From: Greg Kroah-Hartman
Date: Fri, 15 May 2026 15:15:11 +0000 (+0200)
Subject: 6.12-stable patches
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=17ec5ebc2f0653ae3fcac4f1b356bad98dfe922e;p=thirdparty%2Fkernel%2Fstable-queue.git
6.12-stable patches
added patches:
vsock-fix-buffer-size-clamping-order.patch
vsock-virtio-fix-accept-queue-count-leak-on-transport-mismatch.patch
vsock-virtio-fix-empty-payload-in-tap-skb-for-non-linear-buffers.patch
vsock-virtio-fix-length-and-offset-in-tap-skb-for-split-packets.patch
vsock-virtio-fix-potential-unbounded-skb-queue.patch
---
diff --git a/queue-6.12/series b/queue-6.12/series
index eee6494e01..bfaacbc85c 100644
--- a/queue-6.12/series
+++ b/queue-6.12/series
@@ -135,3 +135,8 @@ btrfs-fix-btrfs_ioctl_space_info-slot_count-toctou-which-can-lead-to-info-leak.p
 tracing-probes-limit-size-of-event-probe-to-3k.patch
 batman-adv-stop-tp_meter-sessions-during-mesh-teardown.patch
 batman-adv-tp_meter-fix-tp_num-leak-on-kmalloc-failure.patch
+vsock-fix-buffer-size-clamping-order.patch
+vsock-virtio-fix-length-and-offset-in-tap-skb-for-split-packets.patch
+vsock-virtio-fix-empty-payload-in-tap-skb-for-non-linear-buffers.patch
+vsock-virtio-fix-potential-unbounded-skb-queue.patch
+vsock-virtio-fix-accept-queue-count-leak-on-transport-mismatch.patch
diff --git a/queue-6.12/vsock-fix-buffer-size-clamping-order.patch b/queue-6.12/vsock-fix-buffer-size-clamping-order.patch
new file mode 100644
index 0000000000..5be40956d8
--- /dev/null
+++ b/queue-6.12/vsock-fix-buffer-size-clamping-order.patch
@@ -0,0 +1,50 @@
+From d114bfdc9b76bf93b881e195b7ec957c14227bab Mon Sep 17 00:00:00 2001
+From: Norbert Szetei
+Date: Thu, 9 Apr 2026 18:34:12 +0200
+Subject: vsock: fix buffer size clamping order
+
+From: Norbert Szetei
+
+commit d114bfdc9b76bf93b881e195b7ec957c14227bab upstream.
+
+In vsock_update_buffer_size(), the buffer size was being clamped to the
+maximum first, and then to the minimum. If a user sets a minimum buffer
+size larger than the maximum, the minimum check overrides the maximum
+check, inverting the constraint.
+
+This breaks the intended socket memory boundaries by allowing the
+vsk->buffer_size to grow beyond the configured vsk->buffer_max_size.
+
+Fix this by checking the minimum first, and then the maximum. This
+ensures the buffer size never exceeds the buffer_max_size.
+
+Fixes: b9f2b0ffde0c ("vsock: handle buffer_size sockopts in the core")
+Suggested-by: Stefano Garzarella
+Signed-off-by: Norbert Szetei
+Reviewed-by: Stefano Garzarella
+Link: https://patch.msgid.link/180118C5-8BCF-4A63-A305-4EE53A34AB9C@doyensec.com
+Signed-off-by: Jakub Kicinski
+Cc: Luigi Leonardi
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/vmw_vsock/af_vsock.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/net/vmw_vsock/af_vsock.c
++++ b/net/vmw_vsock/af_vsock.c
+@@ -1801,12 +1801,12 @@ static void vsock_update_buffer_size(str
+ const struct vsock_transport *transport,
+ u64 val)
+ {
+- if (val > vsk->buffer_max_size)
+- val = vsk->buffer_max_size;
+-
+ if (val < vsk->buffer_min_size)
+ val = vsk->buffer_min_size;
+ 
++ if (val > vsk->buffer_max_size)
++ val = vsk->buffer_max_size;
++
+ if (val != vsk->buffer_size &&
+ transport && transport->notify_buffer_size)
+ transport->notify_buffer_size(vsk, &val);
diff --git a/queue-6.12/vsock-virtio-fix-accept-queue-count-leak-on-transport-mismatch.patch b/queue-6.12/vsock-virtio-fix-accept-queue-count-leak-on-transport-mismatch.patch
new file mode 100644
index 0000000000..565b2f4726
--- /dev/null
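Review bot: The reordered clamps in vsock_update_buffer_size() now let buffer_max_size win silently whenever a caller has set buffer_min_size above it, and nothing in the hunk records that precedence for the next reader. A one-line comment above the first check, `/* Clamp to the minimum first so that buffer_max_size is the binding limit when the two bounds conflict. */`, would put the invariant the commit message describes next to the code that enforces it. The function's signature line and its tail after the notify_buffer_size() call lie outside the hunk.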
+++ b/queue-6.12/vsock-virtio-fix-accept-queue-count-leak-on-transport-mismatch.patch
@@ -0,0 +1,54 @@
+From 52bcb57a4e8a0865a76c587c2451906342ae1b2d Mon Sep 17 00:00:00 2001
+From: Dudu Lu
+Date: Mon, 13 Apr 2026 21:14:09 +0800
+Subject: vsock/virtio: fix accept queue count leak on transport mismatch
+
+From: Dudu Lu
+
+commit 52bcb57a4e8a0865a76c587c2451906342ae1b2d upstream.
+
+virtio_transport_recv_listen() calls sk_acceptq_added() before
+vsock_assign_transport(). If vsock_assign_transport() fails or
+selects a different transport, the error path returns without
+calling sk_acceptq_removed(), permanently incrementing
+sk_ack_backlog.
+
+After approximately backlog+1 such failures, sk_acceptq_is_full()
+returns true, causing the listener to reject all new connections.
+
+Fix by moving sk_acceptq_added() to after the transport validation,
+matching the pattern used by vmci_transport and hyperv_transport.
+
+Fixes: c0cfa2d8a788 ("vsock: add multi-transports support")
+Signed-off-by: Dudu Lu
+Reviewed-by: Bobby Eshleman
+Reviewed-by: Luigi Leonardi
+Reviewed-by: Stefano Garzarella
+Acked-by: Michael S. Tsirkin
+Link: https://patch.msgid.link/20260413131409.19022-1-phx0fer@gmail.com
+Signed-off-by: Paolo Abeni
+Cc: Luigi Leonardi
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/vmw_vsock/virtio_transport_common.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/net/vmw_vsock/virtio_transport_common.c
++++ b/net/vmw_vsock/virtio_transport_common.c
+@@ -1548,8 +1548,6 @@ virtio_transport_recv_listen(struct sock
+ return -ENOMEM;
+ }
+ 
+- sk_acceptq_added(sk);
+-
+ lock_sock_nested(child, SINGLE_DEPTH_NESTING);
+ 
+ child->sk_state = TCP_ESTABLISHED;
+@@ -1571,6 +1569,7 @@ virtio_transport_recv_listen(struct sock
+ return ret;
+ }
+ 
++ sk_acceptq_added(sk);
+ if (virtio_transport_space_update(child, skb))
+ child->sk_write_space(child);
+ 
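Review bot: sk_acceptq_added(sk) now sits immediately before the virtio_transport_space_update() call, so any return between that point and the place where the child is queued on the listener must be paired with sk_acceptq_removed(sk); the remainder of virtio_transport_recv_listen() is outside the hunk, so that pairing cannot be confirmed here and is worth checking on the 6.12 branch, whose tail may differ from upstream. A short comment at the new site, `/* From here on the child is counted against the listener's backlog. */`, would make the accounting boundary explicit for the next change to this function. The blank line that used to follow the call was dropped; restoring it keeps the block consistent with the surrounding spacing.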
diff --git a/queue-6.12/vsock-virtio-fix-empty-payload-in-tap-skb-for-non-linear-buffers.patch b/queue-6.12/vsock-virtio-fix-empty-payload-in-tap-skb-for-non-linear-buffers.patch
new file mode 100644
index 0000000000..44309657a9
--- /dev/null
+++ b/queue-6.12/vsock-virtio-fix-empty-payload-in-tap-skb-for-non-linear-buffers.patch
@@ -0,0 +1,96 @@
+From 3a3e3d90cbc79600544536723911657730759af3 Mon Sep 17 00:00:00 2001
+From: Stefano Garzarella
+Date: Fri, 8 May 2026 18:44:11 +0200
+Subject: vsock/virtio: fix empty payload in tap skb for non-linear buffers
+
+From: Stefano Garzarella
+
+commit 3a3e3d90cbc79600544536723911657730759af3 upstream.
+
+For non-linear skbs, virtio_transport_build_skb() goes through
+virtio_transport_copy_nonlinear_skb() to copy the original payload
+in the new skb to be delivered to the vsockmon tap device.
+This manually initializes an iov_iter but does not set iov_iter.count.
+Since the iov_iter is zero-initialized, the copy length is zero and no
+payload is actually copied to the monitor interface, leaving data
+un-initialized.
+
+Fix this by removing the linear vs non-linear split and using
+skb_copy_datagram_iter() with iov_iter_kvec() for all cases, as
+vhost-vsock already does. This handles both linear and non-linear skbs,
+properly initializes the iov_iter, and removes the now unused
+virtio_transport_copy_nonlinear_skb().
+
+While touching this code, let's also check the return value of
+skb_copy_datagram_iter(), even though it's unlikely to fail.
+
+Fixes: 4b0bf10eb077 ("vsock/virtio: non-linear skb handling for tap")
+Reported-by: Yiqi Sun
+Signed-off-by: Stefano Garzarella
+Reviewed-by: Bobby Eshleman
+Reviewed-by: Arseniy Krasnov
+Link: https://patch.msgid.link/20260508164411.261440-3-sgarzare@redhat.com
+Acked-by: Michael S. Tsirkin
+Signed-off-by: Paolo Abeni
+Cc: Luigi Leonardi
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/vmw_vsock/virtio_transport_common.c | 40 +++++++++-----------------------
+ 1 file changed, 12 insertions(+), 28 deletions(-)
+
+--- a/net/vmw_vsock/virtio_transport_common.c
++++ b/net/vmw_vsock/virtio_transport_common.c
+@@ -140,27 +140,6 @@ static void virtio_transport_init_hdr(st
+ hdr->fwd_cnt = cpu_to_le32(0);
+ }
+ 
+-static void virtio_transport_copy_nonlinear_skb(const struct sk_buff *skb,
+- void *dst,
+- size_t len)
+-{
+- struct iov_iter iov_iter = { 0 };
+- struct kvec kvec;
+- size_t to_copy;
+-
+- kvec.iov_base = dst;
+- kvec.iov_len = len;
+-
+- iov_iter.iter_type = ITER_KVEC;
+- iov_iter.kvec = &kvec;
+- iov_iter.nr_segs = 1;
+-
+- to_copy = min_t(size_t, len, skb->len);
+-
+- skb_copy_datagram_iter(skb, VIRTIO_VSOCK_SKB_CB(skb)->offset,
+- &iov_iter, to_copy);
+-}
+-
+ /* Packet capture */
+ static struct sk_buff *virtio_transport_build_skb(void *opaque)
+ {
+@@ -218,13 +197,18 @@ static struct sk_buff *virtio_transport_
+ skb_put_data(skb, pkt_hdr, sizeof(*pkt_hdr));
+ 
+ if (payload_len) {
+- if (skb_is_nonlinear(pkt)) {
+- void *data = skb_put(skb, payload_len);
+-
+- virtio_transport_copy_nonlinear_skb(pkt, data, payload_len);
+- } else {
+- skb_put_data(skb, pkt->data + VIRTIO_VSOCK_SKB_CB(pkt)->offset,
+- payload_len);
++ struct iov_iter iov_iter;
++ struct kvec kvec;
++ void *data = skb_put(skb, payload_len);
++
++ kvec.iov_base = data;
++ kvec.iov_len = payload_len;
++ iov_iter_kvec(&iov_iter, ITER_DEST, &kvec, 1, payload_len);
++
++ if (skb_copy_datagram_iter(pkt, VIRTIO_VSOCK_SKB_CB(pkt)->offset,
++ &iov_iter, payload_len)) {
++ kfree_skb(skb);
++ return NULL;
+ }
+ }
+ 
diff --git a/queue-6.12/vsock-virtio-fix-length-and-offset-in-tap-skb-for-split-packets.patch b/queue-6.12/vsock-virtio-fix-length-and-offset-in-tap-skb-for-split-packets.patch
new file mode 100644
index 0000000000..b233b2296b
--- /dev/null
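Review bot: The new error branch frees the tap skb when skb_copy_datagram_iter() cannot copy payload_len bytes starting at VIRTIO_VSOCK_SKB_CB(pkt)->offset, but the hunk does not say why that can happen, and since payload_len is taken from the packet header by the companion split-packets patch in this queue rather than from pkt->len, the failure case is presumably a header length larger than the bytes left in pkt after the offset. A comment before the kfree_skb(), `/* Header length exceeds the data available from offset: drop the capture rather than emit a short one. */`, records that this check now stands in for the min_t() clamp the removed helper applied. Returning NULL silently loses the capture for that packet, which is acceptable for a monitor path but worth a rate-limited warning if it is meant to be diagnosable. virtio_transport_build_skb() begins and ends outside the hunk.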
+++ b/queue-6.12/vsock-virtio-fix-length-and-offset-in-tap-skb-for-split-packets.patch 
@@ -0,0 +1,65 @@
+From 5f344d809e015fba3709e5219428c00b8ac5d7df Mon Sep 17 00:00:00 2001
+From: Stefano Garzarella
+Date: Fri, 8 May 2026 18:44:10 +0200
+Subject: vsock/virtio: fix length and offset in tap skb for split packets
+
+From: Stefano Garzarella
+
+commit 5f344d809e015fba3709e5219428c00b8ac5d7df upstream.
+
+virtio_transport_build_skb() builds a new skb to be delivered to the
+vsockmon tap device. To build the new skb, it uses the original skb
+data length as payload length, but as the comment notes, the original
+packet stored in the skb may have been split in multiple packets, so we
+need to use the length in the header, which is correctly updated before
+the packet is delivered to the tap, and the offset for the data.
+
+This was also similar to what we did before commit 71dc9ec9ac7d
+("virtio/vsock: replace virtio_vsock_pkt with sk_buff") where we probably
+missed something during the skb conversion.
+
+Also update the comment above, which was left stale by the skb
+conversion and still mentioned a buffer pointer that no longer exists.
+
+Fixes: 71dc9ec9ac7d ("virtio/vsock: replace virtio_vsock_pkt with sk_buff")
+Signed-off-by: Stefano Garzarella
+Reviewed-by: Bobby Eshleman
+Reviewed-by: Arseniy Krasnov
+Link: https://patch.msgid.link/20260508164411.261440-2-sgarzare@redhat.com
+Acked-by: Michael S. Tsirkin
+Signed-off-by: Paolo Abeni
+Cc: Luigi Leonardi
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/vmw_vsock/virtio_transport_common.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+--- a/net/vmw_vsock/virtio_transport_common.c
++++ b/net/vmw_vsock/virtio_transport_common.c
+@@ -170,12 +170,12 @@ static struct sk_buff *virtio_transport_
+ struct sk_buff *skb;
+ size_t payload_len;
+ 
+- /* A packet could be split to fit the RX buffer, so we can retrieve
+- * the payload length from the header and the buffer pointer taking
+- * care of the offset in the original packet.
++ /* A packet could be split to fit the RX buffer, so we use
++ * the payload length from the header, which has been updated
++ * by the sender to reflect the fragment size.
+ */
+ pkt_hdr = virtio_vsock_hdr(pkt);
+- payload_len = pkt->len;
++ payload_len = le32_to_cpu(pkt_hdr->len);
+ 
+ skb = alloc_skb(sizeof(*hdr) + sizeof(*pkt_hdr) + payload_len,
+ GFP_ATOMIC);
+@@ -223,7 +223,8 @@ static struct sk_buff *virtio_transport_
+ 
+ virtio_transport_copy_nonlinear_skb(pkt, data, payload_len);
+ } else {
+- skb_put_data(skb, pkt->data, payload_len);
++ skb_put_data(skb, pkt->data + VIRTIO_VSOCK_SKB_CB(pkt)->offset,
++ payload_len);
+ }
+ }
+ 
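Review bot: payload_len now comes from le32_to_cpu(pkt_hdr->len) and is used both as the alloc_skb() size and as the skb_put_data() length copied from pkt->data + VIRTIO_VSOCK_SKB_CB(pkt)->offset, so the linear branch reads past the available data unless hdr->len is guaranteed to stay within the bytes remaining after the offset; the hunk does not show where that relation is enforced. Within this queue the next patch replaces that skb_put_data() with a bounded skb_copy_datagram_iter() whose result is checked, so the gap is closed once both are applied, but the rewritten comment should still name where hdr->len is kept within the data left after ->offset, since that is what makes the header-derived length safe to trust here. virtio_transport_build_skb() begins and ends outside the hunk.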
@@ -0,0 +1,56 @@
+From 059b7dbd20a6f0c539a45ddff1573cb8946685b5 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet
+Date: Thu, 30 Apr 2026 12:26:52 +0000
+Subject: vsock/virtio: fix potential unbounded skb queue
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Eric Dumazet
+
+commit 059b7dbd20a6f0c539a45ddff1573cb8946685b5 upstream.
+
+virtio_transport_inc_rx_pkt() checks vvs->rx_bytes + len > vvs->buf_alloc.
+
+virtio_transport_recv_enqueue() skips coalescing for packets
+with VIRTIO_VSOCK_SEQ_EOM.
+
+If fed with packets with len == 0 and VIRTIO_VSOCK_SEQ_EOM,
+a very large number of packets can be queued
+because vvs->rx_bytes stays at 0.
+
+Fix this by estimating the skb metadata size:
+
+ (Number of skbs in the queue) * SKB_TRUESIZE(0)
+
+Fixes: 077706165717 ("virtio/vsock: don't use skbuff state to account credit")
+Signed-off-by: Eric Dumazet
+Cc: Arseniy Krasnov
+Cc: Stefan Hajnoczi
+Cc: Stefano Garzarella
+Cc: "Michael S. Tsirkin"
+Cc: Jason Wang
+Cc: Xuan Zhuo
+Cc: "Eugenio Pérez"
+Cc: virtualization@lists.linux.dev
+Link: https://patch.msgid.link/20260430122653.554058-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski
+Cc: Luigi Leonardi
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/vmw_vsock/virtio_transport_common.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/net/vmw_vsock/virtio_transport_common.c
++++ b/net/vmw_vsock/virtio_transport_common.c
+@@ -430,7 +430,9 @@ static int virtio_transport_send_pkt_inf
+ static bool virtio_transport_inc_rx_pkt(struct virtio_vsock_sock *vvs,
+ u32 len)
+ {
+- if (vvs->buf_used + len > vvs->buf_alloc)
++ u64 skb_overhead = (skb_queue_len(&vvs->rx_queue) + 1) * SKB_TRUESIZE(0);
++
++ if (skb_overhead + vvs->buf_used + len > vvs->buf_alloc)
+ return false;
+ 
+ vvs->rx_bytes += len;
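Review bot: The new skb_overhead line carries no comment, so a reader of virtio_transport_inc_rx_pkt() cannot tell why queue length now enters a byte-credit check; the rationale in the commit message belongs next to the code, e.g. `/* Charge per-skb metadata too: zero-length EOM packets bypass coalescing and would otherwise grow rx_queue without bound. */`. The u64 on skb_overhead only widens the result after the product is formed, and the product's width is whatever SKB_TRUESIZE(0) expands to, so writing `(u64)(skb_queue_len(&vvs->rx_queue) + 1) * SKB_TRUESIZE(0)` makes the intended width independent of the macro and of 32-bit builds. The function's tail after `vvs->rx_bytes += len;` is outside the hunk.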