From 75bb694641e2846138d9765cc6bb69c3d485fefd Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Fri, 15 May 2026 17:21:53 +0200
Subject: [PATCH] 6.6-stable patches

added patches:
vsock-virtio-fix-length-and-offset-in-tap-skb-for-split-packets.patch
vsock-virtio-fix-potential-unbounded-skb-queue.patch

---
queue-6.6/series | 2 +
...-offset-in-tap-skb-for-split-packets.patch | 57 ++++++++++++++++++
...io-fix-potential-unbounded-skb-queue.patch | 58 +++++++++++++++++++
3 files changed, 117 insertions(+)
create mode 100644 queue-6.6/vsock-virtio-fix-length-and-offset-in-tap-skb-for-split-packets.patch
create mode 100644 queue-6.6/vsock-virtio-fix-potential-unbounded-skb-queue.patch

diff --git a/queue-6.6/series b/queue-6.6/series
index 17677e9fb4..4e0986c77f 100644
--- a/queue-6.6/series
+++ b/queue-6.6/series
@@ -463,3 +463,5 @@ ceph-only-d_add-negative-dentries-when-they-are-unhashed.patch
kvm-arm64-wake-up-from-wfi-when-iqrchip-is-in-userspace.patch
vsock-fix-buffer-size-clamping-order.patch
vsock-virtio-fix-accept-queue-count-leak-on-transport-mismatch.patch
+vsock-virtio-fix-length-and-offset-in-tap-skb-for-split-packets.patch
+vsock-virtio-fix-potential-unbounded-skb-queue.patch
diff --git a/queue-6.6/vsock-virtio-fix-length-and-offset-in-tap-skb-for-split-packets.patch b/queue-6.6/vsock-virtio-fix-length-and-offset-in-tap-skb-for-split-packets.patch
new file mode 100644
index 0000000000..e832bd1ef4
--- /dev/null
+++ b/queue-6.6/vsock-virtio-fix-length-and-offset-in-tap-skb-for-split-packets.patch
@@ -0,0 +1,57 @@
+From 5f344d809e015fba3709e5219428c00b8ac5d7df Mon Sep 17 00:00:00 2001
+From: Stefano Garzarella
+Date: Fri, 8 May 2026 18:44:10 +0200
+Subject: vsock/virtio: fix length and offset in tap skb for split packets
+
+From: Stefano Garzarella
+
+commit 5f344d809e015fba3709e5219428c00b8ac5d7df upstream.
+
+virtio_transport_build_skb() builds a new skb to be delivered to the
+vsockmon tap device. To build the new skb, it uses the original skb
+data length as payload length, but as the comment notes, the original
+packet stored in the skb may have been split in multiple packets, so we
+need to use the length in the header, which is correctly updated before
+the packet is delivered to the tap, and the offset for the data.
+
+This was also similar to what we did before commit 71dc9ec9ac7d
+("virtio/vsock: replace virtio_vsock_pkt with sk_buff") where we probably
+missed something during the skb conversion.
+
+Also update the comment above, which was left stale by the skb
+conversion and still mentioned a buffer pointer that no longer exists.
+
+Fixes: 71dc9ec9ac7d ("virtio/vsock: replace virtio_vsock_pkt with sk_buff")
+Signed-off-by: Stefano Garzarella
+Reviewed-by: Bobby Eshleman
+Reviewed-by: Arseniy Krasnov
+Link: https://patch.msgid.link/20260508164411.261440-2-sgarzare@redhat.com
+Acked-by: Michael S. Tsirkin
+Signed-off-by: Paolo Abeni
+[LL: Fixed conflict since this tree does not use the offset added by commit
+ 0df7cd3c13e4 ("vsock/virtio/vhost: read data from non-linear skb")]
+Signed-off-by: Luigi Leonardi
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/vmw_vsock/virtio_transport_common.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/net/vmw_vsock/virtio_transport_common.c
++++ b/net/vmw_vsock/virtio_transport_common.c
+@@ -122,12 +122,12 @@ static struct sk_buff *virtio_transport_
+ size_t payload_len;
+ void *payload_buf;
+
+- /* A packet could be split to fit the RX buffer, so we can retrieve
+- * the payload length from the header and the buffer pointer taking
+- * care of the offset in the original packet.
++ /* A packet could be split to fit the RX buffer, so we use
++ * the payload length from the header, which has been updated
++ * by the sender to reflect the fragment size.
+ */
+ pkt_hdr = virtio_vsock_hdr(pkt);
+- payload_len = pkt->len;
++ payload_len = le32_to_cpu(pkt_hdr->len);
+ payload_buf = pkt->data;
+
+ skb = alloc_skb(sizeof(*hdr) + sizeof(*pkt_hdr) + payload_len,
diff --git a/queue-6.6/vsock-virtio-fix-potential-unbounded-skb-queue.patch b/queue-6.6/vsock-virtio-fix-potential-unbounded-skb-queue.patch
new file mode 100644
index 0000000000..531a253b8c
--- /dev/null
+++ b/queue-6.6/vsock-virtio-fix-potential-unbounded-skb-queue.patch
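Review bot: virtio_transport_build_skb() now sizes the tap skb from `le32_to_cpu(pkt_hdr->len)` instead of `pkt->len`, so the builder relies on an invariant it never checks: the header length must not exceed the linear data still present in `pkt`, otherwise the payload copy that follows (outside the hunk) reads past the skb data. The commit message says the sender rewrites the header before delivering to the tap and the RX paths validate it on receive, which is presumably why this holds today, but that contract lives entirely in the callers and is invisible at this site. I would record it in the rewritten comment, e.g. `* Callers must guarantee hdr->len <= pkt->len when the tap is fed.`, and optionally make the builder self-defending with `if (WARN_ON_ONCE(payload_len > pkt->len)) return NULL;` before the alloc_skb(), since a NULL return is presumably already tolerated on the alloc_skb() failure path. virtio_transport_build_skb() starts before this hunk and continues after it.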
@@ -0,0 +1,58 @@
+From 059b7dbd20a6f0c539a45ddff1573cb8946685b5 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet
+Date: Thu, 30 Apr 2026 12:26:52 +0000
+Subject: vsock/virtio: fix potential unbounded skb queue
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Eric Dumazet
+
+commit 059b7dbd20a6f0c539a45ddff1573cb8946685b5 upstream.
+
+virtio_transport_inc_rx_pkt() checks vvs->rx_bytes + len > vvs->buf_alloc.
+
+virtio_transport_recv_enqueue() skips coalescing for packets
+with VIRTIO_VSOCK_SEQ_EOM.
+
+If fed with packets with len == 0 and VIRTIO_VSOCK_SEQ_EOM,
+a very large number of packets can be queued
+because vvs->rx_bytes stays at 0.
+
+Fix this by estimating the skb metadata size:
+
+ (Number of skbs in the queue) * SKB_TRUESIZE(0)
+
+Fixes: 077706165717 ("virtio/vsock: don't use skbuff state to account credit")
+Signed-off-by: Eric Dumazet
+Cc: Arseniy Krasnov
+Cc: Stefan Hajnoczi
+Cc: Stefano Garzarella
+Cc: "Michael S. Tsirkin"
+Cc: Jason Wang
+Cc: Xuan Zhuo
+Cc: "Eugenio Pérez"
+Cc: virtualization@lists.linux.dev
+Link: https://patch.msgid.link/20260430122653.554058-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski
+[LL: Fixed conflict since this tree does not use buf_used added by commit
+ 45ca7e9f0730 ("vsock/virtio: fix `rx_bytes` accounting for stream sockets")]
+Signed-off-by: Luigi Leonardi
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/vmw_vsock/virtio_transport_common.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/net/vmw_vsock/virtio_transport_common.c
++++ b/net/vmw_vsock/virtio_transport_common.c
+@@ -283,7 +283,9 @@ static int virtio_transport_send_pkt_inf
+ static bool virtio_transport_inc_rx_pkt(struct virtio_vsock_sock *vvs,
+ u32 len)
+ {
+- if (vvs->rx_bytes + len > vvs->buf_alloc)
++ u64 skb_overhead = (skb_queue_len(&vvs->rx_queue) + 1) * SKB_TRUESIZE(0);
++
++ if (skb_overhead + vvs->rx_bytes + len > vvs->buf_alloc)
+ return false;
+
+ vvs->rx_bytes += len;
-- 
2.47.3
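Review bot: The new `skb_overhead` term in virtio_transport_inc_rx_pkt() is charged only on the receiving side, while the credit the peer sends against (buf_alloc and fwd_cnt advertised in the header, outside this hunk) still counts payload bytes alone; as far as I can tell, a conforming peer that sends many small messages well within its advertised credit can now be refused here and, if the caller frees the skb on `false`, lose data without either side noticing. That asymmetry is a deliberate trade-off for bounding the queue, but nothing in the hunk says so, and a reader will not connect the metadata charge to zero-length EOM packets; I would add above the declaration `/* Charge per-skb metadata too: zero-length packets (e.g. EOM-only) never add to rx_bytes and could otherwise grow rx_queue without bound, at the cost of rejecting some in-credit small packets. */`. A minor point on the declaration itself: `skb_queue_len()` and `SKB_TRUESIZE(0)` are multiplied in their own width before the result is widened to u64, so if the u64 was meant to make the arithmetic wrap-proof on 32-bit, cast first, `((u64)skb_queue_len(&vvs->rx_queue) + 1) * SKB_TRUESIZE(0)`. The tail of virtio_transport_inc_rx_pkt() is outside the hunk.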