From: Greg Kroah-Hartman Date: Wed, 17 Jun 2026 02:51:25 +0000 (+0530) Subject: 6.18-stable patches X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=7a70e705964e754111e9fbacf80449c67379237e;p=thirdparty%2Fkernel%2Fstable-queue.git 6.18-stable patches added patches: vsock-virtio-fix-skb-overhead-overflow-on-32-bit-builds.patch --- diff --git a/queue-6.18/series b/queue-6.18/series index 166b69dbe2..cd13138e41 100644 --- a/queue-6.18/series +++ b/queue-6.18/series @@ -323,3 +323,4 @@ arm64-errata-mitigate-tlbi-errata-on-various-arm-cpus.patch arm64-errata-mitigate-tlbi-errata-on-nvidia-olympus-cpu.patch arm64-errata-mitigate-tlbi-errata-on-microsoft-azure-cobalt-100-cpu.patch block-fix-handling-of-dead-zone-write-plugs.patch +vsock-virtio-fix-skb-overhead-overflow-on-32-bit-builds.patch diff --git a/queue-6.18/vsock-virtio-fix-skb-overhead-overflow-on-32-bit-builds.patch b/queue-6.18/vsock-virtio-fix-skb-overhead-overflow-on-32-bit-builds.patch new file mode 100644 index 0000000000..ee9fcc23f4 --- /dev/null +++ b/queue-6.18/vsock-virtio-fix-skb-overhead-overflow-on-32-bit-builds.patch 
@@ -0,0 +1,41 @@ +From 4157501b9a8ff1bbe32ff5a7d8aece7ab18eff40 Mon Sep 17 00:00:00 2001 +From: Stefano Garzarella +Date: Thu, 21 May 2026 14:47:32 +0200 +Subject: vsock/virtio: fix skb overhead overflow on 32-bit builds + +From: Stefano Garzarella + +commit 4157501b9a8ff1bbe32ff5a7d8aece7ab18eff40 upstream. + +On 32-bit architectures, both skb_queue_len() and SKB_TRUESIZE(0) evaluate +to 32-bit values. The multiplication can overflow before being assigned to +the u64 skb_overhead variable, making the skb overhead check ineffective. + +Cast skb_queue_len() to u64 so the multiplication is always performed in +64-bit arithmetic. + +This issue was reported by Sashiko while reviewing another patch. + +Fixes: 059b7dbd20a6 ("vsock/virtio: fix potential unbounded skb queue") +Closes: https://sashiko.dev/#/patchset/20260518090656.134588-1-sgarzare%40redhat.com +Cc: stable@vger.kernel.org +Signed-off-by: Stefano Garzarella +Acked-by: Michael S. Tsirkin +Link: https://patch.msgid.link/20260521124732.125771-1-sgarzare@redhat.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/vmw_vsock/virtio_transport_common.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/vmw_vsock/virtio_transport_common.c ++++ b/net/vmw_vsock/virtio_transport_common.c +@@ -425,7 +425,7 @@ static int virtio_transport_send_pkt_inf + static bool virtio_transport_inc_rx_pkt(struct virtio_vsock_sock *vvs, + u32 len) + { +- u64 skb_overhead = (skb_queue_len(&vvs->rx_queue) + 1) * SKB_TRUESIZE(0); ++ u64 skb_overhead = ((u64)skb_queue_len(&vvs->rx_queue) + 1) * SKB_TRUESIZE(0); + + /* Allow at most buf_alloc * 2 total budget (payload + overhead), + * similar to how SO_RCVBUF is doubled to reserve space for sk_buff
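Review bot: in the queue-6.18/series hunk the patch is queued for 6.18 only, while its Fixes: tag names 059b7dbd20a6 ("vsock/virtio: fix potential unbounded skb queue"). Any other stable queue that carries 059b7dbd20a6 needs this follow-up as well, otherwise the overhead check stays ineffective on 32-bit builds of those trees. It is worth confirming which queues have the fixed commit before this goes out.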
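Review bot: in virtio_transport_inc_rx_pkt() the (u64) cast on skb_queue_len() is the only thing keeping the multiplication in 64-bit arithmetic, and nothing on the line says why it is there. A short comment, or splitting the expression into `u64 qlen = skb_queue_len(&vvs->rx_queue);` followed by `(qlen + 1) * SKB_TRUESIZE(0)`, would keep a later cleanup from dropping the cast as redundant. The hunk ends before the comparison that consumes skb_overhead, so the "buf_alloc * 2" side mentioned in the comment cannot be checked from here. It is worth confirming that this side is also evaluated in 64 bits, since a 32-bit wrap there would weaken the same budget check.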