<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux-stable.git/net/vmw_vsock, branch linux-6.11.y</title>
<subtitle>Linux kernel stable tree</subtitle>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/'/>
<entry>
<title>virtio/vsock: Improve MSG_ZEROCOPY error handling</title>
<updated>2024-11-22T14:39:48+00:00</updated>
<author>
<name>Michal Luczaj</name>
<email>mhal@rbox.co</email>
</author>
<published>2024-11-07T20:46:14+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=50061d7319e21165d04e3024354c1b43b6137821'/>
<id>50061d7319e21165d04e3024354c1b43b6137821</id>
<content type='text'>
[ Upstream commit 60cf6206a1f513512f5d73fa4d3dbbcad2e7dcd6 ]

Add a missing kfree_skb() to prevent memory leaks.

Fixes: 581512a6dc93 ("vsock/virtio: MSG_ZEROCOPY flag support")
Reviewed-by: Stefano Garzarella &lt;sgarzare@redhat.com&gt;
Signed-off-by: Michal Luczaj &lt;mhal@rbox.co&gt;
Acked-by: Arseniy Krasnov &lt;avkrasnov@salutedevices.com&gt;
Signed-off-by: Paolo Abeni &lt;pabeni@redhat.com&gt;
Signed-off-by: Sasha Levin &lt;sashal@kernel.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 60cf6206a1f513512f5d73fa4d3dbbcad2e7dcd6 ]

Add a missing kfree_skb() to prevent memory leaks.

Fixes: 581512a6dc93 ("vsock/virtio: MSG_ZEROCOPY flag support")
Reviewed-by: Stefano Garzarella &lt;sgarzare@redhat.com&gt;
Signed-off-by: Michal Luczaj &lt;mhal@rbox.co&gt;
Acked-by: Arseniy Krasnov &lt;avkrasnov@salutedevices.com&gt;
Signed-off-by: Paolo Abeni &lt;pabeni@redhat.com&gt;
Signed-off-by: Sasha Levin &lt;sashal@kernel.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>vsock: Fix sk_error_queue memory leak</title>
<updated>2024-11-22T14:39:48+00:00</updated>
<author>
<name>Michal Luczaj</name>
<email>mhal@rbox.co</email>
</author>
<published>2024-11-07T20:46:13+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=bea4779a45f49275b1e1b1bd9de03cd3727244d8'/>
<id>bea4779a45f49275b1e1b1bd9de03cd3727244d8</id>
<content type='text'>
[ Upstream commit fbf7085b3ad1c7cc0677834c90f985f1b4f77a33 ]

Kernel queues MSG_ZEROCOPY completion notifications on the error queue.
Where they remain, until explicitly recv()ed. To prevent memory leaks,
clean up the queue when the socket is destroyed.

unreferenced object 0xffff8881028beb00 (size 224):
  comm "vsock_test", pid 1218, jiffies 4294694897
  hex dump (first 32 bytes):
    90 b0 21 17 81 88 ff ff 90 b0 21 17 81 88 ff ff  ..!.......!.....
    00 00 00 00 00 00 00 00 00 b0 21 17 81 88 ff ff  ..........!.....
  backtrace (crc 6c7031ca):
    [&lt;ffffffff81418ef7&gt;] kmem_cache_alloc_node_noprof+0x2f7/0x370
    [&lt;ffffffff81d35882&gt;] __alloc_skb+0x132/0x180
    [&lt;ffffffff81d2d32b&gt;] sock_omalloc+0x4b/0x80
    [&lt;ffffffff81d3a8ae&gt;] msg_zerocopy_realloc+0x9e/0x240
    [&lt;ffffffff81fe5cb2&gt;] virtio_transport_send_pkt_info+0x412/0x4c0
    [&lt;ffffffff81fe6183&gt;] virtio_transport_stream_enqueue+0x43/0x50
    [&lt;ffffffff81fe0813&gt;] vsock_connectible_sendmsg+0x373/0x450
    [&lt;ffffffff81d233d5&gt;] ____sys_sendmsg+0x365/0x3a0
    [&lt;ffffffff81d246f4&gt;] ___sys_sendmsg+0x84/0xd0
    [&lt;ffffffff81d26f47&gt;] __sys_sendmsg+0x47/0x80
    [&lt;ffffffff820d3df3&gt;] do_syscall_64+0x93/0x180
    [&lt;ffffffff8220012b&gt;] entry_SYSCALL_64_after_hwframe+0x76/0x7e

