| Seq | Timestamp | Type | Name | Duration |
|---|---|---|---|---|
| 0/0 | 2026/06/25 16:17 | flow | patch-triage |
0mArgs:null Results: {
"EnableConfigs": [
"VHOST_VSOCK"
],
"FocusSymbols": [
"vhost_vsock_reset_owner",
"vhost_vsock_start",
"vhost_vsock_stop",
"vhost_vsock_dev_ioctl"
],
"Reasoning": "The patch modifies the vhost-vsock driver to handle the VHOST_RESET_OWNER ioctl explicitly, adding a new vhost_vsock_reset_owner function and modifying the packet sending logic to handle device stop/reset correctly. This is reachable from userspace via /dev/vhost-vsock ioctls.",
"WorthFuzzing": true
} |
| 1/1 | 2026/06/25 16:17 | action | read-patch-diff |
0mArgs:null Results: {
"PatchDiff": "commit 585f4f28d11dff42108384ea9341aa8db5a43d9b\nAuthor: syz-cluster \u003ctriage@syzkaller.com\u003e\nDate: Thu Jun 25 16:17:53 2026 +0000\n\n syz-cluster: applied patch under review\n\ndiff --git a/drivers/vhost/vsock.c b/drivers/vhost/vsock.c\nindex 9aaab6bb8061c1..f0a0aa7d320001 100644\n--- a/drivers/vhost/vsock.c\n+++ b/drivers/vhost/vsock.c\n@@ -61,6 +61,7 @@ struct vhost_vsock {\n \n \tu32 guest_cid;\n \tbool seqpacket_allow;\n+\tbool started;\t\t/* set on first SET_RUNNING(1); never cleared */\n };\n \n static u32 vhost_transport_get_local_cid(void)\n@@ -302,17 +303,12 @@ vhost_transport_send_pkt(struct sk_buff *skb, struct net *net)\n \t\treturn -ENODEV;\n \t}\n \n-\t/* Fast-fail if the guest hasn't enabled the RX vq yet. Queuing the packet\n-\t * and making the caller wait is pointless: even if the guest manages to init\n-\t * within the timeout, it'll immediately reply with RST, because there's no\n-\t * listener on the port yet.\n-\t *\n-\t * vhost_vq_get_backend() without vq-\u003emutex is acceptable here: locking\n-\t * the mutex would be too expensive in this hot path, and we already have\n-\t * all the outcomes covered: if the backend becomes NULL right after the check,\n-\t * vhost_transport_do_send_pkt() will check it under the mutex anyway.\n+\t/* Fast-fail until the guest first enables the device (SET_RUNNING(1)).\n+\t * Before that there is no listener, so queuing is pointless. 'started'\n+\t * is never cleared, so once we're up we keep queuing across later\n+\t * stop / CPR-pause windows.\n \t */\n-\tif (unlikely(!data_race(vhost_vq_get_backend(\u0026vsock-\u003evqs[VSOCK_VQ_RX])))) {\n+\tif (unlikely(!READ_ONCE(vsock-\u003estarted))) {\n \t\trcu_read_unlock();\n \t\tkfree_skb(skb);\n \t\treturn -EHOSTUNREACH;\n@@ -322,7 +318,14 @@ vhost_transport_send_pkt(struct sk_buff *skb, struct net *net)\n \t\tatomic_inc(\u0026vsock-\u003equeued_replies);\n \n \tvirtio_vsock_skb_queue_tail(\u0026vsock-\u003esend_pkt_queue, skb);\n-\tvhost_vq_work_queue(\u0026vsock-\u003evqs[VSOCK_VQ_RX], \u0026vsock-\u003esend_pkt_work);\n+\n+\t/* Skip the kick once the backend is gone (stop/RESET_OWNER); the skb\n+\t * stays queued and vhost_vsock_start() drains it. Pairs with the\n+\t * synchronize_rcu() in vhost_vsock_reset_owner().