--- /dev/null
+From stable+bounces-211683-greg=kroah.com@vger.kernel.org Mon Jan 26 21:18:45 2026
+From: Heitor Alves de Siqueira <halves@igalia.com>
+Date: Mon, 26 Jan 2026 17:16:58 -0300
+Subject: net: Introduce skb_copy_datagram_from_iter_full()
+To: stable@vger.kernel.org, "Stefan Hajnoczi" <stefanha@redhat.com>, "Stefano Garzarella" <sgarzare@redhat.com>, "Michael S. Tsirkin" <mst@redhat.com>, "Jason Wang" <jasowang@redhat.com>, "Eugenio Pérez" <eperezma@redhat.com>, "Xuan Zhuo" <xuanzhuo@linux.alibaba.com>, "David S. Miller" <davem@davemloft.net>, "Eric Dumazet" <edumazet@google.com>, "Jakub Kicinski" <kuba@kernel.org>, "Paolo Abeni" <pabeni@redhat.com>, "Simon Horman" <horms@kernel.org>, "Will Deacon" <will@kernel.org>
+Cc: kernel-dev@igalia.com, Heitor Alves de Siqueira <halves@igalia.com>, Christian Brauner <brauner@kernel.org>, Alexander Viro <viro@zeniv.linux.org.uk>
+Message-ID: <20260126-backport-vsock-nonlinear-skb-6-12-v1-7-ad5c34853a60@igalia.com>
+
+From: Will Deacon <will@kernel.org>
+
+[Upstream commit b08a784a5d1495c42ff9b0c70887d49211cddfe0]
+
+In a similar manner to copy_from_iter()/copy_from_iter_full(), introduce
+skb_copy_datagram_from_iter_full() which reverts the iterator to its
+initial state when returning an error.
+
+A subsequent fix for a vsock regression will make use of this new
+function.
+
+Cc: Christian Brauner <brauner@kernel.org>
+Cc: Alexander Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Will Deacon <will@kernel.org>
+Acked-by: Michael S. Tsirkin <mst@redhat.com>
+Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
+Link: https://patch.msgid.link/20250818180355.29275-2-will@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Heitor Alves de Siqueira <halves@igalia.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/skbuff.h | 2 ++
+ net/core/datagram.c | 14 ++++++++++++++
+ 2 files changed, 16 insertions(+)
+
+--- a/include/linux/skbuff.h
++++ b/include/linux/skbuff.h
+@@ -4117,6 +4117,8 @@ int skb_copy_and_hash_datagram_iter(cons
+ struct ahash_request *hash);
+ int skb_copy_datagram_from_iter(struct sk_buff *skb, int offset,
+ struct iov_iter *from, int len);
++int skb_copy_datagram_from_iter_full(struct sk_buff *skb, int offset,
++ struct iov_iter *from, int len);
+ int zerocopy_sg_from_iter(struct sk_buff *skb, struct iov_iter *frm);
+ void skb_free_datagram(struct sock *sk, struct sk_buff *skb);
+ int skb_kill_datagram(struct sock *sk, struct sk_buff *skb, unsigned int flags);
+--- a/net/core/datagram.c
++++ b/net/core/datagram.c
+@@ -621,6 +621,20 @@ fault:
+ }
+ EXPORT_SYMBOL(skb_copy_datagram_from_iter);
+
++int skb_copy_datagram_from_iter_full(struct sk_buff *skb, int offset,
++ struct iov_iter *from, int len)
++{
++ struct iov_iter_state state;
++ int ret;
++
++ iov_iter_save_state(from, &state);
++ ret = skb_copy_datagram_from_iter(skb, offset, from, len);
++ if (ret)
++ iov_iter_restore(from, &state);
++ return ret;
++}
++EXPORT_SYMBOL(skb_copy_datagram_from_iter_full);
++
+ int zerocopy_fill_skb_from_iter(struct sk_buff *skb,
+ struct iov_iter *from, size_t length)
+ {
accel-ivpu-fix-race-condition-when-unbinding-bos.patch
btrfs-fix-racy-bitfield-write-in-btrfs_clear_space_info_full.patch
wifi-ath11k-fix-rcu-stall-while-reaping-monitor-destination-ring.patch
+vsock-virtio-move-length-check-to-callers-of-virtio_vsock_skb_rx_put.patch
