git.ipfire.org Git - thirdparty/kernel/stable.git/commitdiff
vsock/virtio: fix MSG_PEEK ignoring skb offset when calculating bytes to copy
author Luigi Leonardi <leonardi@redhat.com>
Wed, 15 Apr 2026 15:09:28 +0000 (17:09 +0200)
committer Jakub Kicinski <kuba@kernel.org>
Fri, 17 Apr 2026 02:34:22 +0000 (19:34 -0700)
`virtio_transport_stream_do_peek()` does not account for the skb offset
when computing the number of bytes to copy.

This means that, after a partial recv() that advances the offset, a peek
requesting more bytes than are available in the sk_buff causes
`skb_copy_datagram_iter()` to go past the valid payload, resulting in
a -EFAULT.

The dequeue path already handles this correctly.
Apply the same logic to the peek path.

Fixes: 0df7cd3c13e4 ("vsock/virtio/vhost: read data from non-linear skb")
Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
Acked-by: Arseniy Krasnov <avkrasnov@salutedevices.com>
Signed-off-by: Luigi Leonardi <leonardi@redhat.com>
Link: https://patch.msgid.link/20260415-fix_peek-v4-1-8207e872759e@redhat.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
net/vmw_vsock/virtio_transport_common.c

index e96e9893b21b0d8d61b2134e6d20e660730f672f..0742091beae7cf74f4cc3dbf5054a456b64ab2cf 100644 (file)
@@ -545,9 +545,8 @@ virtio_transport_stream_do_peek(struct vsock_sock *vsk,
        skb_queue_walk(&vvs->rx_queue, skb) {
                size_t bytes;
 
-               bytes = len - total;
-               if (bytes > skb->len)
-                       bytes = skb->len;
+               bytes = min_t(size_t, len - total,
+                             skb->len - VIRTIO_VSOCK_SKB_CB(skb)->offset);
 
                spin_unlock_bh(&vvs->rx_lock);
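Review bot: In the new `min_t()` call, `skb->len - VIRTIO_VSOCK_SKB_CB(skb)->offset` is an unsigned subtraction, so it is only correct while the offset never exceeds `skb->len`. If that invariant were ever broken, the result would wrap to a very large value and `min_t()` would fall back to `len - total`, which brings back the over-long copy the commit message describes. Since the commit message says the dequeue path already uses the same logic, consider a small shared helper for the remaining-bytes calculation, or at least a one-line comment stating the invariant, so the peek and dequeue paths cannot drift apart again. The patch also touches only net/vmw_vsock/virtio_transport_common.c; a regression test that does a partial recv() followed by a larger MSG_PEEK would cover this case.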