\n+\t */\n+\tif (data_race(vhost_vq_get_backend(\u0026vsock-\u003evqs[VSOCK_VQ_RX])))\n+\t\tvhost_vq_work_queue(\u0026vsock-\u003evqs[VSOCK_VQ_RX],\n+\t\t\t\t \u0026vsock-\u003esend_pkt_work);\n \n \trcu_read_unlock();\n \treturn len;\n@@ -350,7 +353,15 @@ vhost_transport_cancel_pkt(struct vsock_sock *vsk)\n \t\tint new_cnt;\n \n \t\tnew_cnt = atomic_sub_return(cnt, \u0026vsock-\u003equeued_replies);\n-\t\tif (new_cnt + cnt \u003e= tx_vq-\u003enum \u0026\u0026 new_cnt \u003c tx_vq-\u003enum)\n+\n+\t\t/* Skip the kick once the backend is gone (stop/RESET_OWNER):\n+\t\t * vhost_poll_queue() would touch the worker which is being freed\n+\t\t * by teardown, e.g. on RESET_OWNER. Pairs with the\n+\t\t * synchronize_rcu() in vhost_vsock_reset_owner(). The TX VQ is\n+\t\t * re-kicked by vhost_vsock_start().\n+\t\t */\n+\t\tif (data_race(vhost_vq_get_backend(tx_vq)) \u0026\u0026\n+\t\t new_cnt + cnt \u003e= tx_vq-\u003enum \u0026\u0026 new_cnt \u003c tx_vq-\u003enum)\n \t\t\tvhost_poll_queue(\u0026tx_vq-\u003epoll);\n \t}\n \n@@ -640,11 +651,23 @@ static int vhost_vsock_start(struct vhost_vsock *vsock)\n \t\tmutex_unlock(\u0026vq-\u003emutex);\n \t}\n \n+\t/* Set 'started' flag on the first start; never cleared, so send_pkt\n+\t * keeps queuing (instead of fast-failing) on later stop / CPR pauses.\n+\t */\n+\tWRITE_ONCE(vsock-\u003estarted, true);\n+\n \t/* Some packets may have been queued before the device was started,\n \t * let's kick the send worker to send them.\n \t */\n \tvhost_vq_work_queue(\u0026vsock-\u003evqs[VSOCK_VQ_RX], \u0026vsock-\u003esend_pkt_work);\n \n+\t/*\n+\t * Some packets might've also been queued in TX VQ. That is the case\n+\t * during the brief device pause caused by VHOST_RESET_OWNER. Re-scan\n+\t * the TX VQ here, mirroring the RX send-worker kick above.\n+\t */\n+\tvhost_poll_queue(\u0026vsock-\u003evqs[VSOCK_VQ_TX].poll);\n+\n \tmutex_unlock(\u0026vsock-\u003edev.mutex);\n \treturn 0;\n \n@@ -664,9 +687,24 @@ static int vhost_vsock_start(struct vhost_vsock *vsock)\n \treturn ret;\n }\n \n-static int vhost_vsock_stop(struct vhost_vsock *vsock, bool check_owner)\n+static void vhost_vsock_drop_backends(struct vhost_vsock *vsock)\n {\n+\tstruct vhost_virtqueue *vq;\n \tsize_t i;\n+\n+\tlockdep_assert_held(\u0026vsock-\u003edev.mutex);\n+\n+\tfor (i = 0; i \u003c ARRAY_SIZE(vsock-\u003evqs); i++) {\n+\t\tvq = \u0026vsock-\u003evqs[i];\n+\n+\t\tmutex_lock(\u0026vq-\u003emutex);\n+\t\tvhost_vq_set_backend(vq, NULL);\n+\t\tmutex_unlock(\u0026vq-\u003emutex);\n+\t}\n+}\n+\n+static int vhost_vsock_stop(struct vhost_vsock *vsock, bool check_owner)\n+{\n \tint ret = 0;\n \n \tmutex_lock(\u0026vsock-\u003edev.mutex);\n@@ -677,14 +715,7 @@ static int vhost_vsock_stop(struct vhost_vsock *vsock, bool check_owner)\n \t\t\tgoto err;\n \t}\n \n-\tfor (i = 0; i \u003c ARRAY_SIZE(vsock-\u003evqs); i++) {\n-\t\tstruct vhost_virtqueue *vq = \u0026vsock-\u003evqs[i];\n-\n-\t\tmutex_lock(\u0026vq-\u003emutex);\n-\t\tvhost_vq_set_backend(vq, NULL);\n-\t\tmutex_unlock(\u0026vq-\u003emutex);\n-\t}\n-\n+\tvhost_vsock_drop_backends(vsock);\n err:\n \tmutex_unlock(\u0026vsock-\u003edev.mutex);\n \treturn ret;\n@@ -720,6 +751,7 @@ static int vhost_vsock_dev_open(struct inode *inode, struct file *file)\n \n \tvsock-\u003eguest_cid = 0; /* no CID assigned yet */\n \tvsock-\u003eseqpacket_allow = false;\n+\tvsock-\u003estarted = false;\n \n \tatomic_set(\u0026vsock-\u003equeued_replies, 0);\n \n@@ -886,6 +918,36 @@ static int vhost_vsock_set_features(struct vhost_vsock *vsock, u64 features)\n \treturn -EFAULT;\n }\n \n+static int vhost_vsock_reset_owner(struct