struct kiocb *iocb, = struct iov_iter *to) spin_lock(&dev->msg_lock); if (ret !=3D size) { ret =3D -EFAULT; - vduse_enqueue_msg(&dev->send_list, msg); + vduse_enqueue_msg_head(&dev->send_list, msg); goto unlock; } vduse_enqueue_msg(&dev->recv_list, msg); --=20 2.39.5

From: Zhang Tianci
To: mst@redhat.com, jasowang@redhat.com
Cc: xuanzhuo@linux.alibaba.com, eperezma@redhat.com, marco.crivellari@suse.com, anders.roxell@linaro.org, virtualization@lists.linux.dev, linux-kernel@vger.kernel.org, Zhang Tianci, stable@vger.kernel.org, Xie Yongji
Subject: [PATCH v3 2/2] vduse: Fix race in vduse_dev_msg_sync and vduse_dev_read_iter
Date: Mon, 2 Feb 2026 15:26:55 +0800
Message-ID: <20260202072655.95143-3-zhangtianci.1997@bytedance.com>
In-Reply-To: <20260202072655.95143-1-zhangtianci.1997@bytedance.com>
References: <20260202072655.95143-1-zhangtianci.1997@bytedance.com>

There is one race case in vduse_dev_msg_sync and vduse_dev_read_iter:

vduse_dev_read_iter():
  lock(msg_lock);
  dequeue_msg(send_list);
  unlock(msg_lock);
vduse_dev_msg_sync():
  wait_timeout() finish
  lock(msg_lock);
  check msg->complete is false
  list_del(msg); <- double list_del() crash!

To fix this case, we shall ensure vduse_msg is on send_list or recv_list outside the msg_lock critical section.

Fixes: c8a6153b6c59 ("vduse: Introduce VDUSE - vDPA Device in Userspace")
Cc: stable@vger.kernel.org
Signed-off-by: Zhang Tianci
Reviewed-by: Xie Yongji
---
 drivers/vdpa/vdpa_user/vduse_dev.c | 30 ++++++++++++++++++++++--------
 1 file changed, 22 insertions(+), 8 deletions(-)

diff --git a/drivers/vdpa/vdpa_user/vduse_dev.c b/drivers/vdpa/vdpa_user/vd= use_dev.c index b37f18a0ce6fd..1e274688bba32 100644 --- a/drivers/vdpa/vdpa_user/vduse_dev.c +++ b/drivers/vdpa/vdpa_user/vduse_dev.c
@@ -331,6 +331,7 @@ static ssize_t vduse_dev_read_iter(struct kiocb *iocb, = struct iov_iter *to) struct file *file =3D iocb->ki_filp; struct vduse_dev *dev =3D file->private_data; struct vduse_dev_msg *msg; + struct vduse_dev_request req; int size =3D sizeof(struct vduse_dev_request); ssize_t ret; =20 @@ -345,7 +346,7 @@ static ssize_t vduse_dev_read_iter(struct kiocb *iocb, = struct iov_iter *to) =20 ret =3D -EAGAIN; if (file->f_flags & O_NONBLOCK) - goto unlock; + break; =20 spin_unlock(&dev->msg_lock); ret =3D wait_event_interruptible_exclusive(dev->waitq, @@ -355,17 +356,30 @@ static ssize_t vduse_dev_read_iter(struct kiocb *iocb= , struct iov_iter *to) =20 spin_lock(&dev->msg_lock); } + if (!msg) { + spin_unlock(&dev->msg_lock); + return ret; + } + + memcpy(&req, &msg->req, sizeof(req)); + /* + * We must ensure vduse_msg is on send_list or recv_list before unlock + * dev->msg_lock. Because vduse_dev_msg_sync() may be timeout when we + * copy data to userspace, and will call list_del() for this msg. + */ + vduse_enqueue_msg(&dev->recv_list, msg); spin_unlock(&dev->msg_lock); - ret =3D copy_to_iter(&msg->req, size, to); - spin_lock(&dev->msg_lock); + + ret =3D copy_to_iter(&req, size, to); if (ret !=3D size) { + spin_lock(&dev->msg_lock); + /* Roll back: move msg back to send_list if still pending. */ + msg =3D vduse_find_msg(&dev->recv_list, req.request_id); + if (msg) + vduse_enqueue_msg_head(&dev->send_list, msg); + spin_unlock(&dev->msg_lock); ret =3D -EFAULT; - vduse_enqueue_msg_head(&dev->send_list, msg); - goto unlock; } - vduse_enqueue_msg(&dev->recv_list, msg); -unlock: - spin_unlock(&dev->msg_lock); =20 return ret; } --=20 2.39.5
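Review bot: In the rollback branch of the last hunk (the "if (ret != size)" block), the pointer returned by vduse_find_msg(&dev->recv_list, req.request_id) goes straight into vduse_enqueue_msg_head(), which calls list_add(). That is only safe if vduse_find_msg() has already unlinked the entry from recv_list, and nothing visible in this hunk shows that it does; please state that dependency in the "Roll back" comment or unlink explicitly before the list_add(). The same comment should also say that a NULL result means vduse_dev_msg_sync() already removed the message while the copy was in progress, so returning -EFAULT without requeueing is intended. Separately, the message now sits on recv_list before userspace has received the request, so the comment above vduse_enqueue_msg(&dev->recv_list, msg) should say why a reply matching that request_id arriving in this window is either impossible or harmless.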