+vsock-virtio-rename-virtio_vsock_alloc_skb.patch
+vsock-virtio-move-skb-allocation-lower-bound-check-to-callers.patch
+vsock-virtio-rename-virtio_vsock_skb_rx_put.patch
+vhost-vsock-allocate-nonlinear-skbs-for-handling-large-receive-buffers.patch
+vsock-virtio-allocate-nonlinear-skbs-for-handling-large-transmit-buffers.patch
+net-introduce-skb_copy_datagram_from_iter_full.patch
+vsock-virtio-fix-message-iterator-handling-on-transmit-path.patch
--- /dev/null
+From stable+bounces-211682-greg=kroah.com@vger.kernel.org Mon Jan 26 21:18:48 2026
+From: Heitor Alves de Siqueira <halves@igalia.com>
+Date: Mon, 26 Jan 2026 17:16:56 -0300
+Subject: vhost/vsock: Allocate nonlinear SKBs for handling large receive buffers
+To: stable@vger.kernel.org, "Stefan Hajnoczi" <stefanha@redhat.com>, "Stefano Garzarella" <sgarzare@redhat.com>, "Michael S. Tsirkin" <mst@redhat.com>, "Jason Wang" <jasowang@redhat.com>, "Eugenio Pérez" <eperezma@redhat.com>, "Xuan Zhuo" <xuanzhuo@linux.alibaba.com>, "David S. Miller" <davem@davemloft.net>, "Eric Dumazet" <edumazet@google.com>, "Jakub Kicinski" <kuba@kernel.org>, "Paolo Abeni" <pabeni@redhat.com>, "Simon Horman" <horms@kernel.org>, "Will Deacon" <will@kernel.org>
+Cc: kernel-dev@igalia.com, Heitor Alves de Siqueira <halves@igalia.com>
+Message-ID: <20260126-backport-vsock-nonlinear-skb-6-12-v1-5-ad5c34853a60@igalia.com>
+
+From: Will Deacon <will@kernel.org>
+
+[Upstream commit ab9aa2f3afc2713c14f6c4c6b90c9a0933b837f1]
+
+When receiving a packet from a guest, vhost_vsock_handle_tx_kick()
+calls vhost_vsock_alloc_linear_skb() to allocate and fill an SKB with
+the receive data. Unfortunately, these are always linear allocations and
+can therefore result in significant pressure on kmalloc() considering
+that the maximum packet size (VIRTIO_VSOCK_MAX_PKT_BUF_SIZE +
+VIRTIO_VSOCK_SKB_HEADROOM) is a little over 64KiB, resulting in a 128KiB
+allocation for each packet.
+
+Rework the vsock SKB allocation so that, for sizes with page order
+greater than PAGE_ALLOC_COSTLY_ORDER, a nonlinear SKB is allocated
+instead with the packet header in the SKB and the receive data in the
+fragments. Finally, add a debug warning if virtio_vsock_skb_rx_put() is
+ever called on an SKB with a non-zero length, as this would be
+destructive for the nonlinear case.
+
+Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
+Signed-off-by: Will Deacon <will@kernel.org>
+Message-Id: <20250717090116.11987-8-will@kernel.org>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Heitor Alves de Siqueira <halves@igalia.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/vhost/vsock.c | 8 +++-----
+ include/linux/virtio_vsock.h | 32 +++++++++++++++++++++++++++++---
+ 2 files changed, 32 insertions(+), 8 deletions(-)
+
+--- a/drivers/vhost/vsock.c
++++ b/drivers/vhost/vsock.c
+@@ -350,7 +350,7 @@ vhost_vsock_alloc_skb(struct vhost_virtq
+ return NULL;
+
+ /* len contains both payload and hdr */
+- skb = virtio_vsock_alloc_linear_skb(len, GFP_KERNEL);
++ skb = virtio_vsock_alloc_skb(len, GFP_KERNEL);
+ if (!skb)
+ return NULL;
+
+@@ -379,10 +379,8 @@ vhost_vsock_alloc_skb(struct vhost_virtq
+
+ virtio_vsock_skb_put(skb, payload_len);
+
+- nbytes = copy_from_iter(skb->data, payload_len, &iov_iter);
+- if (nbytes != payload_len) {
+- vq_err(vq, "Expected %zu byte payload, got %zu bytes\n",
+- payload_len, nbytes);