vhost_vsock *vsock)\n+{\n+\tstruct vhost_iotlb *umem;\n+\tlong err;\n+\n+\tmutex_lock(\u0026vsock-\u003edev.mutex);\n+\terr = vhost_dev_check_owner(\u0026vsock-\u003edev);\n+\tif (err)\n+\t\tgoto done;\n+\tumem = vhost_dev_reset_owner_prepare();\n+\tif (!umem) {\n+\t\terr = -ENOMEM;\n+\t\tgoto done;\n+\t}\n+\tvhost_vsock_drop_backends(vsock);\n+\n+\t/* Let in-flight send_pkt() callers stop touching the worker before the\n+\t * flush + free below. Pairs with the backend check in\n+\t * vhost_transport_send_pkt().\n+\t */\n+\tsynchronize_rcu();\n+\n+\tvhost_vsock_flush(vsock);\n+\tvhost_dev_stop(\u0026vsock-\u003edev);\n+\tvhost_dev_reset_owner(\u0026vsock-\u003edev, umem);\n+done:\n+\tmutex_unlock(\u0026vsock-\u003edev.mutex);\n+\treturn err;\n+}\n+\n static long vhost_vsock_dev_ioctl(struct file *f, unsigned int ioctl,\n \t\t\t\t unsigned long arg)\n {\n@@ -929,6 +991,8 @@ static long vhost_vsock_dev_ioctl(struct file *f, unsigned int ioctl,\n \t\t\treturn -EOPNOTSUPP;\n \t\tvhost_set_backend_features(\u0026vsock-\u003edev, features);\n \t\treturn 0;\n+\tcase VHOST_RESET_OWNER:\n+\t\treturn vhost_vsock_reset_owner(vsock);\n \tdefault:\n \t\tmutex_lock(\u0026vsock-\u003edev.mutex);\n \t\tr = vhost_dev_ioctl(\u0026vsock-\u003edev, ioctl, argp);\n"
} |
| 2/1 | 2026/06/25 16:17 | agent | patch-evaluator |
0mModel:gemini-3.1-pro-preview Args: null Results: {
"EnableConfigs": [
"VHOST_VSOCK"
],
"FocusSymbols": [
"vhost_vsock_reset_owner",
"vhost_vsock_start",
"vhost_vsock_stop",
"vhost_vsock_dev_ioctl"
],
"Reasoning": "The patch modifies the vhost-vsock driver to handle the VHOST_RESET_OWNER ioctl explicitly, adding a new vhost_vsock_reset_owner function and modifying the packet sending logic to handle device stop/reset correctly. This is reachable from userspace via /dev/vhost-vsock ioctls.",
"WorthFuzzing": true
}Instruction: You are an expert Linux kernel maintainer. Your job is to review a provided patch series and determine if it makes functional changes to the kernel that should be fuzzed. IMPORTANT: The changes have ALREADY been applied and committed as the HEAD commit in your workspace. Do NOT rely on your internal knowledge of the kernel. You must actively use your code access tools to examine the actual source code and confirm any assumptions. Return WorthFuzzing=false if the patch only contains: - Modifications to Documentation/, Kconfig files, or code comments. - Purely decorative changes, such as logging (e.g., pr_err, printk) or tracepoints. - Changes to numeric constants or macros that do not functionally alter execution flow. - Code paths that are impossible to reach in virtualized environments like GCE or QEMU, even when utilizing software-emulated hardware (e.g., usb gadget, mac80211_hwsim). If it modifies reachable core kernel logic, drivers, or architectures, use your code search tools to verify the code can be executed, then return WorthFuzzing=true. When returning WorthFuzzing=true, you MUST ALSO: 1. Extract any specific kernel functions that should be heavily fuzzed into FocusSymbols. Avoid listing generic hot-path functions to prevent skewed test distributions. 