6.18-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 15 May 2026 15:15:19 +0000 (17:15 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 15 May 2026 15:15:19 +0000 (17:15 +0200)
added patches:
vsock-fix-buffer-size-clamping-order.patch
vsock-virtio-fix-accept-queue-count-leak-on-transport-mismatch.patch
vsock-virtio-fix-empty-payload-in-tap-skb-for-non-linear-buffers.patch
vsock-virtio-fix-length-and-offset-in-tap-skb-for-split-packets.patch
vsock-virtio-fix-potential-unbounded-skb-queue.patch

queue-6.18/series
queue-6.18/vsock-fix-buffer-size-clamping-order.patch [new file with mode: 0644]
queue-6.18/vsock-virtio-fix-accept-queue-count-leak-on-transport-mismatch.patch [new file with mode: 0644]
queue-6.18/vsock-virtio-fix-empty-payload-in-tap-skb-for-non-linear-buffers.patch [new file with mode: 0644]
queue-6.18/vsock-virtio-fix-length-and-offset-in-tap-skb-for-split-packets.patch [new file with mode: 0644]
queue-6.18/vsock-virtio-fix-potential-unbounded-skb-queue.patch [new file with mode: 0644]

index 7964a51a654127c0ab67488e3cd5b088b62a1a16..cef1c707b1093c4fc30605964368eba6cfe4a0e6 100644 (file)
@@ -179,3 +179,8 @@ tracing-fprobe-optimization-for-entry-only-case.patch
 tracing-fprobe-unregister-fprobe-even-if-memory-allocation-fails.patch
 tracing-fprobe-remove-fprobe-from-hash-in-failure-path.patch
 batman-adv-tp_meter-fix-tp_num-leak-on-kmalloc-failure.patch
+vsock-fix-buffer-size-clamping-order.patch
+vsock-virtio-fix-length-and-offset-in-tap-skb-for-split-packets.patch
+vsock-virtio-fix-empty-payload-in-tap-skb-for-non-linear-buffers.patch
+vsock-virtio-fix-potential-unbounded-skb-queue.patch
+vsock-virtio-fix-accept-queue-count-leak-on-transport-mismatch.patch
diff --git a/queue-6.18/vsock-fix-buffer-size-clamping-order.patch b/queue-6.18/vsock-fix-buffer-size-clamping-order.patch
new file mode 100644 (file)
index 0000000..730c1c6
--- /dev/null
@@ -0,0 +1,50 @@
+From d114bfdc9b76bf93b881e195b7ec957c14227bab Mon Sep 17 00:00:00 2001
+From: Norbert Szetei <norbert@doyensec.com>
+Date: Thu, 9 Apr 2026 18:34:12 +0200
+Subject: vsock: fix buffer size clamping order
+
+From: Norbert Szetei <norbert@doyensec.com>
+
+commit d114bfdc9b76bf93b881e195b7ec957c14227bab upstream.
+
+In vsock_update_buffer_size(), the buffer size was being clamped to the
+maximum first, and then to the minimum. If a user sets a minimum buffer
+size larger than the maximum, the minimum check overrides the maximum
+check, inverting the constraint.
+
+This breaks the intended socket memory boundaries by allowing the
+vsk->buffer_size to grow beyond the configured vsk->buffer_max_size.
+
+Fix this by checking the minimum first, and then the maximum. This
+ensures the buffer size never exceeds the buffer_max_size.
+
+Fixes: b9f2b0ffde0c ("vsock: handle buffer_size sockopts in the core")
+Suggested-by: Stefano Garzarella <sgarzare@redhat.com>
+Signed-off-by: Norbert Szetei <norbert@doyensec.com>
+Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
+Link: https://patch.msgid.link/180118C5-8BCF-4A63-A305-4EE53A34AB9C@doyensec.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Cc: Luigi Leonardi <leonardi@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/vmw_vsock/af_vsock.c |    6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/net/vmw_vsock/af_vsock.c
++++ b/net/vmw_vsock/af_vsock.c
+@@ -1846,12 +1846,12 @@ static void vsock_update_buffer_size(str
+                                    const struct vsock_transport *transport,
+                                    u64 val)
+ {
+-      if (val > vsk->buffer_max_size)
+-              val = vsk->buffer_max_size;
+-
+       if (val < vsk->buffer_min_size)
+               val = vsk->buffer_min_size;
++      if (val > vsk->buffer_max_size)
++              val = vsk->buffer_max_size;
++
+       if (val != vsk->buffer_size &&
+           transport && transport->notify_buffer_size)
+               transport->notify_buffer_size(vsk, &val);
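Review bot: After the reorder, a configuration with buffer_min_size > buffer_max_size is still accepted and resolved silently in favour of the maximum, so `val` ends up below the user's minimum with no feedback, and nothing in the hunk records that this precedence is intended. A one-line comment between the two clamps, `/* max wins over an inconsistent min > max configuration */`, would document the choice; if the sockopt setters for the min and max limits (not visible here) do not reject min > max, that is where the inconsistency should be refused rather than here. Note the clamps use vsk->buffer_min_size and vsk->buffer_max_size as they are at call time, so the order of userspace setsockopt calls decides which value gets clamped. vsock_update_buffer_size starts and ends outside this hunk.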
diff --git a/queue-6.18/vsock-virtio-fix-accept-queue-count-leak-on-transport-mismatch.patch b/queue-6.18/vsock-virtio-fix-accept-queue-count-leak-on-transport-mismatch.patch
new file mode 100644 (file)
index 0000000..f2c744e
--- /dev/null
@@ -0,0 +1,54 @@
+From 52bcb57a4e8a0865a76c587c2451906342ae1b2d Mon Sep 17 00:00:00 2001
+From: Dudu Lu <phx0fer@gmail.com>
+Date: Mon, 13 Apr 2026 21:14:09 +0800
+Subject: vsock/virtio: fix accept queue count leak on transport mismatch
+
+From: Dudu Lu <phx0fer@gmail.com>
+
+commit 52bcb57a4e8a0865a76c587c2451906342ae1b2d upstream.
+
+virtio_transport_recv_listen() calls sk_acceptq_added() before
+vsock_assign_transport(). If vsock_assign_transport() fails or
+selects a different transport, the error path returns without
+calling sk_acceptq_removed(), permanently incrementing
+sk_ack_backlog.
+
+After approximately backlog+1 such failures, sk_acceptq_is_full()
+returns true, causing the listener to reject all new connections.
+
+Fix by moving sk_acceptq_added() to after the transport validation,
+matching the pattern used by vmci_transport and hyperv_transport.
+
+Fixes: c0cfa2d8a788 ("vsock: add multi-transports support")
+Signed-off-by: Dudu Lu <phx0fer@gmail.com>
+Reviewed-by: Bobby Eshleman <bobbyeshleman@meta.com>
+Reviewed-by: Luigi Leonardi <leonardi@redhat.com>
+Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
+Acked-by: Michael S. Tsirkin <mst@redhat.com>
+Link: https://patch.msgid.link/20260413131409.19022-1-phx0fer@gmail.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Cc: Luigi Leonardi <leonardi@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/vmw_vsock/virtio_transport_common.c |    3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/net/vmw_vsock/virtio_transport_common.c
++++ b/net/vmw_vsock/virtio_transport_common.c
+@@ -1530,8 +1530,6 @@ virtio_transport_recv_listen(struct sock
+               return -ENOMEM;
+       }
+-      sk_acceptq_added(sk);
+-
+       lock_sock_nested(child, SINGLE_DEPTH_NESTING);
+       child->sk_state = TCP_ESTABLISHED;
+@@ -1553,6 +1551,7 @@ virtio_transport_recv_listen(struct sock
+               return ret;
+       }
++      sk_acceptq_added(sk);
+       if (virtio_transport_space_update(child, skb))
+               child->sk_write_space(child);
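Review bot: The reason sk_acceptq_added() must stay after vsock_assign_transport() now lives only in the commit message, so the next refactor can hoist it back above the transport check without anything in the code objecting; a comment on the moved line would pin it, e.g. `/* Count the child only once it can no longer fail; every earlier return must leave sk_ack_backlog untouched. */`. I cannot see from here whether the `return ret` path above releases the child's lock and drops its reference, only that it no longer leaks a backlog slot. The earlier sk_acceptq_is_full() check that this counter feeds is also outside the hunk, as are the start and end of virtio_transport_recv_listen.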
diff --git a/queue-6.18/vsock-virtio-fix-empty-payload-in-tap-skb-for-non-linear-buffers.patch b/queue-6.18/vsock-virtio-fix-empty-payload-in-tap-skb-for-non-linear-buffers.patch
new file mode 100644 (file)
index 0000000..df4d8b5
--- /dev/null
@@ -0,0 +1,96 @@
+From 3a3e3d90cbc79600544536723911657730759af3 Mon Sep 17 00:00:00 2001
+From: Stefano Garzarella <sgarzare@redhat.com>
+Date: Fri, 8 May 2026 18:44:11 +0200
+Subject: vsock/virtio: fix empty payload in tap skb for non-linear buffers
+
+From: Stefano Garzarella <sgarzare@redhat.com>
+
+commit 3a3e3d90cbc79600544536723911657730759af3 upstream.
+
+For non-linear skbs, virtio_transport_build_skb() goes through
+virtio_transport_copy_nonlinear_skb() to copy the original payload
+in the new skb to be delivered to the vsockmon tap device.
+This manually initializes an iov_iter but does not set iov_iter.count.
+Since the iov_iter is zero-initialized, the copy length is zero and no
+payload is actually copied to the monitor interface, leaving data
+un-initialized.
+
+Fix this by removing the linear vs non-linear split and using
+skb_copy_datagram_iter() with iov_iter_kvec() for all cases, as
+vhost-vsock already does. This handles both linear and non-linear skbs,
+properly initializes the iov_iter, and removes the now unused
+virtio_transport_copy_nonlinear_skb().
+
+While touching this code, let's also check the return value of
+skb_copy_datagram_iter(), even though it's unlikely to fail.
+
+Fixes: 4b0bf10eb077 ("vsock/virtio: non-linear skb handling for tap")
+Reported-by: Yiqi Sun <sunyiqixm@gmail.com>
+Signed-off-by: Stefano Garzarella <sgarzare@redhat.com>
+Reviewed-by: Bobby Eshleman <bobbyeshleman@meta.com>
+Reviewed-by: Arseniy Krasnov <avkrasnov@rulkc.org>
+Link: https://patch.msgid.link/20260508164411.261440-3-sgarzare@redhat.com
+Acked-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Cc: Luigi Leonardi <leonardi@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/vmw_vsock/virtio_transport_common.c |   40 +++++++++-----------------------
+ 1 file changed, 12 insertions(+), 28 deletions(-)
+
+--- a/net/vmw_vsock/virtio_transport_common.c
++++ b/net/vmw_vsock/virtio_transport_common.c
+@@ -139,27 +139,6 @@ static void virtio_transport_init_hdr(st
+       hdr->fwd_cnt    = cpu_to_le32(0);
+ }
+-static void virtio_transport_copy_nonlinear_skb(const struct sk_buff *skb,
+-                                              void *dst,
+-                                              size_t len)
+-{
+-      struct iov_iter iov_iter = { 0 };
+-      struct kvec kvec;
+-      size_t to_copy;
+-
+-      kvec.iov_base = dst;
+-      kvec.iov_len = len;
+-
+-      iov_iter.iter_type = ITER_KVEC;
+-      iov_iter.kvec = &kvec;
+-      iov_iter.nr_segs = 1;
+-
+-      to_copy = min_t(size_t, len, skb->len);
+-
+-      skb_copy_datagram_iter(skb, VIRTIO_VSOCK_SKB_CB(skb)->offset,
+-                             &iov_iter, to_copy);
+-}
+-
+ /* Packet capture */
+ static struct sk_buff *virtio_transport_build_skb(void *opaque)
+ {
+@@ -217,13 +196,18 @@ static struct sk_buff *virtio_transport_
+       skb_put_data(skb, pkt_hdr, sizeof(*pkt_hdr));
+       if (payload_len) {
+-              if (skb_is_nonlinear(pkt)) {
+-                      void *data = skb_put(skb, payload_len);
+-
+-                      virtio_transport_copy_nonlinear_skb(pkt, data, payload_len);
+-              } else {
+-                      skb_put_data(skb, pkt->data + VIRTIO_VSOCK_SKB_CB(pkt)->offset,
+-                                   payload_len);
++              struct iov_iter iov_iter;
++              struct kvec kvec;
++              void *data = skb_put(skb, payload_len);
++
++              kvec.iov_base = data;
++              kvec.iov_len = payload_len;
++              iov_iter_kvec(&iov_iter, ITER_DEST, &kvec, 1, payload_len);
++
++              if (skb_copy_datagram_iter(pkt, VIRTIO_VSOCK_SKB_CB(pkt)->offset,
++                                         &iov_iter, payload_len)) {
++                      kfree_skb(skb);
++                      return NULL;
+               }
+       }
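Review bot: The new error branch changes the failure mode from truncation to drop — the removed helper bounded the copy with `min_t(size_t, len, skb->len)`, whereas skb_copy_datagram_iter() now fails when `pkt_hdr->len` claims more bytes than `pkt` holds past `offset` and the whole tap frame is freed — but the code does not say so. A comment on the `if`, `/* Fails only if the header length exceeds the data present after offset; drop the tap frame rather than emit uninitialized bytes. */`, would explain why the frame is discarded instead of trimmed. Presumably the caller already treats NULL as "nothing to deliver", since the alloc_skb() failure earlier in this function returns NULL too, but that return is outside the hunk. virtio_transport_build_skb starts and ends outside this hunk.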
diff --git a/queue-6.18/vsock-virtio-fix-length-and-offset-in-tap-skb-for-split-packets.patch b/queue-6.18/vsock-virtio-fix-length-and-offset-in-tap-skb-for-split-packets.patch
new file mode 100644 (file)
index 0000000..69ca2b5
--- /dev/null
@@ -0,0 +1,65 @@
+From 5f344d809e015fba3709e5219428c00b8ac5d7df Mon Sep 17 00:00:00 2001
+From: Stefano Garzarella <sgarzare@redhat.com>
+Date: Fri, 8 May 2026 18:44:10 +0200
+Subject: vsock/virtio: fix length and offset in tap skb for split packets
+
+From: Stefano Garzarella <sgarzare@redhat.com>
+
+commit 5f344d809e015fba3709e5219428c00b8ac5d7df upstream.
+
+virtio_transport_build_skb() builds a new skb to be delivered to the
+vsockmon tap device. To build the new skb, it uses the original skb
+data length as payload length, but as the comment notes, the original
+packet stored in the skb may have been split in multiple packets, so we
+need to use the length in the header, which is correctly updated before
+the packet is delivered to the tap, and the offset for the data.
+
+This was also similar to what we did before commit 71dc9ec9ac7d
+("virtio/vsock: replace virtio_vsock_pkt with sk_buff") where we probably
+missed something during the skb conversion.
+
+Also update the comment above, which was left stale by the skb
+conversion and still mentioned a buffer pointer that no longer exists.
+
+Fixes: 71dc9ec9ac7d ("virtio/vsock: replace virtio_vsock_pkt with sk_buff")
+Signed-off-by: Stefano Garzarella <sgarzare@redhat.com>
+Reviewed-by: Bobby Eshleman <bobbyeshleman@meta.com>
+Reviewed-by: Arseniy Krasnov <avkrasnov@rulkc.org>
+Link: https://patch.msgid.link/20260508164411.261440-2-sgarzare@redhat.com
+Acked-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Cc: Luigi Leonardi <leonardi@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/vmw_vsock/virtio_transport_common.c |   11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+--- a/net/vmw_vsock/virtio_transport_common.c
++++ b/net/vmw_vsock/virtio_transport_common.c
+@@ -169,12 +169,12 @@ static struct sk_buff *virtio_transport_
+       struct sk_buff *skb;
+       size_t payload_len;
+-      /* A packet could be split to fit the RX buffer, so we can retrieve
+-       * the payload length from the header and the buffer pointer taking
+-       * care of the offset in the original packet.
++      /* A packet could be split to fit the RX buffer, so we use
++       * the payload length from the header, which has been updated
++       * by the sender to reflect the fragment size.
+        */
+       pkt_hdr = virtio_vsock_hdr(pkt);
+-      payload_len = pkt->len;
++      payload_len = le32_to_cpu(pkt_hdr->len);
+       skb = alloc_skb(sizeof(*hdr) + sizeof(*pkt_hdr) + payload_len,
+                       GFP_ATOMIC);
+@@ -222,7 +222,8 @@ static struct sk_buff *virtio_transport_
+                       virtio_transport_copy_nonlinear_skb(pkt, data, payload_len);
+               } else {
+-                      skb_put_data(skb, pkt->data, payload_len);
++                      skb_put_data(skb, pkt->data + VIRTIO_VSOCK_SKB_CB(pkt)->offset,
++                                   payload_len);
+               }
+       }
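Review bot: `payload_len` is now the peer-supplied header length and feeds both the alloc_skb() size and the `skb_put_data(skb, pkt->data + VIRTIO_VSOCK_SKB_CB(pkt)->offset, payload_len)` copy at the bottom of the hunk, with no bound against what `pkt` actually holds; if an rx path ever admits an skb whose hdr->len exceeds `pkt->len - offset`, this reads past the linear data into the tap frame. The rx paths presumably validate hdr->len against the received buffer before the tap sees the packet, but that check is not visible here, and since the tap is a pure observer a local bound costs nothing: `payload_len = min_t(size_t, le32_to_cpu(pkt_hdr->len), pkt->len - VIRTIO_VSOCK_SKB_CB(pkt)->offset);`. This should still honour the fragment length on the split-packet send path described in the commit message, where hdr->len is expected to be at most the bytes remaining after offset. virtio_transport_build_skb starts and ends outside this hunk.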
diff --git a/queue-6.18/vsock-virtio-fix-potential-unbounded-skb-queue.patch b/queue-6.18/vsock-virtio-fix-potential-unbounded-skb-queue.patch
new file mode 100644 (file)
index 0000000..148df23
--- /dev/null
@@ -0,0 +1,56 @@
+From 059b7dbd20a6f0c539a45ddff1573cb8946685b5 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Thu, 30 Apr 2026 12:26:52 +0000
+Subject: vsock/virtio: fix potential unbounded skb queue
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Eric Dumazet <edumazet@google.com>
+
+commit 059b7dbd20a6f0c539a45ddff1573cb8946685b5 upstream.
+
+virtio_transport_inc_rx_pkt() checks vvs->rx_bytes + len > vvs->buf_alloc.
+
+virtio_transport_recv_enqueue() skips coalescing for packets
+with VIRTIO_VSOCK_SEQ_EOM.
+
+If fed with packets with len == 0 and VIRTIO_VSOCK_SEQ_EOM,
+a very large number of packets can be queued
+because vvs->rx_bytes stays at 0.
+
+Fix this by estimating the skb metadata size:
+
+       (Number of skbs in the queue) * SKB_TRUESIZE(0)
+
+Fixes: 077706165717 ("virtio/vsock: don't use skbuff state to account credit")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Arseniy Krasnov <AVKrasnov@sberdevices.ru>
+Cc: Stefan Hajnoczi <stefanha@redhat.com>
+Cc: Stefano Garzarella <sgarzare@redhat.com>
+Cc: "Michael S. Tsirkin" <mst@redhat.com>
+Cc: Jason Wang <jasowang@redhat.com>
+Cc: Xuan Zhuo <xuanzhuo@linux.alibaba.com>
+Cc: "Eugenio PĂ©rez" <eperezma@redhat.com>
+Cc: virtualization@lists.linux.dev
+Link: https://patch.msgid.link/20260430122653.554058-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Cc: Luigi Leonardi <leonardi@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/vmw_vsock/virtio_transport_common.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/net/vmw_vsock/virtio_transport_common.c
++++ b/net/vmw_vsock/virtio_transport_common.c
+@@ -429,7 +429,9 @@ static int virtio_transport_send_pkt_inf
+ static bool virtio_transport_inc_rx_pkt(struct virtio_vsock_sock *vvs,
+                                       u32 len)
+ {
+-      if (vvs->buf_used + len > vvs->buf_alloc)
++      u64 skb_overhead = (skb_queue_len(&vvs->rx_queue) + 1) * SKB_TRUESIZE(0);
++
++      if (skb_overhead + vvs->buf_used + len > vvs->buf_alloc)
+               return false;
+       vvs->rx_bytes += len;