++ if (skb_copy_datagram_from_iter(skb, 0, &iov_iter, payload_len)) {
++ vq_err(vq, "Failed to copy %zu byte payload\n", payload_len);
+ kfree_skb(skb);
+ return NULL;
+ }
+--- a/include/linux/virtio_vsock.h
++++ b/include/linux/virtio_vsock.h
+@@ -49,22 +49,48 @@ static inline void virtio_vsock_skb_clea
+
+ static inline void virtio_vsock_skb_put(struct sk_buff *skb, u32 len)
+ {
+- skb_put(skb, len);
++ DEBUG_NET_WARN_ON_ONCE(skb->len);
++
++ if (skb_is_nonlinear(skb))
++ skb->len = len;
++ else
++ skb_put(skb, len);
+ }
+
+ static inline struct sk_buff *
+-virtio_vsock_alloc_linear_skb(unsigned int size, gfp_t mask)
++__virtio_vsock_alloc_skb_with_frags(unsigned int header_len,
++ unsigned int data_len,
++ gfp_t mask)
+ {
+ struct sk_buff *skb;
++ int err;
+
+- skb = alloc_skb(size, mask);
++ skb = alloc_skb_with_frags(header_len, data_len,
++ PAGE_ALLOC_COSTLY_ORDER, &err, mask);
+ if (!skb)
+ return NULL;
+
+ skb_reserve(skb, VIRTIO_VSOCK_SKB_HEADROOM);
++ skb->data_len = data_len;
+ return skb;
+ }
+
++static inline struct sk_buff *
++virtio_vsock_alloc_linear_skb(unsigned int size, gfp_t mask)
++{
++ return __virtio_vsock_alloc_skb_with_frags(size, 0, mask);
++}
++
++static inline struct sk_buff *virtio_vsock_alloc_skb(unsigned int size, gfp_t mask)
++{
++ if (size <= SKB_WITH_OVERHEAD(PAGE_SIZE << PAGE_ALLOC_COSTLY_ORDER))
++ return virtio_vsock_alloc_linear_skb(size, mask);
++
++ size -= VIRTIO_VSOCK_SKB_HEADROOM;
++ return __virtio_vsock_alloc_skb_with_frags(VIRTIO_VSOCK_SKB_HEADROOM,
++ size, mask);
++}
++
+ static inline void
+ virtio_vsock_skb_queue_head(struct sk_buff_head *list, struct sk_buff *skb)
+ {
--- /dev/null
+From stable+bounces-211684-greg=kroah.com@vger.kernel.org Mon Jan 26 21:19:13 2026
+From: Heitor Alves de Siqueira <halves@igalia.com>
+Date: Mon, 26 Jan 2026 17:16:57 -0300
+Subject: vsock/virtio: Allocate nonlinear SKBs for handling large transmit buffers
+To: stable@vger.kernel.org, "Stefan Hajnoczi" <stefanha@redhat.com>, "Stefano Garzarella" <sgarzare@redhat.com>, "Michael S. Tsirkin" <mst@redhat.com>, "Jason Wang" <jasowang@redhat.com>, "Eugenio Pérez" <eperezma@redhat.com>, "Xuan Zhuo" <xuanzhuo@linux.alibaba.com>, "David S. Miller" <davem@davemloft.net>, "Eric Dumazet" <edumazet@google.com>, "Jakub Kicinski" <kuba@kernel.org>, "Paolo Abeni" <pabeni@redhat.com>, "Simon Horman" <horms@kernel.org>, "Will Deacon" <will@kernel.org>
+Cc: kernel-dev@igalia.com, Heitor Alves de Siqueira <halves@igalia.com>
+Message-ID: <20260126-backport-vsock-nonlinear-skb-6-12-v1-6-ad5c34853a60@igalia.com>
+
+From: Will Deacon <will@kernel.org>
+
+[Upstream commit 6693731487a8145a9b039bc983d77edc47693855]
+
+When transmitting a vsock packet, virtio_transport_send_pkt_info() calls
+virtio_transport_alloc_linear_skb() to allocate and fill SKBs with the
+transmit data. Unfortunately, these are always linear allocations and
+can therefore result in significant pressure on kmalloc() considering
+that the maximum packet size (VIRTIO_VSOCK_MAX_PKT_BUF_SIZE +
+VIRTIO_VSOCK_SKB_HEADROOM) is a little over 64KiB, resulting in a 128KiB
+allocation for each packet.
+
+Rework the vsock SKB allocation so that, for sizes with page order
+greater than PAGE_ALLOC_COSTLY_ORDER, a nonlinear SKB is allocated
+instead with the packet header in the SKB and the transmit data in the
+fragments. Note that this affects both the vhost and virtio transports.