2. Identify any specific CONFIG_ options required to properly test this new/modified feature. Go and look into the Kconfig files and check for ifdefs around the code, do not make assumptions. Do not list too generic configs (we already have them enabled). Only list those that specifically cover the modified code. List them in the EnableConfigs output array, and DO NOT add a 'CONFIG_' prefix (e.g., return "NET_IPV4" instead of "CONFIG_NET_IPV4"). Prefer calling several tools at the same time to save round-trips. Use set-results tool to provide results of the analysis. It must be called exactly once before the final reply. Ignore results of this tool. Prompt: For your convenience, here is the diff of the changes:
commit 585f4f28d11dff42108384ea9341aa8db5a43d9b
Author: syz-cluster <triage@syzkaller.com>
Date: Thu Jun 25 16:17:53 2026 +0000
syz-cluster: applied patch under review
diff --git a/drivers/vhost/vsock.c b/drivers/vhost/vsock.c
index 9aaab6bb8061c1..f0a0aa7d320001 100644
--- a/drivers/vhost/vsock.c
+++ b/drivers/vhost/vsock.c
@@ -61,6 +61,7 @@ struct vhost_vsock {
u32 guest_cid;
bool seqpacket_allow;
+ bool started; /* set on first SET_RUNNING(1); never cleared */
};
static u32 vhost_transport_get_local_cid(void)
@@ -302,17 +303,12 @@ vhost_transport_send_pkt(struct sk_buff *skb, struct net *net)
return -ENODEV;
}
- /* Fast-fail if the guest hasn't enabled the RX vq yet. Queuing the packet
- * and making the caller wait is pointless: even if the guest manages to init
- * within the timeout, it'll immediately reply with RST, because there's no
- * listener on the port yet.
- *
- * vhost_vq_get_backend() without vq->mutex is acceptable here: locking
- * the mutex would be too expensive in this hot path, and we already have
- * all the outcomes covered: if the backend becomes NULL right after the check,
- * vhost_transport_do_send_pkt() will check it under the mutex anyway.
+ /* Fast-fail until the guest first enables the device (SET_RUNNING(1)).
+ * Before that there is no listener, so queuing is pointless. 'started'
+ * is never cleared, so once we're up we keep queuing across later
+ * stop / CPR-pause windows.
*/
- if (unlikely(!data_race(vhost_vq_get_backend(&vsock->vqs[VSOCK_VQ_RX])))) {
+ if (unlikely(!READ_ONCE(vsock->started))) {
rcu_read_unlock();
kfree_skb(skb);
return -EHOSTUNREACH;
@@ -322,7 +318,14 @@ vhost_transport_send_pkt(struct sk_buff *skb, struct net *net)
atomic_inc(&vsock->queued_replies);
virtio_vsock_skb_queue_tail(&vsock->send_pkt_queue, skb);
- vhost_vq_work_queue(&vsock->vqs[VSOCK_VQ_RX], &vsock->send_pkt_work);
+
+ /* Skip the kick once the backend is gone (stop/RESET_OWNER); the skb
+ * stays queued and vhost_vsock_start() drains it. Pairs with the
+ * synchronize_rcu() in vhost_vsock_reset_owner().
+ */
+ if (data_race(vhost_vq_get_backend(&vsock->vqs[VSOCK_VQ_RX])))
+ vhost_vq_work_queue(&vsock->vqs[VSOCK_VQ_RX],
+ &vsock->send_pkt_work);
rcu_read_unlock();
return len;
@@ -350,7 +353,15 @@ vhost_transport_cancel_pkt(struct vsock_sock *vsk)
int new_cnt;
new_cnt = atomic_sub_return(cnt, &vsock->queued_replies);
- if (new_cnt + cnt >= tx_vq->num && new_cnt < tx_vq->num)
+
+ /* Skip the kick once the backend is gone (stop/RESET_OWNER):
+ * vhost_poll_queue() would touch the worker which is being freed
+ * by teardown, e.g. on RESET_OWNER. Pairs with the
+ * synchronize_rcu() in vhost_vsock_reset_owner(). The TX VQ is
+ * re-kicked by vhost_vsock_start().