Fixes: 581512a6dc93 ("vsock/virtio: MSG_ZEROCOPY flag support")
Signed-off-by: Michal Luczaj &lt;mhal@rbox.co&gt;
Reviewed-by: Stefano Garzarella &lt;sgarzare@redhat.com&gt;
Acked-by: Arseniy Krasnov &lt;avkrasnov@salutedevices.com&gt;
Signed-off-by: Paolo Abeni &lt;pabeni@redhat.com&gt;
Signed-off-by: Sasha Levin &lt;sashal@kernel.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit fbf7085b3ad1c7cc0677834c90f985f1b4f77a33 ]

Kernel queues MSG_ZEROCOPY completion notifications on the error queue.
Where they remain, until explicitly recv()ed. To prevent memory leaks,
clean up the queue when the socket is destroyed.

unreferenced object 0xffff8881028beb00 (size 224):
  comm "vsock_test", pid 1218, jiffies 4294694897
  hex dump (first 32 bytes):
    90 b0 21 17 81 88 ff ff 90 b0 21 17 81 88 ff ff  ..!.......!.....
    00 00 00 00 00 00 00 00 00 b0 21 17 81 88 ff ff  ..........!.....
  backtrace (crc 6c7031ca):
    [&lt;ffffffff81418ef7&gt;] kmem_cache_alloc_node_noprof+0x2f7/0x370
    [&lt;ffffffff81d35882&gt;] __alloc_skb+0x132/0x180
    [&lt;ffffffff81d2d32b&gt;] sock_omalloc+0x4b/0x80
    [&lt;ffffffff81d3a8ae&gt;] msg_zerocopy_realloc+0x9e/0x240
    [&lt;ffffffff81fe5cb2&gt;] virtio_transport_send_pkt_info+0x412/0x4c0
    [&lt;ffffffff81fe6183&gt;] virtio_transport_stream_enqueue+0x43/0x50
    [&lt;ffffffff81fe0813&gt;] vsock_connectible_sendmsg+0x373/0x450
    [&lt;ffffffff81d233d5&gt;] ____sys_sendmsg+0x365/0x3a0
    [&lt;ffffffff81d246f4&gt;] ___sys_sendmsg+0x84/0xd0
    [&lt;ffffffff81d26f47&gt;] __sys_sendmsg+0x47/0x80
    [&lt;ffffffff820d3df3&gt;] do_syscall_64+0x93/0x180
    [&lt;ffffffff8220012b&gt;] entry_SYSCALL_64_after_hwframe+0x76/0x7e

Fixes: 581512a6dc93 ("vsock/virtio: MSG_ZEROCOPY flag support")
Signed-off-by: Michal Luczaj &lt;mhal@rbox.co&gt;
Reviewed-by: Stefano Garzarella &lt;sgarzare@redhat.com&gt;
Acked-by: Arseniy Krasnov &lt;avkrasnov@salutedevices.com&gt;
Signed-off-by: Paolo Abeni &lt;pabeni@redhat.com&gt;
Signed-off-by: Sasha Levin &lt;sashal@kernel.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>virtio/vsock: Fix accept_queue memory leak</title>
<updated>2024-11-22T14:39:48+00:00</updated>
<author>
<name>Michal Luczaj</name>
<email>mhal@rbox.co</email>
</author>
<published>2024-11-07T20:46:12+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=2415345042245de7601dcc6eafdbe3a3dcc9e379'/>
<id>2415345042245de7601dcc6eafdbe3a3dcc9e379</id>
<content type='text'>
[ Upstream commit d7b0ff5a866724c3ad21f2628c22a63336deec3f ]

