6.6-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 15 May 2026 15:21:53 +0000 (17:21 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 15 May 2026 15:21:53 +0000 (17:21 +0200)
added patches:
vsock-virtio-fix-length-and-offset-in-tap-skb-for-split-packets.patch
vsock-virtio-fix-potential-unbounded-skb-queue.patch

queue-6.6/series
queue-6.6/vsock-virtio-fix-length-and-offset-in-tap-skb-for-split-packets.patch [new file with mode: 0644]
queue-6.6/vsock-virtio-fix-potential-unbounded-skb-queue.patch [new file with mode: 0644]

index 17677e9fb4b24f96279c6d2b8d22c74956b38167..4e0986c77feba21443dbafae5d20d0f354a6057b 100644 (file)
@@ -463,3 +463,5 @@ ceph-only-d_add-negative-dentries-when-they-are-unhashed.patch
 kvm-arm64-wake-up-from-wfi-when-iqrchip-is-in-userspace.patch
 vsock-fix-buffer-size-clamping-order.patch
 vsock-virtio-fix-accept-queue-count-leak-on-transport-mismatch.patch
+vsock-virtio-fix-length-and-offset-in-tap-skb-for-split-packets.patch
+vsock-virtio-fix-potential-unbounded-skb-queue.patch
diff --git a/queue-6.6/vsock-virtio-fix-length-and-offset-in-tap-skb-for-split-packets.patch b/queue-6.6/vsock-virtio-fix-length-and-offset-in-tap-skb-for-split-packets.patch
new file mode 100644 (file)
index 0000000..e832bd1
--- /dev/null
@@ -0,0 +1,57 @@
+From 5f344d809e015fba3709e5219428c00b8ac5d7df Mon Sep 17 00:00:00 2001
+From: Stefano Garzarella <sgarzare@redhat.com>
+Date: Fri, 8 May 2026 18:44:10 +0200
+Subject: vsock/virtio: fix length and offset in tap skb for split packets
+
+From: Stefano Garzarella <sgarzare@redhat.com>
+
+commit 5f344d809e015fba3709e5219428c00b8ac5d7df upstream.
+
+virtio_transport_build_skb() builds a new skb to be delivered to the
+vsockmon tap device. To build the new skb, it uses the original skb
+data length as payload length, but as the comment notes, the original
+packet stored in the skb may have been split in multiple packets, so we
+need to use the length in the header, which is correctly updated before
+the packet is delivered to the tap, and the offset for the data.
+
+This was also similar to what we did before commit 71dc9ec9ac7d
+("virtio/vsock: replace virtio_vsock_pkt with sk_buff") where we probably
+missed something during the skb conversion.
+
+Also update the comment above, which was left stale by the skb
+conversion and still mentioned a buffer pointer that no longer exists.
+
+Fixes: 71dc9ec9ac7d ("virtio/vsock: replace virtio_vsock_pkt with sk_buff")
+Signed-off-by: Stefano Garzarella <sgarzare@redhat.com>
+Reviewed-by: Bobby Eshleman <bobbyeshleman@meta.com>
+Reviewed-by: Arseniy Krasnov <avkrasnov@rulkc.org>
+Link: https://patch.msgid.link/20260508164411.261440-2-sgarzare@redhat.com
+Acked-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+[LL: Fixed conflict since this tree does not use the offset added by commit
+ 0df7cd3c13e4 ("vsock/virtio/vhost: read data from non-linear skb")]
+Signed-off-by: Luigi Leonardi <leonardi@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/vmw_vsock/virtio_transport_common.c |    8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/net/vmw_vsock/virtio_transport_common.c
++++ b/net/vmw_vsock/virtio_transport_common.c
+@@ -122,12 +122,12 @@ static struct sk_buff *virtio_transport_
+       size_t payload_len;
+       void *payload_buf;
+-      /* A packet could be split to fit the RX buffer, so we can retrieve
+-       * the payload length from the header and the buffer pointer taking
+-       * care of the offset in the original packet.
++      /* A packet could be split to fit the RX buffer, so we use
++       * the payload length from the header, which has been updated
++       * by the sender to reflect the fragment size.
+        */
+       pkt_hdr = virtio_vsock_hdr(pkt);
+-      payload_len = pkt->len;
++      payload_len = le32_to_cpu(pkt_hdr->len);
+       payload_buf = pkt->data;
+       skb = alloc_skb(sizeof(*hdr) + sizeof(*pkt_hdr) + payload_len,
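Review bot: Nothing visible in this hunk bounds the header-derived `payload_len` by the bytes actually held in `pkt`, yet it sizes the `alloc_skb()` call on the last line and, presumably, the payload copy from `payload_buf` further down. The commit message states that the header length is updated before the packet reaches the tap, so this should hold today, but the field is wire data and a mismatch would become an over-read of `pkt->data`. Clamping keeps the invariant local to this function: `payload_len = min_t(size_t, le32_to_cpu(pkt_hdr->len), pkt->len);`. virtio_transport_build_skb() starts before and continues past the hunk, so the copy itself is not visible here.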
diff --git a/queue-6.6/vsock-virtio-fix-potential-unbounded-skb-queue.patch b/queue-6.6/vsock-virtio-fix-potential-unbounded-skb-queue.patch
new file mode 100644 (file)
index 0000000..531a253
--- /dev/null
@@ -0,0 +1,58 @@
+From 059b7dbd20a6f0c539a45ddff1573cb8946685b5 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Thu, 30 Apr 2026 12:26:52 +0000
+Subject: vsock/virtio: fix potential unbounded skb queue
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Eric Dumazet <edumazet@google.com>
+
+commit 059b7dbd20a6f0c539a45ddff1573cb8946685b5 upstream.
+
+virtio_transport_inc_rx_pkt() checks vvs->rx_bytes + len > vvs->buf_alloc.
+
+virtio_transport_recv_enqueue() skips coalescing for packets
+with VIRTIO_VSOCK_SEQ_EOM.
+
+If fed with packets with len == 0 and VIRTIO_VSOCK_SEQ_EOM,
+a very large number of packets can be queued
+because vvs->rx_bytes stays at 0.
+
+Fix this by estimating the skb metadata size:
+
+       (Number of skbs in the queue) * SKB_TRUESIZE(0)
+
+Fixes: 077706165717 ("virtio/vsock: don't use skbuff state to account credit")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Arseniy Krasnov <AVKrasnov@sberdevices.ru>
+Cc: Stefan Hajnoczi <stefanha@redhat.com>
+Cc: Stefano Garzarella <sgarzare@redhat.com>
+Cc: "Michael S. Tsirkin" <mst@redhat.com>
+Cc: Jason Wang <jasowang@redhat.com>
+Cc: Xuan Zhuo <xuanzhuo@linux.alibaba.com>
+Cc: "Eugenio PĂ©rez" <eperezma@redhat.com>
+Cc: virtualization@lists.linux.dev
+Link: https://patch.msgid.link/20260430122653.554058-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+[LL: Fixed conflict since this tree does not use buf_used added by commit
+ 45ca7e9f0730 ("vsock/virtio: fix `rx_bytes` accounting for stream sockets")]
+Signed-off-by: Luigi Leonardi <leonardi@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/vmw_vsock/virtio_transport_common.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/net/vmw_vsock/virtio_transport_common.c
++++ b/net/vmw_vsock/virtio_transport_common.c
+@@ -283,7 +283,9 @@ static int virtio_transport_send_pkt_inf
+ static bool virtio_transport_inc_rx_pkt(struct virtio_vsock_sock *vvs,
+                                       u32 len)
+ {
+-      if (vvs->rx_bytes + len > vvs->buf_alloc)
++      u64 skb_overhead = (skb_queue_len(&vvs->rx_queue) + 1) * SKB_TRUESIZE(0);
++
++      if (skb_overhead + vvs->rx_bytes + len > vvs->buf_alloc)
+               return false;
+       vvs->rx_bytes += len;
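Review bot: The new `skb_overhead` local carries no comment, so the reason a byte-credit check now also charges per-skb metadata, and why the queue length gets `+ 1`, lives only in the commit message. A comment above it would keep that with the code, e.g. `/* Zero-length EOM packets never raise rx_bytes; also charge SKB_TRUESIZE(0) per queued skb, plus this one, so the queue stays bounded. */`. Separately, the product is formed from a 32-bit queue length and a `sizeof`-based macro, so on 32-bit builds it is presumably computed in 32 bits before being widened to `u64`; `(u64)(skb_queue_len(&vvs->rx_queue) + 1) * SKB_TRUESIZE(0)` makes the width explicit. The body of virtio_transport_inc_rx_pkt() continues past the end of the hunk.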