+ */
+ if (data_race(vhost_vq_get_backend(tx_vq)) &&
+ new_cnt + cnt >= tx_vq->num && new_cnt < tx_vq->num)
vhost_poll_queue(&tx_vq->poll);
}
@@ -640,11 +651,23 @@ static int vhost_vsock_start(struct vhost_vsock *vsock)
mutex_unlock(&vq->mutex);
}
+ /* Set 'started' flag on the first start; never cleared, so send_pkt
+ * keeps queuing (instead of fast-failing) on later stop / CPR pauses.
+ */
+ WRITE_ONCE(vsock->started, true);
+
/* Some packets may have been queued before the device was started,
* let's kick the send worker to send them.
*/
vhost_vq_work_queue(&vsock->vqs[VSOCK_VQ_RX], &vsock->send_pkt_work);
+ /*
+ * Some packets might've also been queued in TX VQ. That is the case
+ * during the brief device pause caused by VHOST_RESET_OWNER. Re-scan
+ * the TX VQ here, mirroring the RX send-worker kick above.
+ */
+ vhost_poll_queue(&vsock->vqs[VSOCK_VQ_TX].poll);
+
mutex_unlock(&vsock->dev.mutex);
return 0;
@@ -664,9 +687,24 @@ static int vhost_vsock_start(struct vhost_vsock *vsock)
return ret;
}
-static int vhost_vsock_stop(struct vhost_vsock *vsock, bool check_owner)
+static void vhost_vsock_drop_backends(struct vhost_vsock *vsock)
{
+ struct vhost_virtqueue *vq;
size_t i;
+
+ lockdep_assert_held(&vsock->dev.mutex);
+
+ for (i = 0; i < ARRAY_SIZE(vsock->vqs); i++) {
+ vq = &vsock->vqs[i];
+
+ mutex_lock(&vq->mutex);
+ vhost_vq_set_backend(vq, NULL);
+ mutex_unlock(&vq->mutex);
+ }
+}
+
+static int vhost_vsock_stop(struct vhost_vsock *vsock, bool check_owner)
+{
int ret = 0;
mutex_lock(&vsock->dev.mutex);
@@ -677,14 +715,7 @@ static int vhost_vsock_stop(struct vhost_vsock *vsock, bool check_owner)
goto err;
}
- for (i = 0; i < ARRAY_SIZE(vsock->vqs); i++) {
- struct vhost_virtqueue *vq = &vsock->vqs[i];
-
- mutex_lock(&vq->mutex);
- vhost_vq_set_backend(vq, NULL);
- mutex_unlock(&vq->mutex);
- }
-
+ vhost_vsock_drop_backends(vsock);
err:
mutex_unlock(&vsock->dev.mutex);
return ret;
@@ -720,6 +751,7 @@ static int vhost_vsock_dev_open(struct inode *inode, struct file *file)
vsock->guest_cid = 0; /* no CID assigned yet */
vsock->seqpacket_allow = false;
+ vsock->started = false;
atomic_set(&vsock->queued_replies, 0);
@@ -886,6 +918,36 @@ static int vhost_vsock_set_features(struct vhost_vsock *vsock, u64 features)
return -EFAULT;
}
+static int vhost_vsock_reset_owner(struct vhost_vsock *vsock)
+{
+ struct vhost_iotlb *umem;
+ long err;
+
+ mutex_lock(&vsock->dev.mutex);
+ err = vhost_dev_check_owner(&vsock->dev);
+ if (err)
+ goto done;
+ umem = vhost_dev_reset_owner_prepare();
+ if (!umem) {
+ err = -ENOMEM;
+ goto done;
+ }
+ vhost_vsock_drop_backends(vsock);
+
+ /* Let in-flight send_pkt() callers stop touching the worker before the
+ * flush + free below. Pairs with the backend check in
+ * vhost_transport_send_pkt().