As the final stages of socket destruction may be delayed, it is possible
that virtio_transport_recv_listen() will be called after the accept_queue
has been flushed, but before the SOCK_DONE flag has been set. As a result,
sockets enqueued after the flush would remain unremoved, leading to a
memory leak.

vsock_release
  __vsock_release
    lock
    virtio_transport_release
      virtio_transport_close
        schedule_delayed_work(close_work)
    sk_shutdown = SHUTDOWN_MASK
(!) flush accept_queue
    release
                                        virtio_transport_recv_pkt
                                          vsock_find_bound_socket
                                          lock
                                          if flag(SOCK_DONE) return
                                          virtio_transport_recv_listen
                                            child = vsock_create_connected
                                      (!)   vsock_enqueue_accept(child)
                                          release
close_work
  lock
  virtio_transport_do_close
    set_flag(SOCK_DONE)
    virtio_transport_remove_sock
      vsock_remove_sock
        vsock_remove_bound
  release

Introduce a sk_shutdown check to disallow vsock_enqueue_accept() during
socket destruction.

unreferenced object 0xffff888109e3f800 (size 2040):
  comm "kworker/5:2", pid 371, jiffies 4294940105
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    28 00 0b 40 00 00 00 00 00 00 00 00 00 00 00 00  (..@............
  backtrace (crc 9e5f4e84):
    [&lt;ffffffff81418ff1&gt;] kmem_cache_alloc_noprof+0x2c1/0x360
    [&lt;ffffffff81d27aa0&gt;] sk_prot_alloc+0x30/0x120
    [&lt;ffffffff81d2b54c&gt;] sk_alloc+0x2c/0x4b0
    [&lt;ffffffff81fe049a&gt;] __vsock_create.constprop.0+0x2a/0x310
    [&lt;ffffffff81fe6d6c&gt;] virtio_transport_recv_pkt+0x4dc/0x9a0
    [&lt;ffffffff81fe745d&gt;] vsock_loopback_work+0xfd/0x140
    [&lt;ffffffff810fc6ac&gt;] process_one_work+0x20c/0x570
    [&lt;ffffffff810fce3f&gt;] worker_thread+0x1bf/0x3a0
    [&lt;ffffffff811070dd&gt;] kthread+0xdd/0x110
    [&lt;ffffffff81044fdd&gt;] ret_from_fork+0x2d/0x50
    [&lt;ffffffff8100785a&gt;] ret_from_fork_asm+0x1a/0x30

Fixes: 3fe356d58efa ("vsock/virtio: discard packets only when socket is really closed")
Reviewed-by: Stefano Garzarella &lt;sgarzare@redhat.com&gt;
Signed-off-by: Michal Luczaj &lt;mhal@rbox.co&gt;
Signed-off-by: Paolo Abeni &lt;pabeni@redhat.com&gt;
Signed-off-by: Sasha Levin &lt;sashal@kernel.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit d7b0ff5a866724c3ad21f2628c22a63336deec3f ]

As the final stages of socket destruction may be delayed, it is possible
that virtio_transport_recv_listen() will be called after the accept_queue
has been flushed, but before the SOCK_DONE flag has been set. As a result,
sockets enqueued after the flush would remain unremoved, leading to a
memory leak.

vsock_release
  __vsock_release
    lock
    virtio_transport_release
      virtio_transport_close
        schedule_delayed_work(close_work)
    sk_shutdown = SHUTDOWN_MASK
(!) flush accept_queue
    release
                                        virtio_transport_recv_pkt
                                          vsock_find_bound_socket
                                          lock
                                          if flag(SOCK_DONE) return
                                          virtio_transport_recv_listen
                                            child = vsock_create_connected
                                      (!)   vsock_enqueue_accept(child)
                                          release
close_work
  lock
  virtio_transport_do_close
    set_flag(SOCK_DONE)
    virtio_transport_remove_sock
      vsock_remove_sock
        vsock_remove_bound
  release