+
+Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
+Signed-off-by: Will Deacon <will@kernel.org>
+Message-Id: <20250717090116.11987-10-will@kernel.org>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Heitor Alves de Siqueira <halves@igalia.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/vmw_vsock/virtio_transport_common.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/net/vmw_vsock/virtio_transport_common.c
++++ b/net/vmw_vsock/virtio_transport_common.c
+@@ -111,7 +111,8 @@ static int virtio_transport_fill_skb(str
+ &info->msg->msg_iter,
+ len);
+
+- return memcpy_from_msg(skb_put(skb, len), info->msg, len);
++ virtio_vsock_skb_put(skb, len);
++ return skb_copy_datagram_from_iter(skb, 0, &info->msg->msg_iter, len);
+ }
+
+ static void virtio_transport_init_hdr(struct sk_buff *skb,
+@@ -263,7 +264,7 @@ static struct sk_buff *virtio_transport_
+ if (!zcopy)
+ skb_len += payload_len;
+
+- skb = virtio_vsock_alloc_linear_skb(skb_len, GFP_KERNEL);
++ skb = virtio_vsock_alloc_skb(skb_len, GFP_KERNEL);
+ if (!skb)
+ return NULL;
+
--- /dev/null
+From stable+bounces-211685-greg=kroah.com@vger.kernel.org Mon Jan 26 21:18:55 2026
+From: Heitor Alves de Siqueira <halves@igalia.com>
+Date: Mon, 26 Jan 2026 17:16:59 -0300
+Subject: vsock/virtio: Fix message iterator handling on transmit path
+To: stable@vger.kernel.org, "Stefan Hajnoczi" <stefanha@redhat.com>, "Stefano Garzarella" <sgarzare@redhat.com>, "Michael S. Tsirkin" <mst@redhat.com>, "Jason Wang" <jasowang@redhat.com>, "Eugenio Pérez" <eperezma@redhat.com>, "Xuan Zhuo" <xuanzhuo@linux.alibaba.com>, "David S. Miller" <davem@davemloft.net>, "Eric Dumazet" <edumazet@google.com>, "Jakub Kicinski" <kuba@kernel.org>, "Paolo Abeni" <pabeni@redhat.com>, "Simon Horman" <horms@kernel.org>, "Will Deacon" <will@kernel.org>
+Cc: kernel-dev@igalia.com, Heitor Alves de Siqueira <halves@igalia.com>, syzbot+b4d960daf7a3c7c2b7b1@syzkaller.appspotmail.com
+Message-ID: <20260126-backport-vsock-nonlinear-skb-6-12-v1-8-ad5c34853a60@igalia.com>
+
+From: Will Deacon <will@kernel.org>
+
+[Upstream commit 7fb1291257ea1e27dbc3f34c6a37b4d640aafdd7]
+
+Commit 6693731487a8 ("vsock/virtio: Allocate nonlinear SKBs for handling
+large transmit buffers") converted the virtio vsock transmit path to
+utilise nonlinear SKBs when handling large buffers. As part of this
+change, virtio_transport_fill_skb() was updated to call
+skb_copy_datagram_from_iter() instead of memcpy_from_msg() as the latter
+expects a single destination buffer and cannot handle nonlinear SKBs
+correctly.
+
+Unfortunately, during this conversion, I overlooked the error case when
+the copying function returns -EFAULT due to a fault on the input buffer
+in userspace. In this case, memcpy_from_msg() reverts the iterator to
+its initial state thanks to copy_from_iter_full() whereas
+skb_copy_datagram_from_iter() leaves the iterator partially advanced.
+This results in a WARN_ONCE() from the vsock code, which expects the
+iterator to stay in sync with the number of bytes transmitted so that
+virtio_transport_send_pkt_info() can return -EFAULT when it is called
+again:
+
+ ------------[ cut here ]------------
+ 'send_pkt()' returns 0, but 65536 expected
+ WARNING: CPU: 0 PID: 5503 at net/vmw_vsock/virtio_transport_common.c:428 virtio_transport_send_pkt_info+0xd11/0xf00 net/vmw_vsock/virtio_transport_common.c:426
+ Modules linked in:
+ CPU: 0 UID: 0 PID: 5503 Comm: syz.0.17 Not tainted 6.16.0-syzkaller-12063-g37816488247d #0 PREEMPT(full)
+ Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
+
+Call virtio_transport_fill_skb_full() to restore the previous iterator
+behaviour.