+ */
+ synchronize_rcu();
+
+ vhost_vsock_flush(vsock);
+ vhost_dev_stop(&vsock->dev);
+ vhost_dev_reset_owner(&vsock->dev, umem);
+done:
+ mutex_unlock(&vsock->dev.mutex);
+ return err;
+}
+
static long vhost_vsock_dev_ioctl(struct file *f, unsigned int ioctl,
unsigned long arg)
{
@@ -929,6 +991,8 @@ static long vhost_vsock_dev_ioctl(struct file *f, unsigned int ioctl,
return -EOPNOTSUPP;
vhost_set_backend_features(&vsock->dev, features);
return 0;
+ case VHOST_RESET_OWNER:
+ return vhost_vsock_reset_owner(vsock);
default:
mutex_lock(&vsock->dev.mutex);
r = vhost_dev_ioctl(&vsock->dev, ioctl, argp);
|
| 3/2 | 2026/06/25 16:17 | llm | patch-evaluator |
0mModel:gemini-3.1-pro-preview Args: null Results: null Tokens: input: 4134 output: 30 thoughts: 205 Thoughts: Okay, let's break this down. **Analyzing the Vhost-VSOCK Patch and Reachability** Right, so we've got a patch that's touched `drivers/vhost/vsock.c`. The changes involve a new `started` flag within the `vhost_vsock` structure, and it looks like `vhost_transport_send_pkt` and `vhost_transport_cancel_pkt` are getting tweaked. Interesting. Also, a new function, `vhost_vsock_reset_owner`, has been added for handling the `VHOST_RESET_OWNER` ioctl. My immediate thought is, is this even *reachable*? Is this code path active? Well, `drivers/vhost/vsock.c` is the vhost-vsock driver, and that should be pretty clear. It's the provider of the `/dev/vhost-vsock` device node. And the `VHOST_RESET_OWNER` ioctl is handled within that driver. That ioctl implementation is definitely reachable, and thus functional. No concerns there. Now, let's think about the configuration. `drivers/vhost/vsock.c` is compiled based on the `CONFIG_VHOST_VSOCK` config option. I'll need to double-check that this is correctly enabled, but assuming it is, then the code path is certainly valid. I'll look into verifying the config shortly. |
| 4/2 | 2026/06/25 16:18 | tool | grepper |
0mArgs:{
"Expression": "VHOST_VSOCK",
"PathPrefix": "drivers/vhost/"
}Results: {
"Output": "drivers/vhost/Kconfig=46=config VHOST_SCSI\n--\ndrivers/vhost/Kconfig-55-\ndrivers/vhost/Kconfig:56:config VHOST_VSOCK\ndrivers/vhost/Kconfig-57-\ttristate \"vhost virtio-vsock driver\"\n--\ndrivers/vhost/Makefile=6=vhost_scsi-y := scsi.o\ndrivers/vhost/Makefile-7-\ndrivers/vhost/Makefile:8:obj-$(CONFIG_VHOST_VSOCK) += vhost_vsock.o\ndrivers/vhost/Makefile-9-vhost_vsock-y := vsock.o\n--\ndrivers/vhost/vhost.c=858=static void __vhost_vq_attach_worker(struct vhost_virtqueue *vq,\n--\ndrivers/vhost/vhost.c-907-\t\t/*\ndrivers/vhost/vhost.c:908:\t\t * vsock can queue anytime after VHOST_VSOCK_SET_GUEST_CID.\ndrivers/vhost/vhost.c-909-\t\t * Warn if it adds support for multiple workers but forgets to\n--\ndrivers/vhost/vsock.c-21-\ndrivers/vhost/vsock.c:22:#define VHOST_VSOCK_DEFAULT_HOST_CID\t2\ndrivers/vhost/vsock.c-23-/* Max number of bytes transferred before requeueing the job.\ndrivers/vhost/vsock.c-24- * Using this limit prevents one virtqueue from starving others. */\ndrivers/vhost/vsock.c:25:#define VHOST_VSOCK_WEIGHT 0x80000\ndrivers/vhost/vsock.c-26-/* Max number of packets transferred before requeueing the job.