Introduce a sk_shutdown check to disallow vsock_enqueue_accept() during
socket destruction.

unreferenced object 0xffff888109e3f800 (size 2040):
  comm "kworker/5:2", pid 371, jiffies 4294940105
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    28 00 0b 40 00 00 00 00 00 00 00 00 00 00 00 00  (..@............
  backtrace (crc 9e5f4e84):
    [&lt;ffffffff81418ff1&gt;] kmem_cache_alloc_noprof+0x2c1/0x360
    [&lt;ffffffff81d27aa0&gt;] sk_prot_alloc+0x30/0x120
    [&lt;ffffffff81d2b54c&gt;] sk_alloc+0x2c/0x4b0
    [&lt;ffffffff81fe049a&gt;] __vsock_create.constprop.0+0x2a/0x310
    [&lt;ffffffff81fe6d6c&gt;] virtio_transport_recv_pkt+0x4dc/0x9a0
    [&lt;ffffffff81fe745d&gt;] vsock_loopback_work+0xfd/0x140
    [&lt;ffffffff810fc6ac&gt;] process_one_work+0x20c/0x570
    [&lt;ffffffff810fce3f&gt;] worker_thread+0x1bf/0x3a0
    [&lt;ffffffff811070dd&gt;] kthread+0xdd/0x110
    [&lt;ffffffff81044fdd&gt;] ret_from_fork+0x2d/0x50
    [&lt;ffffffff8100785a&gt;] ret_from_fork_asm+0x1a/0x30

Fixes: 3fe356d58efa ("vsock/virtio: discard packets only when socket is really closed")
Reviewed-by: Stefano Garzarella &lt;sgarzare@redhat.com&gt;
Signed-off-by: Michal Luczaj &lt;mhal@rbox.co&gt;
Signed-off-by: Paolo Abeni &lt;pabeni@redhat.com&gt;
Signed-off-by: Sasha Levin &lt;sashal@kernel.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>vsock/virtio: Initialization of the dangling pointer occurring in vsk-&gt;trans</title>
<updated>2024-11-14T12:21:16+00:00</updated>
<author>
<name>Hyunwoo Kim</name>
<email>v4bel@theori.io</email>
</author>
<published>2024-10-22T07:32:56+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=5f970935d09934222fdef3d0e20c648ea7a963c1'/>
<id>5f970935d09934222fdef3d0e20c648ea7a963c1</id>
<content type='text'>
commit 6ca575374dd9a507cdd16dfa0e78c2e9e20bd05f upstream.

During loopback communication, a dangling pointer can be created in
vsk-&gt;trans, potentially leading to a Use-After-Free condition.  This
issue is resolved by initializing vsk-&gt;trans to NULL.

Cc: stable &lt;stable@kernel.org&gt;
Fixes: 06a8fc78367d ("VSOCK: Introduce virtio_vsock_common.ko")
Signed-off-by: Hyunwoo Kim &lt;v4bel@theori.io&gt;
Signed-off-by: Wongi Lee &lt;qwerty@theori.io&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
Message-Id: &lt;2024102245-strive-crib-c8d3@gregkh&gt;
Signed-off-by: Michael S. Tsirkin &lt;mst@redhat.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 6ca575374dd9a507cdd16dfa0e78c2e9e20bd05f upstream.

During loopback communication, a dangling pointer can be created in
vsk-&gt;trans, potentially leading to a Use-After-Free condition.  This
issue is resolved by initializing vsk-&gt;trans to NULL.

