From: Zhang Tianci
To: mst@redhat.com, jasowang@redhat.com
Cc: xuanzhuo@linux.alibaba.com, eperezma@redhat.com, marco.crivellari@suse.com, anders.roxell@linaro.org, virtualization@lists.linux.dev, linux-kernel@vger.kernel.org, Zhang Tianci, stable@vger.kernel.org, Xie Yongji
Subject: [PATCH v4 2/2] vduse: Fix race in vduse_dev_msg_sync and vduse_dev_read_iter
Date: Thu, 26 Feb 2026 19:55:50 +0800
Message-ID: <20260226115550.1814-3-zhangtianci.1997@bytedance.com>
In-Reply-To: <20260226115550.1814-1-zhangtianci.1997@bytedance.com>
References: <20260226115550.1814-1-zhangtianci.1997@bytedance.com>

There is one race case in vduse_dev_msg_sync and vduse_dev_read_iter:

vduse_dev_read_iter():
        lock(msg_lock);
        dequeue_msg(send_list);
        unlock(msg_lock);
                                vduse_dev_msg_sync():
                                        wait_timeout() finish
                                        lock(msg_lock);
                                        check msg->complete is false
                                        list_del(msg);  <- double list_del() crash!

To fix this case, we shall ensure vduse_msg is on send_list or recv_list
outside the msg_lock critical section.

Fixes: c8a6153b6c59 ("vduse: Introduce VDUSE - vDPA Device in Userspace")
Cc: stable@vger.kernel.org
Signed-off-by: Zhang Tianci Reviewed-by: Xie Yongji Acked-by: Jason Wang --- drivers/vdpa/vdpa_user/vduse_dev.c | 37 ++++++++++++++++++++++-------- 1 file changed, 27 insertions(+), 10 deletions(-) diff --git a/drivers/vdpa/vdpa_user/vduse_dev.c b/drivers/vdpa/vdpa_user/vd= use_dev.c index b37f18a0ce6fd..1ca1811f7594a 100644 --- a/drivers/vdpa/vdpa_user/vduse_dev.c +++ b/drivers/vdpa/vdpa_user/vduse_dev.c @@ -331,6 +331,7 @@ static ssize_t vduse_dev_read_iter(struct kiocb *iocb, = struct iov_iter *to) struct file *file =3D iocb->ki_filp; struct vduse_dev *dev =3D file->private_data; struct vduse_dev_msg *msg; + struct vduse_dev_request req; int size =3D sizeof(struct vduse_dev_request); ssize_t ret; =20 @@ -342,12 +343,11 @@ static ssize_t vduse_dev_read_iter(struct kiocb *iocb= , struct iov_iter *to) msg =3D vduse_dequeue_msg(&dev->send_list); if (msg) break; + spin_unlock(&dev->msg_lock); =20 - ret =3D -EAGAIN; if (file->f_flags & O_NONBLOCK) - goto unlock; + return -EAGAIN; =20 - spin_unlock(&dev->msg_lock); ret =3D wait_event_interruptible_exclusive(dev->waitq, !list_empty(&dev->send_list)); if (ret) 
@@ -355,17 +355,34 @@ static ssize_t vduse_dev_read_iter(struct kiocb *iocb= , struct iov_iter *to) =20 spin_lock(&dev->msg_lock); } + + memcpy(&req, &msg->req, sizeof(req)); + /* + * We must ensure vduse_msg is on send_list or recv_list before unlock + * dev->msg_lock. Because vduse_dev_msg_sync() may be timeout when we + * copy data to userspace, and will call list_del() for this msg. + */ + vduse_enqueue_msg(&dev->recv_list, msg); spin_unlock(&dev->msg_lock); - ret =3D copy_to_iter(&msg->req, size, to); - spin_lock(&dev->msg_lock); + + ret =3D copy_to_iter(&req, size, to); if (ret !=3D size) { + /* + * Roll back: move msg back to send_list if still pending. + * + * NOTE: + * vduse_find_msg() must use req.request_id instead of `msg`. + * A malicious userspace may reply to this request, and wake up + * the caller, after which `msg` will have already been freed. + * And here vduse_find_msg() will return NULL then do nothing. + */ + spin_lock(&dev->msg_lock); + msg =3D vduse_find_msg(&dev->recv_list, req.request_id); + if (msg) + vduse_enqueue_msg_head(&dev->send_list, msg); + spin_unlock(&dev->msg_lock); ret =3D -EFAULT; - vduse_enqueue_msg_head(&dev->send_list, msg); - goto unlock; } - vduse_enqueue_msg(&dev->recv_list, msg); -unlock: - spin_unlock(&dev->msg_lock); =20 return ret; } --=20 2.39.5
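Review bot: the changelog does not mention the restructuring in the `@@ -342,12 +343,11 @@` hunk, where `spin_unlock(&dev->msg_lock)` moves above the `O_NONBLOCK` check and `goto unlock` becomes `return -EAGAIN`; this is forced by the removal of the `unlock:` label later in the function, and one sentence in the commit message saying that the loop now always drops msg_lock before either returning -EAGAIN or sleeping would make the hunk self-explanatory. Lock balance in the visible lines looks right: the unlock happens once per miss, the nonblocking path returns with the lock released, and the `spin_lock(&dev->msg_lock)` at the bottom of the loop re-takes it before the next `vduse_dequeue_msg()`; the interrupted-wait exit after `if (ret)` is outside the hunk context and should be double-checked for the same property.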
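Review bot: in the `@@ -355,17 +355,34 @@` hunk the rollback `msg = vduse_find_msg(&dev->recv_list, req.request_id); if (msg) vduse_enqueue_msg_head(&dev->send_list, msg);` re-enqueues without an explicit `list_del()`, so its correctness rests on two properties that are not visible here: `vduse_find_msg()` must unlink the entry it returns (otherwise msg ends up on both lists, which is exactly the class of bug this patch fixes), and `req.request_id` must not be reused while the request is in flight, or the lookup could move a different message back to send_list. Both are worth stating in the NOTE comment next to the existing remark about a malicious reply freeing `msg`. Two smaller points in the same hunk: the added comment should read "may time out while we copy data to userspace" rather than "may be timeout when we copy data", and "before unlocking dev->msg_lock" rather than "before unlock"; and since `memcpy(&req, &msg->req, sizeof(req))` now feeds `copy_to_iter(&req, size, to)`, `size` and `sizeof(req)` are the same value, so using one of them consistently (or dropping `size`) would avoid a future mismatch.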