\n--\ndrivers/vhost/vsock.c-29- */\ndrivers/vhost/vsock.c:30:#define VHOST_VSOCK_PKT_WEIGHT 256\ndrivers/vhost/vsock.c-31-\ndrivers/vhost/vsock.c=32=static const int vhost_vsock_bits[] = {\n--\ndrivers/vhost/vsock.c-37-\ndrivers/vhost/vsock.c:38:#define VHOST_VSOCK_FEATURES VHOST_FEATURES_U64(vhost_vsock_bits, 0)\ndrivers/vhost/vsock.c-39-\ndrivers/vhost/vsock.c=40=enum {\ndrivers/vhost/vsock.c:41:\tVHOST_VSOCK_BACKEND_FEATURES = (1ULL \u003c\u003c VHOST_BACKEND_F_IOTLB_MSG_V2)\ndrivers/vhost/vsock.c-42-};\n--\ndrivers/vhost/vsock.c=67=static u32 vhost_transport_get_local_cid(void)\ndrivers/vhost/vsock.c-68-{\ndrivers/vhost/vsock.c:69:\treturn VHOST_VSOCK_DEFAULT_HOST_CID;\ndrivers/vhost/vsock.c-70-}\n--\ndrivers/vhost/vsock.c=729=static int vhost_vsock_dev_open(struct inode *inode, struct file *file)\n--\ndrivers/vhost/vsock.c-763-\tvhost_dev_init(\u0026vsock-\u003edev, vqs, ARRAY_SIZE(vsock-\u003evqs),\ndrivers/vhost/vsock.c:764:\t\t UIO_MAXIOV, VHOST_VSOCK_PKT_WEIGHT,\ndrivers/vhost/vsock.c:765:\t\t VHOST_VSOCK_WEIGHT, true, NULL);\ndrivers/vhost/vsock.c-766-\n--\ndrivers/vhost/vsock.c=886=static int vhost_vsock_set_features(struct vhost_vsock *vsock, u64 features)\n--\ndrivers/vhost/vsock.c-890-\ndrivers/vhost/vsock.c:891:\tif (features \u0026 ~VHOST_VSOCK_FEATURES)\ndrivers/vhost/vsock.c-892-\t\treturn -EOPNOTSUPP;\n--\ndrivers/vhost/vsock.c=951=static long vhost_vsock_dev_ioctl(struct file *f, unsigned int ioctl,\n--\ndrivers/vhost/vsock.c-961-\tswitch (ioctl) {\ndrivers/vhost/vsock.c:962:\tcase VHOST_VSOCK_SET_GUEST_CID:\ndrivers/vhost/vsock.c-963-\t\tif (copy_from_user(\u0026guest_cid, argp, sizeof(guest_cid)))\n--\ndrivers/vhost/vsock.c-965-\t\treturn vhost_vsock_set_cid(vsock, guest_cid);\ndrivers/vhost/vsock.c:966:\tcase VHOST_VSOCK_SET_RUNNING:\ndrivers/vhost/vsock.c-967-\t\tif (copy_from_user(\u0026start, argp, sizeof(start)))\n--\ndrivers/vhost/vsock.c-973-\tcase VHOST_GET_FEATURES:\ndrivers/vhost/vsock.c:974:\t\tfeatures = VHOST_VSOCK_FEATURES;\ndrivers/vhost/vsock.c-975-\t\tif (copy_to_user(argp, \u0026features, sizeof(features)))\n--\ndrivers/vhost/vsock.c-982-\tcase VHOST_GET_BACKEND_FEATURES:\ndrivers/vhost/vsock.c:983:\t\tfeatures = VHOST_VSOCK_BACKEND_FEATURES;\ndrivers/vhost/vsock.c-984-\t\tif (copy_to_user(argp, \u0026features, sizeof(features)))\n--\ndrivers/vhost/vsock.c-989-\t\t\treturn -EFAULT;\ndrivers/vhost/vsock.c:990:\t\tif (features \u0026 ~VHOST_VSOCK_BACKEND_FEATURES)\ndrivers/vhost/vsock.c-991-\t\t\treturn -EOPNOTSUPP;\n--\ndrivers/vhost/vsock.c=1048=static struct miscdevice vhost_vsock_misc = {\ndrivers/vhost/vsock.c:1049:\t.minor = VHOST_VSOCK_MINOR,\ndrivers/vhost/vsock.c-1050-\t.name = \"vhost-vsock\",\n--\ndrivers/vhost/vsock.c=1082=MODULE_DESCRIPTION(\"vhost transport for vsock \");\ndrivers/vhost/vsock.c:1083:MODULE_ALIAS_MISCDEV(VHOST_VSOCK_MINOR);\ndrivers/vhost/vsock.c-1084-MODULE_ALIAS(\"devname:vhost-vsock\");\n"
} |
| 5/2 | 2026/06/25 16:18 | llm | patch-evaluator |
0mModel:gemini-3.1-pro-preview Args: null Results: null Tokens: input: 6187 output: 151 thoughts: 1105 Thoughts: **Analysis of the vhost-vsock Patch** Okay, so this patch is aimed squarely at the `drivers/vhost/vsock.c` file. My initial impression is that it's functional and introduces a few significant changes. First, a `started` flag is added to the `vhost_vsock` struct. This is smart; they're changing the logic in `vhost_transport_send_pkt` to rely on this `started` flag instead of just checking for a non-NULL backend. This is cleaner and makes the control flow more explicit. The `vhost_vsock_start` function now sets this `started` flag, which makes sense. The most interesting part is the addition of `vhost_vsock_reset_owner`. This is clearly