+
+Cc: Jason Wang <jasowang@redhat.com>
+Cc: Stefano Garzarella <sgarzare@redhat.com>
+Fixes: 6693731487a8 ("vsock/virtio: Allocate nonlinear SKBs for handling large transmit buffers")
+Reported-by: syzbot+b4d960daf7a3c7c2b7b1@syzkaller.appspotmail.com
+Signed-off-by: Will Deacon <will@kernel.org>
+Acked-by: Michael S. Tsirkin <mst@redhat.com>
+Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
+Link: https://patch.msgid.link/20250818180355.29275-3-will@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+[halves: adjust __zerocopy_sg_from_iter() parameters]
+Signed-off-by: Heitor Alves de Siqueira <halves@igalia.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/vmw_vsock/virtio_transport_common.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/net/vmw_vsock/virtio_transport_common.c
++++ b/net/vmw_vsock/virtio_transport_common.c
+@@ -106,13 +106,15 @@ static int virtio_transport_fill_skb(str
+ size_t len,
+ bool zcopy)
+ {
++ struct msghdr *msg = info->msg;
++
+ if (zcopy)
+- return __zerocopy_sg_from_iter(info->msg, NULL, skb,
+- &info->msg->msg_iter,
++ return __zerocopy_sg_from_iter(msg, NULL, skb,
++ &msg->msg_iter,
+ len);
+
+ virtio_vsock_skb_put(skb, len);
+- return skb_copy_datagram_from_iter(skb, 0, &info->msg->msg_iter, len);
++ return skb_copy_datagram_from_iter_full(skb, 0, &msg->msg_iter, len);
+ }
+
+ static void virtio_transport_init_hdr(struct sk_buff *skb,
--- /dev/null
+From stable+bounces-211680-greg=kroah.com@vger.kernel.org Mon Jan 26 21:18:33 2026
+From: Heitor Alves de Siqueira <halves@igalia.com>
+Date: Mon, 26 Jan 2026 17:16:52 -0300
+Subject: vsock/virtio: Move length check to callers of virtio_vsock_skb_rx_put()
+To: stable@vger.kernel.org, "Stefan Hajnoczi" <stefanha@redhat.com>, "Stefano Garzarella" <sgarzare@redhat.com>, "Michael S. Tsirkin" <mst@redhat.com>, "Jason Wang" <jasowang@redhat.com>, "Eugenio Pérez" <eperezma@redhat.com>, "Xuan Zhuo" <xuanzhuo@linux.alibaba.com>, "David S. Miller" <davem@davemloft.net>, "Eric Dumazet" <edumazet@google.com>, "Jakub Kicinski" <kuba@kernel.org>, "Paolo Abeni" <pabeni@redhat.com>, "Simon Horman" <horms@kernel.org>, "Will Deacon" <will@kernel.org>
+Cc: kernel-dev@igalia.com, Heitor Alves de Siqueira <halves@igalia.com>
+Message-ID: <20260126-backport-vsock-nonlinear-skb-6-12-v1-1-ad5c34853a60@igalia.com>
+
+From: Will Deacon <will@kernel.org>
+
+[Upstream commit 87dbae5e36613a6020f3d64a2eaeac0a1e0e6dc6]
+
+virtio_vsock_skb_rx_put() only calls skb_put() if the length in the
+packet header is not zero even though skb_put() handles this case
+gracefully.
+
+Remove the functionally redundant check from virtio_vsock_skb_rx_put()
+and, on the assumption that this is a worthwhile optimisation for
+handling credit messages, augment the existing length checks in
+virtio_transport_rx_work() to elide the call for zero-length payloads.
+Since the callers all have the length, extend virtio_vsock_skb_rx_put()
+to take it as an additional parameter rather than fish it back out of
+the packet header.
+
+Note that the vhost code already has similar logic in
+vhost_vsock_alloc_skb().
