virtio: set skb owner of virtio_transport_reset_no_sock() reply

Associate reply packets with the sending socket. When vsock must reply
with an RST packet and there exists a sending socket (e.g., for
loopback), setting the skb owner to the socket correctly handles
reference counting between the skb and sk (i.e., the sk stays alive
until the skb is freed).

This allows the net namespace to be used for socket lookups for the
duration of the reply skb's lifetime, preventing race conditions between
the namespace lifecycle and vsock socket search using the namespace
pointer.

Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
Signed-off-by: Bobby Eshleman <bobbyeshleman@meta.com>
Link: https://patch.msgid.link/20260121-vsock-vmtest-v16-2-2859a7512097@meta.com
Acked-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Paolo Abeni <pabeni@redhat.com>

diff --git a/net/vmw_vsock/virtio_transport_common.c b/net/vmw_vsock/virtio_transport_common.c
index d57e7af6a68d289ef849c342c957a6b31cc69686..72b5959d677cb7eb0904f3c534fa9a92cc813209 100644 (file)
--- a/net/vmw_vsock/virtio_transport_common.c
+++ b/net/vmw_vsock/virtio_transport_common.c
@@ -1177,6 +1177,12 @@ static int virtio_transport_reset_no_sock(const struct virtio_transport *t,
                .op = VIRTIO_VSOCK_OP_RST,
                .type = le16_to_cpu(hdr->type),
                .reply = true,
+
+               /* Set sk owner to socket we are replying to (may be NULL for
+                * non-loopback). This keeps a reference to the sock and
+                * sock_net(sk) until the reply skb is freed.
+                */
+               .vsk = vsock_sk(skb->sk),
        };
        struct sk_buff *reply;