in response to handling the `VHOST_RESET_OWNER` ioctl. Previously, this was handled by a generic handler, but now, it has dedicated logic for vsock. The patch also introduces `vhost_vsock_drop_backends`, called from both `vhost_vsock_stop` and `vhost_vsock_reset_owner`. This suggests a careful cleanup procedure when the device is stopped or reset. The patch is definitely reachable; the vhost-vsock driver is exposed via `/dev/vhost-vsock` ioctls. I see that `vhost_vsock_dev_ioctl` handles `VHOST_RESET_OWNER` now, instead of the default ioctl handler. I'm focusing on the explicit handling of `VHOST_RESET_OWNER`. I've checked the `Kconfig` file, and `CONFIG_VHOST_VSOCK` is the relevant config option. I need to decide which functions are the key ones to focus on for fuzzing. I initially looked at `vhost_vsock_reset_owner`, `vhost_vsock_dev_ioctl`, `vhost_vsock_start`, `vhost_vsock_stop`, `vhost_transport_send_pkt`, and `vhost_transport_cancel_pkt`, but `vhost_transport_send_pkt` and `vhost_transport_cancel_pkt` are hot-path, so I will avoid them. So, the key functions are `vhost_vsock_reset_owner`, `vhost_vsock_dev_ioctl`, `vhost_vsock_start`, and `vhost_vsock_stop`. Looking at the implementation of `vhost_vsock_reset_owner`, it's clear this warrants fuzzing. It handles owner reset, including synchronization, backend dropping, flushing, device stopping, and reset. The code looks correct, but it's complex enough to benefit from fuzzing. I've confirmed that `vhost_vsock_dev_ioctl` is the entry point for the `/dev/vhost-vsock` ioctl handling, which confirms `VHOST_RESET_OWNER` is reachable. I've also checked the config dependencies, and `VHOST_VSOCK` depends on `VHOST` and `VSOCKETS`, but listing `VHOST_VSOCK` is sufficient. My conclusion is that this patch is definitely worth fuzzing. I'll focus on the functions: `vhost_vsock_reset_owner`, `vhost_vsock_start`, `vhost_vsock_stop`, and also include `vhost_vsock_dev_ioctl` as an entry point. The primary config is `VHOST_VSOCK`. The main reason to fuzz is that the patch explicitly handles the `VHOST_RESET_OWNER` ioctl, adding a new `vhost_vsock_reset_owner` function, and modifies the packet-sending logic. These changes are reachable from userspace through `/dev/vhost-vsock` ioctls. |
| 6/2 | 2026/06/25 16:18 | tool | set-results |
0mArgs:{
"EnableConfigs": [
"VHOST_VSOCK"
],
"FocusSymbols": [
"vhost_vsock_reset_owner",
"vhost_vsock_start",
"vhost_vsock_stop",
"vhost_vsock_dev_ioctl"
],
"Reasoning": "The patch modifies the vhost-vsock driver to handle the VHOST_RESET_OWNER ioctl explicitly, adding a new vhost_vsock_reset_owner function and modifying the packet sending logic to handle device stop/reset correctly. This is reachable from userspace via /dev/vhost-vsock ioctls.",
"WorthFuzzing": true
}Results: {
"EnableConfigs": [
"VHOST_VSOCK"
],
"FocusSymbols": [
"vhost_vsock_reset_owner",
"vhost_vsock_start",
"vhost_vsock_stop",
"vhost_vsock_dev_ioctl"
],
"Reasoning": "The patch modifies the vhost-vsock driver to handle the VHOST_RESET_OWNER ioctl explicitly, adding a new vhost_vsock_reset_owner function and modifying the packet sending logic to handle device stop/reset correctly. This is reachable from userspace via /dev/vhost-vsock ioctls.",
"WorthFuzzing": true
} |
| Total Calls | Total Tokens | Avg Tokens | Total Duration (Seconds) | Avg Duration (Seconds) |
|---|
| Total Calls | Total Duration (Seconds) | Avg Duration (Seconds) |
|---|