Re: [PATCH v4 2/2] vduse: Fix race in vduse_dev_msg_sync and vduse_dev_read_iter

Next message: Hui Zhu: "[PATCH mm-unstable 0/2] mm/mmap: fix crashes in dup_mmap() error path"
Previous message: Benno Lossin: "Re: [PATCH v2 1/2] rust: pin-init: internal: init: remove `#[disable_initialized_field_access]`"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Jason Wang

Date: Wed Mar 04 2026 - 02:01:22 EST

On Thu, Feb 26, 2026 at 7:56 PM Zhang Tianci
<zhangtianci.1997@xxxxxxxxxxxxx> wrote:
>
> There is one race case in vduse_dev_msg_sync and vduse_dev_read_iter:
>
> vduse_dev_read_iter():
> lock(msg_lock);
> dequeue_msg(send_list);
> unlock(msg_lock);
> vduse_dev_msg_sync():
> wait_timeout() finish
> lock(msg_lock);
> check msg->complete is false
> list_del(msg); <- double list_del() crash!
>
> To fix this case, we shall ensure vduse_msg is on send_list or recv_list
> outside the msg_lock critical section.
>
> Fixes: c8a6153b6c59 ("vduse: Introduce VDUSE - vDPA Device in Userspace")
> Cc: stable@xxxxxxxxxxxxxxx
> Signed-off-by: Zhang Tianci <zhangtianci.1997@xxxxxxxxxxxxx>
> Reviewed-by: Xie Yongji <xieyongji@xxxxxxxxxxxxx>
> ---

Acked-by: Jason Wang <jasowang@xxxxxxxxxx>

Thanks