+
+Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
+Signed-off-by: Will Deacon <will@kernel.org>
+Message-Id: <20250717090116.11987-4-will@kernel.org>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Heitor Alves de Siqueira <halves@igalia.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/vhost/vsock.c | 2 +-
+ include/linux/virtio_vsock.h | 9 ++-------
+ net/vmw_vsock/virtio_transport.c | 4 +++-
+ 3 files changed, 6 insertions(+), 9 deletions(-)
+
+--- a/drivers/vhost/vsock.c
++++ b/drivers/vhost/vsock.c
+@@ -376,7 +376,7 @@ vhost_vsock_alloc_skb(struct vhost_virtq
+ return NULL;
+ }
+
+- virtio_vsock_skb_rx_put(skb);
++ virtio_vsock_skb_rx_put(skb, payload_len);
+
+ nbytes = copy_from_iter(skb->data, payload_len, &iov_iter);
+ if (nbytes != payload_len) {
+--- a/include/linux/virtio_vsock.h
++++ b/include/linux/virtio_vsock.h
+@@ -47,14 +47,9 @@ static inline void virtio_vsock_skb_clea
+ VIRTIO_VSOCK_SKB_CB(skb)->tap_delivered = false;
+ }
+
+-static inline void virtio_vsock_skb_rx_put(struct sk_buff *skb)
++static inline void virtio_vsock_skb_rx_put(struct sk_buff *skb, u32 len)
+ {
+- u32 len;
+-
+- len = le32_to_cpu(virtio_vsock_hdr(skb)->len);
+-
+- if (len > 0)
+- skb_put(skb, len);
++ skb_put(skb, len);
+ }
+
+ static inline struct sk_buff *virtio_vsock_alloc_skb(unsigned int size, gfp_t mask)
+--- a/net/vmw_vsock/virtio_transport.c
++++ b/net/vmw_vsock/virtio_transport.c
+@@ -656,7 +656,9 @@ static void virtio_transport_rx_work(str
+ continue;
+ }
+
+- virtio_vsock_skb_rx_put(skb);
++ if (payload_len)
++ virtio_vsock_skb_rx_put(skb, payload_len);
++
+ virtio_transport_deliver_tap_pkt(skb);
+ virtio_transport_recv_pkt(&virtio_transport, skb);
+ }
--- /dev/null
+From stable+bounces-211678-greg=kroah.com@vger.kernel.org Mon Jan 26 21:18:32 2026
+From: Heitor Alves de Siqueira <halves@igalia.com>
+Date: Mon, 26 Jan 2026 17:16:54 -0300
+Subject: vsock/virtio: Move SKB allocation lower-bound check to callers
+To: stable@vger.kernel.org, "Stefan Hajnoczi" <stefanha@redhat.com>, "Stefano Garzarella" <sgarzare@redhat.com>, "Michael S. Tsirkin" <mst@redhat.com>, "Jason Wang" <jasowang@redhat.com>, "Eugenio Pérez" <eperezma@redhat.com>, "Xuan Zhuo" <xuanzhuo@linux.alibaba.com>, "David S. Miller" <davem@davemloft.net>, "Eric Dumazet" <edumazet@google.com>, "Jakub Kicinski" <kuba@kernel.org>, "Paolo Abeni" <pabeni@redhat.com>, "Simon Horman" <horms@kernel.org>, "Will Deacon" <will@kernel.org>
+Cc: kernel-dev@igalia.com, Heitor Alves de Siqueira <halves@igalia.com>
+Message-ID: <20260126-backport-vsock-nonlinear-skb-6-12-v1-3-ad5c34853a60@igalia.com>
+
+From: Will Deacon <will@kernel.org>
+
+[Upstream commit fac6b82e0f3eaca33c8c67ec401681b21143ae17]
+
+virtio_vsock_alloc_linear_skb() checks that the requested size is at
+least big enough for the packet header (VIRTIO_VSOCK_SKB_HEADROOM).
+
+Of the three callers of virtio_vsock_alloc_linear_skb(), only
+vhost_vsock_alloc_skb() can potentially pass a packet smaller than the
+header size and, as it already has a check against the maximum packet
+size, extend its bounds checking to consider the minimum packet size
+and remove the check from virtio_vsock_alloc_linear_skb().
