mirror of git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git synced 2025-09-04 20:19:47 +08:00
linux/net/vmw_vsock
Will Deacon 7fb1291257 vsock/virtio: Fix message iterator handling on transmit path
Commit 6693731487 ("vsock/virtio: Allocate nonlinear SKBs for handling
large transmit buffers") converted the virtio vsock transmit path to
utilise nonlinear SKBs when handling large buffers. As part of this
change, virtio_transport_fill_skb() was updated to call
skb_copy_datagram_from_iter() instead of memcpy_from_msg() as the latter
expects a single destination buffer and cannot handle nonlinear SKBs
correctly.

Unfortunately, during this conversion, I overlooked the error case when
the copying function returns -EFAULT due to a fault on the input buffer
in userspace. In this case, memcpy_from_msg() reverts the iterator to
its initial state thanks to copy_from_iter_full() whereas
skb_copy_datagram_from_iter() leaves the iterator partially advanced.
This results in a WARN_ONCE() from the vsock code, which expects the
iterator to stay in sync with the number of bytes transmitted so that
virtio_transport_send_pkt_info() can return -EFAULT when it is called
again:

  ------------[ cut here ]------------
  'send_pkt()' returns 0, but 65536 expected
  WARNING: CPU: 0 PID: 5503 at net/vmw_vsock/virtio_transport_common.c:428 virtio_transport_send_pkt_info+0xd11/0xf00 net/vmw_vsock/virtio_transport_common.c:426
  Modules linked in:
  CPU: 0 UID: 0 PID: 5503 Comm: syz.0.17 Not tainted 6.16.0-syzkaller-12063-g37816488247d #0 PREEMPT(full)
  Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014

Call virtio_transport_fill_skb_full() to restore the previous iterator
behaviour.

Cc: Jason Wang <jasowang@redhat.com>
Cc: Stefano Garzarella <sgarzare@redhat.com>
Fixes: 6693731487 ("vsock/virtio: Allocate nonlinear SKBs for handling large transmit buffers")
Reported-by: syzbot+b4d960daf7a3c7c2b7b1@syzkaller.appspotmail.com
Signed-off-by: Will Deacon <will@kernel.org>
Acked-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Link: https://patch.msgid.link/20250818180355.29275-3-will@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2025-08-21 17:49:19 -07:00
af_vsock_tap.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
af_vsock.c vsock: Do not allow binding to VMADDR_PORT_ANY 2025-08-08 12:55:00 -07:00
diag.c sock_diag: add module pointer to "struct sock_diag_handler" 2024-01-23 15:13:54 +01:00
hyperv_transport.c hv_sock: Return the readable bytes in hvs_stream_has_data() 2025-07-09 19:29:52 -07:00
Kconfig vsock: add vsock_loopback transport 2019-12-11 15:01:23 -08:00
Makefile vsock: support sockmap 2023-03-29 08:19:38 +01:00
virtio_transport_common.c vsock/virtio: Fix message iterator handling on transmit path 2025-08-21 17:49:19 -07:00
virtio_transport.c vsock/virtio: Rename virtio_vsock_skb_rx_put() 2025-08-01 09:11:09 -04:00
vmci_transport_notify_qstate.c vmci/vsock: check SO_RCVLOWAT before wake up reader 2022-08-23 10:43:12 +02:00
vmci_transport_notify.c vmci/vsock: check SO_RCVLOWAT before wake up reader 2022-08-23 10:43:12 +02:00
vmci_transport_notify.h vsock: remove include/linux/vm_sockets.h file 2019-11-14 18:12:17 -08:00
vmci_transport.c vsock/vmci: Clear the vmci transport packet properly when initializing it 2025-07-03 12:52:52 +02:00
vmci_transport.h vsock: Remove unused function declarations 2023-07-31 14:41:08 -07:00
vsock_addr.c vsock_addr: Check for supported flag values 2020-12-14 19:33:39 -08:00
vsock_bpf.c vsock/bpf: Warn on socket without transport 2025-02-18 12:00:01 +01:00
vsock_loopback.c vsock/virtio: add SIOCOUTQ support for all virtio based transports 2024-08-02 09:20:28 +01:00