--- /dev/null
+From 4157501b9a8ff1bbe32ff5a7d8aece7ab18eff40 Mon Sep 17 00:00:00 2001
+From: Stefano Garzarella <sgarzare@redhat.com>
+Date: Thu, 21 May 2026 14:47:32 +0200
+Subject: vsock/virtio: fix skb overhead overflow on 32-bit builds
+
+From: Stefano Garzarella <sgarzare@redhat.com>
+
+commit 4157501b9a8ff1bbe32ff5a7d8aece7ab18eff40 upstream.
+
+On 32-bit architectures, both skb_queue_len() and SKB_TRUESIZE(0) evaluate
+to 32-bit values. The multiplication can overflow before being assigned to
+the u64 skb_overhead variable, making the skb overhead check ineffective.
+
+Cast skb_queue_len() to u64 so the multiplication is always performed in
+64-bit arithmetic.
+
+This issue was reported by Sashiko while reviewing another patch.
+
+Fixes: 059b7dbd20a6 ("vsock/virtio: fix potential unbounded skb queue")
+Closes: https://sashiko.dev/#/patchset/20260518090656.134588-1-sgarzare%40redhat.com
+Cc: stable@vger.kernel.org
+Signed-off-by: Stefano Garzarella <sgarzare@redhat.com>
+Acked-by: Michael S. Tsirkin <mst@redhat.com>
+Link: https://patch.msgid.link/20260521124732.125771-1-sgarzare@redhat.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/vmw_vsock/virtio_transport_common.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/vmw_vsock/virtio_transport_common.c
++++ b/net/vmw_vsock/virtio_transport_common.c
+@@ -425,7 +425,7 @@ static int virtio_transport_send_pkt_inf
+ static bool virtio_transport_inc_rx_pkt(struct virtio_vsock_sock *vvs,
+ u32 len)
+ {
+- u64 skb_overhead = (skb_queue_len(&vvs->rx_queue) + 1) * SKB_TRUESIZE(0);
++ u64 skb_overhead = ((u64)skb_queue_len(&vvs->rx_queue) + 1) * SKB_TRUESIZE(0);
+
+ /* Allow at most buf_alloc * 2 total budget (payload + overhead),
+ * similar to how SO_RCVBUF is doubled to reserve space for sk_buff
projects / thirdparty / kernel / stable-queue.git / commitdiff