+
+Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
+Signed-off-by: Will Deacon <will@kernel.org>
+Message-Id: <20250717090116.11987-7-will@kernel.org>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Heitor Alves de Siqueira <halves@igalia.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/vhost/vsock.c | 3 ++-
+ include/linux/virtio_vsock.h | 3 ---
+ 2 files changed, 2 insertions(+), 4 deletions(-)
+
+--- a/drivers/vhost/vsock.c
++++ b/drivers/vhost/vsock.c
+@@ -345,7 +345,8 @@ vhost_vsock_alloc_skb(struct vhost_virtq
+
+ len = iov_length(vq->iov, out);
+
+- if (len > VIRTIO_VSOCK_MAX_PKT_BUF_SIZE + VIRTIO_VSOCK_SKB_HEADROOM)
++ if (len < VIRTIO_VSOCK_SKB_HEADROOM ||
++ len > VIRTIO_VSOCK_MAX_PKT_BUF_SIZE + VIRTIO_VSOCK_SKB_HEADROOM)
+ return NULL;
+
+ /* len contains both payload and hdr */
+--- a/include/linux/virtio_vsock.h
++++ b/include/linux/virtio_vsock.h
+@@ -57,9 +57,6 @@ virtio_vsock_alloc_linear_skb(unsigned i
+ {
+ struct sk_buff *skb;
+
+- if (size < VIRTIO_VSOCK_SKB_HEADROOM)
+- return NULL;
+-
+ skb = alloc_skb(size, mask);
+ if (!skb)
+ return NULL;
--- /dev/null
+From stable+bounces-211677-greg=kroah.com@vger.kernel.org Mon Jan 26 21:18:33 2026
+From: Heitor Alves de Siqueira <halves@igalia.com>
+Date: Mon, 26 Jan 2026 17:16:53 -0300
+Subject: vsock/virtio: Rename virtio_vsock_alloc_skb()
+To: stable@vger.kernel.org, "Stefan Hajnoczi" <stefanha@redhat.com>, "Stefano Garzarella" <sgarzare@redhat.com>, "Michael S. Tsirkin" <mst@redhat.com>, "Jason Wang" <jasowang@redhat.com>, "Eugenio Pérez" <eperezma@redhat.com>, "Xuan Zhuo" <xuanzhuo@linux.alibaba.com>, "David S. Miller" <davem@davemloft.net>, "Eric Dumazet" <edumazet@google.com>, "Jakub Kicinski" <kuba@kernel.org>, "Paolo Abeni" <pabeni@redhat.com>, "Simon Horman" <horms@kernel.org>, "Will Deacon" <will@kernel.org>
+Cc: kernel-dev@igalia.com, Heitor Alves de Siqueira <halves@igalia.com>
+Message-ID: <20260126-backport-vsock-nonlinear-skb-6-12-v1-2-ad5c34853a60@igalia.com>
+
+From: Will Deacon <will@kernel.org>
+
+[Upstream commit 2304c64a2866c58534560c63dc6e79d09b8f8d8d]
+
+In preparation for nonlinear allocations for large SKBs, rename
+virtio_vsock_alloc_skb() to virtio_vsock_alloc_linear_skb() to indicate
+that it returns linear SKBs unconditionally and switch all callers over
+to this new interface for now.
+
+No functional change.
+
+Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
+Signed-off-by: Will Deacon <will@kernel.org>
+Message-Id: <20250717090116.11987-6-will@kernel.org>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Heitor Alves de Siqueira <halves@igalia.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/vhost/vsock.c | 2 +-
+ include/linux/virtio_vsock.h | 3 ++-
+ net/vmw_vsock/virtio_transport.c | 2 +-
+ net/vmw_vsock/virtio_transport_common.c | 2 +-
+ 4 files changed, 5 insertions(+), 4 deletions(-)
+
+--- a/drivers/vhost/vsock.c
++++ b/drivers/vhost/vsock.c
+@@ -349,7 +349,7 @@ vhost_vsock_alloc_skb(struct vhost_virtq
+ return NULL;
+
+ /* len contains both payload and hdr */
+- skb = virtio_vsock_alloc_skb(len, GFP_KERNEL);
++ skb = virtio_vsock_alloc_linear_skb(len, GFP_KERNEL);
+ if (!skb)
+ return NULL;
+
+--- a/include/linux/virtio_vsock.h
++++ b/include/linux/virtio_vsock.h
+@@ -52,7 +52,8 @@ static inline void virtio_vsock_skb_rx_p
+ skb_put(skb, len);
+ }
+
+-static inline struct sk_buff *virtio_vsock_alloc_skb(unsigned int size, gfp_t mask)
++static inline struct sk_buff *
