--- /dev/null
+From 059b7dbd20a6f0c539a45ddff1573cb8946685b5 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Thu, 30 Apr 2026 12:26:52 +0000
+Subject: vsock/virtio: fix potential unbounded skb queue
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Eric Dumazet <edumazet@google.com>
+
+commit 059b7dbd20a6f0c539a45ddff1573cb8946685b5 upstream.
+
+virtio_transport_inc_rx_pkt() checks vvs->rx_bytes + len > vvs->buf_alloc.
+
+virtio_transport_recv_enqueue() skips coalescing for packets
+with VIRTIO_VSOCK_SEQ_EOM.
+
+If fed with packets with len == 0 and VIRTIO_VSOCK_SEQ_EOM,
+a very large number of packets can be queued
+because vvs->rx_bytes stays at 0.
+
+Fix this by estimating the skb metadata size:
+
+ (Number of skbs in the queue) * SKB_TRUESIZE(0)
+
+Fixes: 077706165717 ("virtio/vsock: don't use skbuff state to account credit")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Arseniy Krasnov <AVKrasnov@sberdevices.ru>
+Cc: Stefan Hajnoczi <stefanha@redhat.com>
+Cc: Stefano Garzarella <sgarzare@redhat.com>
+Cc: "Michael S. Tsirkin" <mst@redhat.com>
+Cc: Jason Wang <jasowang@redhat.com>
+Cc: Xuan Zhuo <xuanzhuo@linux.alibaba.com>
+Cc: "Eugenio Pérez" <eperezma@redhat.com>
+Cc: virtualization@lists.linux.dev
+Link: https://patch.msgid.link/20260430122653.554058-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/vmw_vsock/virtio_transport_common.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/net/vmw_vsock/virtio_transport_common.c
++++ b/net/vmw_vsock/virtio_transport_common.c
+@@ -425,7 +425,9 @@ static int virtio_transport_send_pkt_inf
+ static bool virtio_transport_inc_rx_pkt(struct virtio_vsock_sock *vvs,
+ u32 len)
+ {
+- if (vvs->buf_used + len > vvs->buf_alloc)
++ u64 skb_overhead = (skb_queue_len(&vvs->rx_queue) + 1) * SKB_TRUESIZE(0);
++
++ if (skb_overhead + vvs->buf_used + len > vvs->buf_alloc)
+ return false;
+
+ vvs->rx_bytes += len;
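Review bot: The new condition `skb_overhead + vvs->buf_used + len > vvs->buf_alloc` charges skb metadata against the same buf_alloc that bounds payload, so the payload this function accepts shrinks as rx_queue grows, while nothing in this hunk changes what the peer is told about available space. A peer that stays within buf_alloc can then have packets rejected here. Consider keeping the payload test as `vvs->buf_used + len > vvs->buf_alloc` and bounding skb_overhead with a separate limit, which is the shape the follow-up c6087c5aaad6 adopts. Separately, the commit message describes the check as using vvs->rx_bytes, but the line being replaced tests vvs->buf_used; the message should match the code it changes.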
--- /dev/null
+From c6087c5aaad6d1b8be1a1a641e0a422218ade911 Mon Sep 17 00:00:00 2001
+From: Stefano Garzarella <sgarzare@redhat.com>
+Date: Mon, 18 May 2026 11:06:56 +0200
+Subject: vsock/virtio: fix skb overhead accounting to preserve full buf_alloc
+
+From: Stefano Garzarella <sgarzare@redhat.com>
+
+commit c6087c5aaad6d1b8be1a1a641e0a422218ade911 upstream.
+
+After commit 059b7dbd20a6 ("vsock/virtio: fix potential unbounded skb
+queue"), virtio_transport_inc_rx_pkt() subtracts per-skb overhead from
+buf_alloc when checking whether a new packet fits. This reduces the
+effective receive buffer below what the user configured via
+SO_VM_SOCKETS_BUFFER_SIZE, causing legitimate data packets to be
+silently dropped and applications that rely on the full buffer size
+to deadlock.
+
+Also, the reduced space is not communicated to the remote peer, so
+its credit calculation accounts more credit than the receiver will
+actually accept, causing data loss (there is no retransmission).
+
+With this approach we currently have failures in
+tools/testing/vsock/vsock_test.c. Test 18 sometimes fails, while
+test 22 always fails in this way:
+ 18 - SOCK_STREAM MSG_ZEROCOPY...hash mismatch
+
+ 22 - SOCK_STREAM virtio credit update + SO_RCVLOWAT...send failed:
+ Resource temporarily unavailable
+
+Fix by allowing at most `buf_alloc * 2` as the total budget for payload
+plus skb overhead in virtio_transport_inc_rx_pkt(), similar to how
+SO_RCVBUF is doubled to reserve space for sk_buff metadata.
+This preserves the full buf_alloc for payload under normal operation,
+while still bounding the skb queue growth.
+
+With this patch, all tests in tools/testing/vsock/vsock_test.c are
+now passing again.
+
+Fixes: 059b7dbd20a6 ("vsock/virtio: fix potential unbounded skb queue")
+Cc: stable@vger.kernel.org
+Signed-off-by: Stefano Garzarella <sgarzare@redhat.com>
+Link: https://patch.msgid.link/20260518090656.134588-3-sgarzare@redhat.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/vmw_vsock/virtio_transport_common.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+--- a/net/vmw_vsock/virtio_transport_common.c
++++ b/net/vmw_vsock/virtio_transport_common.c
+@@ -427,7 +427,14 @@ static bool virtio_transport_inc_rx_pkt(
+ {
+ u64 skb_overhead = (skb_queue_len(&vvs->rx_queue) + 1) * SKB_TRUESIZE(0);
+
+- if (skb_overhead + vvs->buf_used + len > vvs->buf_alloc)
++ /* Allow at most buf_alloc * 2 total budget (payload + overhead),
++ * similar to how SO_RCVBUF is doubled to reserve space for sk_buff
++ * metadata. Check payload against buf_alloc to be sure the other
++ * peer is respecting the credit, and sk_buff overhead to bound
++ * queue growth.
++ */
++ if ((u64)vvs->buf_used + len > vvs->buf_alloc ||
++ skb_overhead > vvs->buf_alloc)
+ return false;
+
+ vvs->rx_bytes += len;
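Review bot: In `skb_overhead > vvs->buf_alloc`, an empty rx_queue already gives skb_overhead == SKB_TRUESIZE(0) because of the `+ 1`, so if buf_alloc can ever be set below SKB_TRUESIZE(0), every packet, including the first, is rejected. It would help to state the minimum buf_alloc this relies on, or to make the overhead limit never smaller than one skb. The comment's "buf_alloc * 2 total budget" also reads as one combined check, whereas the condition applies two independent limits (payload <= buf_alloc and overhead <= buf_alloc); wording the comment that way would match the code.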