Cc: stable &lt;stable@kernel.org&gt;
Fixes: 06a8fc78367d ("VSOCK: Introduce virtio_vsock_common.ko")
Signed-off-by: Hyunwoo Kim &lt;v4bel@theori.io&gt;
Signed-off-by: Wongi Lee &lt;qwerty@theori.io&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
Message-Id: &lt;2024102245-strive-crib-c8d3@gregkh&gt;
Signed-off-by: Michael S. Tsirkin &lt;mst@redhat.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>hv_sock: Initializing vsk-&gt;trans to NULL to prevent a dangling pointer</title>
<updated>2024-11-14T12:21:16+00:00</updated>
<author>
<name>Hyunwoo Kim</name>
<email>v4bel@theori.io</email>
</author>
<published>2024-11-06T09:36:04+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=e0fe3392371293175f25028020ded5267f4cd8e3'/>
<id>e0fe3392371293175f25028020ded5267f4cd8e3</id>
<content type='text'>
commit e629295bd60abf4da1db85b82819ca6a4f6c1e79 upstream.

When hvs is released, there is a possibility that vsk-&gt;trans may not
be initialized to NULL, which could lead to a dangling pointer.
This issue is resolved by initializing vsk-&gt;trans to NULL.

Signed-off-by: Hyunwoo Kim &lt;v4bel@theori.io&gt;
Reviewed-by: Stefano Garzarella &lt;sgarzare@redhat.com&gt;
Acked-by: Michael S. Tsirkin &lt;mst@redhat.com&gt;
Link: https://patch.msgid.link/Zys4hCj61V+mQfX2@v4bel-B760M-AORUS-ELITE-AX
Signed-off-by: Jakub Kicinski &lt;kuba@kernel.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit e629295bd60abf4da1db85b82819ca6a4f6c1e79 upstream.

When hvs is released, there is a possibility that vsk-&gt;trans may not
be initialized to NULL, which could lead to a dangling pointer.
This issue is resolved by initializing vsk-&gt;trans to NULL.

Signed-off-by: Hyunwoo Kim &lt;v4bel@theori.io&gt;
Reviewed-by: Stefano Garzarella &lt;sgarzare@redhat.com&gt;
Acked-by: Michael S. Tsirkin &lt;mst@redhat.com&gt;
Link: https://patch.msgid.link/Zys4hCj61V+mQfX2@v4bel-B760M-AORUS-ELITE-AX
Signed-off-by: Jakub Kicinski &lt;kuba@kernel.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>bpf, vsock: Drop static vsock_bpf_prot initialization</title>
<updated>2024-11-01T01:02:32+00:00</updated>
<author>
<name>Michal Luczaj</name>
<email>mhal@rbox.co</email>
</author>
<published>2024-10-13T16:26:42+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=063f48a28a8fad11d1b6abc914cdaa259afdaf43'/>
<id>063f48a28a8fad11d1b6abc914cdaa259afdaf43</id>
<content type='text'>
[ Upstream commit 19039f279797efbe044cae41ee216c5fe481fc33 ]

vsock_bpf_prot is set up at runtime. Remove the superfluous init.

No functional change intended.

Fixes: 634f1a7110b4 ("vsock: support sockmap")
Signed-off-by: Michal Luczaj &lt;mhal@rbox.co&gt;
Signed-off-by: Daniel Borkmann &lt;daniel@iogearbox.net&gt;
Acked-by: John Fastabend &lt;john.fastabend@gmail.com&gt;
Link: https://lore.kernel.org/bpf/20241013-vsock-fixes-for-redir-v2-4-d6577bbfe742@rbox.co
Signed-off-by: Sasha Levin &lt;sashal@kernel.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 19039f279797efbe044cae41ee216c5fe481fc33 ]

vsock_bpf_prot is set up at runtime. Remove the superfluous init.

No functional change intended.