++virtio_vsock_alloc_linear_skb(unsigned int size, gfp_t mask)
+ {
+ struct sk_buff *skb;
+
+--- a/net/vmw_vsock/virtio_transport.c
++++ b/net/vmw_vsock/virtio_transport.c
+@@ -316,7 +316,7 @@ static void virtio_vsock_rx_fill(struct
+ vq = vsock->vqs[VSOCK_VQ_RX];
+
+ do {
+- skb = virtio_vsock_alloc_skb(total_len, GFP_KERNEL);
++ skb = virtio_vsock_alloc_linear_skb(total_len, GFP_KERNEL);
+ if (!skb)
+ break;
+
+--- a/net/vmw_vsock/virtio_transport_common.c
++++ b/net/vmw_vsock/virtio_transport_common.c
+@@ -263,7 +263,7 @@ static struct sk_buff *virtio_transport_
+ if (!zcopy)
+ skb_len += payload_len;
+
+- skb = virtio_vsock_alloc_skb(skb_len, GFP_KERNEL);
++ skb = virtio_vsock_alloc_linear_skb(skb_len, GFP_KERNEL);
+ if (!skb)
+ return NULL;
+
--- /dev/null
+From stable+bounces-211681-greg=kroah.com@vger.kernel.org Mon Jan 26 21:19:03 2026
+From: Heitor Alves de Siqueira <halves@igalia.com>
+Date: Mon, 26 Jan 2026 17:16:55 -0300
+Subject: vsock/virtio: Rename virtio_vsock_skb_rx_put()
+To: stable@vger.kernel.org, "Stefan Hajnoczi" <stefanha@redhat.com>, "Stefano Garzarella" <sgarzare@redhat.com>, "Michael S. Tsirkin" <mst@redhat.com>, "Jason Wang" <jasowang@redhat.com>, "Eugenio Pérez" <eperezma@redhat.com>, "Xuan Zhuo" <xuanzhuo@linux.alibaba.com>, "David S. Miller" <davem@davemloft.net>, "Eric Dumazet" <edumazet@google.com>, "Jakub Kicinski" <kuba@kernel.org>, "Paolo Abeni" <pabeni@redhat.com>, "Simon Horman" <horms@kernel.org>, "Will Deacon" <will@kernel.org>
+Cc: kernel-dev@igalia.com, Heitor Alves de Siqueira <halves@igalia.com>
+Message-ID: <20260126-backport-vsock-nonlinear-skb-6-12-v1-4-ad5c34853a60@igalia.com>
+
+From: Will Deacon <will@kernel.org>
+
+[Upstream commit 8ca76151d2c8219edea82f1925a2a25907ff6a9d]
+
+In preparation for using virtio_vsock_skb_rx_put() when populating SKBs
+on the vsock TX path, rename virtio_vsock_skb_rx_put() to
+virtio_vsock_skb_put().
+
+No functional change.
+
+Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
+Signed-off-by: Will Deacon <will@kernel.org>
+Message-Id: <20250717090116.11987-9-will@kernel.org>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Heitor Alves de Siqueira <halves@igalia.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/vhost/vsock.c | 2 +-
+ include/linux/virtio_vsock.h | 2 +-
+ net/vmw_vsock/virtio_transport.c | 2 +-
+ 3 files changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/vhost/vsock.c
++++ b/drivers/vhost/vsock.c
+@@ -377,7 +377,7 @@ vhost_vsock_alloc_skb(struct vhost_virtq
+ return NULL;
+ }
+
+- virtio_vsock_skb_rx_put(skb, payload_len);
++ virtio_vsock_skb_put(skb, payload_len);
+
+ nbytes = copy_from_iter(skb->data, payload_len, &iov_iter);
+ if (nbytes != payload_len) {
+--- a/include/linux/virtio_vsock.h
++++ b/include/linux/virtio_vsock.h
+@@ -47,7 +47,7 @@ static inline void virtio_vsock_skb_clea
+ VIRTIO_VSOCK_SKB_CB(skb)->tap_delivered = false;
+ }
+
+-static inline void virtio_vsock_skb_rx_put(struct sk_buff *skb, u32 len)
++static inline void virtio_vsock_skb_put(struct sk_buff *skb, u32 len)
+ {
+ skb_put(skb, len);
+ }
+--- a/net/vmw_vsock/virtio_transport.c
++++ b/net/vmw_vsock/virtio_transport.c
+@@ -657,7 +657,7 @@ static void virtio_transport_rx_work(str
+ }
+
+ if (payload_len)
+- virtio_vsock_skb_rx_put(skb, payload_len);
++ virtio_vsock_skb_put(skb, payload_len);
+
+ virtio_transport_deliver_tap_pkt(skb);
+ virtio_transport_recv_pkt(&virtio_transport, skb);
projects / thirdparty / kernel / stable-queue.git / commitdiff
