From: Greg Kroah-Hartman Date: Tue, 16 Jun 2026 09:50:50 +0000 (+0530) Subject: 6.18-stable patches X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=52f8678ff94b19b6bfe19d3ecaf3c2513a2cddc1;p=thirdparty%2Fkernel%2Fstable-queue.git 6.18-stable patches added patches: vsock-virtio-fix-potential-unbounded-skb-queue.patch vsock-virtio-fix-skb-overhead-accounting-to-preserve-full-buf_alloc.patch --- diff --git a/queue-6.18/series b/queue-6.18/series index 755a9f543a..b0801a3c56 100644 --- a/queue-6.18/series +++ b/queue-6.18/series @@ -315,3 +315,5 @@ rdma-umem-fix-kernel-doc-warnings.patch rdma-move-dma-block-iterator-logic-into-dedicated-files.patch rdma-umem-fix-truncation-for-block-sizes-4g.patch ipvs-skip-ipv6-extension-headers-for-csum-checks.patch +vsock-virtio-fix-potential-unbounded-skb-queue.patch +vsock-virtio-fix-skb-overhead-accounting-to-preserve-full-buf_alloc.patch diff --git a/queue-6.18/vsock-virtio-fix-potential-unbounded-skb-queue.patch b/queue-6.18/vsock-virtio-fix-potential-unbounded-skb-queue.patch new file mode 100644 index 0000000000..b3fbe6700b --- /dev/null +++ b/queue-6.18/vsock-virtio-fix-potential-unbounded-skb-queue.patch @@ -0,0 +1,55 @@ +From 059b7dbd20a6f0c539a45ddff1573cb8946685b5 Mon Sep 17 00:00:00 2001 +From: Eric Dumazet +Date: Thu, 30 Apr 2026 12:26:52 +0000 +Subject: vsock/virtio: fix potential unbounded skb queue +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Eric Dumazet + +commit 059b7dbd20a6f0c539a45ddff1573cb8946685b5 upstream. + +virtio_transport_inc_rx_pkt() checks vvs->rx_bytes + len > vvs->buf_alloc. + +virtio_transport_recv_enqueue() skips coalescing for packets +with VIRTIO_VSOCK_SEQ_EOM. + +If fed with packets with len == 0 and VIRTIO_VSOCK_SEQ_EOM, +a very large number of packets can be queued +because vvs->rx_bytes stays at 0. + +Fix this by estimating the skb metadata size: + + (Number of skbs in the queue) * SKB_TRUESIZE(0) + +Fixes: 077706165717 ("virtio/vsock: don't use skbuff state to account credit") +Signed-off-by: Eric Dumazet +Cc: Arseniy Krasnov +Cc: Stefan Hajnoczi +Cc: Stefano Garzarella +Cc: "Michael S. Tsirkin" +Cc: Jason Wang +Cc: Xuan Zhuo +Cc: "Eugenio Pérez" +Cc: virtualization@lists.linux.dev +Link: https://patch.msgid.link/20260430122653.554058-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/vmw_vsock/virtio_transport_common.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/net/vmw_vsock/virtio_transport_common.c ++++ b/net/vmw_vsock/virtio_transport_common.c +@@ -425,7 +425,9 @@ static int virtio_transport_send_pkt_inf + static bool virtio_transport_inc_rx_pkt(struct virtio_vsock_sock *vvs, + u32 len) + { +- if (vvs->buf_used + len > vvs->buf_alloc) ++ u64 skb_overhead = (skb_queue_len(&vvs->rx_queue) + 1) * SKB_TRUESIZE(0); ++ ++ if (skb_overhead + vvs->buf_used + len > vvs->buf_alloc) + return false; + + vvs->rx_bytes += len; diff --git a/queue-6.18/vsock-virtio-fix-skb-overhead-accounting-to-preserve-full-buf_alloc.patch b/queue-6.18/vsock-virtio-fix-skb-overhead-accounting-to-preserve-full-buf_alloc.patch new file mode 100644 index 0000000000..84ddefe59d --- /dev/null +++ b/queue-6.18/vsock-virtio-fix-skb-overhead-accounting-to-preserve-full-buf_alloc.patch @@ -0,0 +1,66 @@ +From c6087c5aaad6d1b8be1a1a641e0a422218ade911 Mon Sep 17 00:00:00 2001 +From: Stefano Garzarella +Date: Mon, 18 May 2026 11:06:56 +0200 +Subject: vsock/virtio: fix skb overhead accounting to preserve full buf_alloc + +From: Stefano Garzarella + +commit c6087c5aaad6d1b8be1a1a641e0a422218ade911 upstream. + +After commit 059b7dbd20a6 ("vsock/virtio: fix potential unbounded skb +queue"), virtio_transport_inc_rx_pkt() subtracts per-skb overhead from +buf_alloc when checking whether a new packet fits. This reduces the +effective receive buffer below what the user configured via +SO_VM_SOCKETS_BUFFER_SIZE, causing legitimate data packets to be +silently dropped and applications that rely on the full buffer size +to deadlock. + +Also, the reduced space is not communicated to the remote peer, so +its credit calculation accounts more credit than the receiver will +actually accept, causing data loss (there is no retransmission). + +With this approach we currently have failures in +tools/testing/vsock/vsock_test.c. Test 18 sometimes fails, while +test 22 always fails in this way: + 18 - SOCK_STREAM MSG_ZEROCOPY...hash mismatch + + 22 - SOCK_STREAM virtio credit update + SO_RCVLOWAT...send failed: + Resource temporarily unavailable + +Fix by allowing at most `buf_alloc * 2` as the total budget for payload +plus skb overhead in virtio_transport_inc_rx_pkt(), similar to how +SO_RCVBUF is doubled to reserve space for sk_buff metadata. +This preserves the full buf_alloc for payload under normal operation, +while still bounding the skb queue growth. + +With this patch, all tests in tools/testing/vsock/vsock_test.c are +now passing again. + +Fixes: 059b7dbd20a6 ("vsock/virtio: fix potential unbounded skb queue") +Cc: stable@vger.kernel.org +Signed-off-by: Stefano Garzarella +Link: https://patch.msgid.link/20260518090656.134588-3-sgarzare@redhat.com +Signed-off-by: Paolo Abeni +Signed-off-by: Greg Kroah-Hartman +--- + net/vmw_vsock/virtio_transport_common.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +--- a/net/vmw_vsock/virtio_transport_common.c ++++ b/net/vmw_vsock/virtio_transport_common.c +@@ -427,7 +427,14 @@ static bool virtio_transport_inc_rx_pkt( + { + u64 skb_overhead = (skb_queue_len(&vvs->rx_queue) + 1) * SKB_TRUESIZE(0); + +- if (skb_overhead + vvs->buf_used + len > vvs->buf_alloc) ++ /* Allow at most buf_alloc * 2 total budget (payload + overhead), ++ * similar to how SO_RCVBUF is doubled to reserve space for sk_buff ++ * metadata. Check payload against buf_alloc to be sure the other ++ * peer is respecting the credit, and sk_buff overhead to bound ++ * queue growth. ++ */ ++ if ((u64)vvs->buf_used + len > vvs->buf_alloc || ++ skb_overhead > vvs->buf_alloc) + return false; + + vvs->rx_bytes += len;