Fixes: 634f1a7110b4 ("vsock: support sockmap")
Signed-off-by: Michal Luczaj &lt;mhal@rbox.co&gt;
Signed-off-by: Daniel Borkmann &lt;daniel@iogearbox.net&gt;
Acked-by: John Fastabend &lt;john.fastabend@gmail.com&gt;
Link: https://lore.kernel.org/bpf/20241013-vsock-fixes-for-redir-v2-4-d6577bbfe742@rbox.co
Signed-off-by: Sasha Levin &lt;sashal@kernel.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>vsock: Update msg_count on read_skb()</title>
<updated>2024-11-01T01:02:32+00:00</updated>
<author>
<name>Michal Luczaj</name>
<email>mhal@rbox.co</email>
</author>
<published>2024-10-13T16:26:41+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=eea4bc9e5b418143dca68c313613c6aaf56d2beb'/>
<id>eea4bc9e5b418143dca68c313613c6aaf56d2beb</id>
<content type='text'>
[ Upstream commit 6dafde852df8de3617d4b9f835b629aaeaccd01d ]

Dequeuing via vsock_transport::read_skb() left msg_count outdated, which
then confused SOCK_SEQPACKET recv(). Decrease the counter.

Fixes: 634f1a7110b4 ("vsock: support sockmap")
Signed-off-by: Michal Luczaj &lt;mhal@rbox.co&gt;
Signed-off-by: Daniel Borkmann &lt;daniel@iogearbox.net&gt;
Reviewed-by: Stefano Garzarella &lt;sgarzare@redhat.com&gt;
Acked-by: John Fastabend &lt;john.fastabend@gmail.com&gt;
Link: https://lore.kernel.org/bpf/20241013-vsock-fixes-for-redir-v2-3-d6577bbfe742@rbox.co
Signed-off-by: Sasha Levin &lt;sashal@kernel.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 6dafde852df8de3617d4b9f835b629aaeaccd01d ]

Dequeuing via vsock_transport::read_skb() left msg_count outdated, which
then confused SOCK_SEQPACKET recv(). Decrease the counter.

Fixes: 634f1a7110b4 ("vsock: support sockmap")
Signed-off-by: Michal Luczaj &lt;mhal@rbox.co&gt;
Signed-off-by: Daniel Borkmann &lt;daniel@iogearbox.net&gt;
Reviewed-by: Stefano Garzarella &lt;sgarzare@redhat.com&gt;
Acked-by: John Fastabend &lt;john.fastabend@gmail.com&gt;
Link: https://lore.kernel.org/bpf/20241013-vsock-fixes-for-redir-v2-3-d6577bbfe742@rbox.co
Signed-off-by: Sasha Levin &lt;sashal@kernel.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>vsock: Update rx_bytes on read_skb()</title>
<updated>2024-11-01T01:02:31+00:00</updated>
<author>
<name>Michal Luczaj</name>
<email>mhal@rbox.co</email>
</author>
<published>2024-10-13T16:26:40+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=e5ca2b98090b4bb1c393088c724af6c37812a829'/>
<id>e5ca2b98090b4bb1c393088c724af6c37812a829</id>
<content type='text'>
[ Upstream commit 3543152f2d330141d9394d28855cb90b860091d2 ]

Make sure virtio_transport_inc_rx_pkt() and virtio_transport_dec_rx_pkt()
calls are balanced (i.e. virtio_vsock_sock::rx_bytes doesn't lie) after
vsock_transport::read_skb().

While here, also inform the peer that we've freed up space and it has more
credit.

Failing to update rx_bytes after packet is dequeued leads to a warning on
SOCK_STREAM recv():

[  233.396654] rx_queue is empty, but rx_bytes is non-zero
[  233.396702] WARNING: CPU: 11 PID: 40601 at net/vmw_vsock/virtio_transport_common.c:589

Fixes: 634f1a7110b4 ("vsock: support sockmap")
Suggested-by: Stefano Garzarella &lt;sgarzare@redhat.com&gt;
Signed-off-by: Michal Luczaj &lt;mhal@rbox.co&gt;
Signed-off-by: Daniel Borkmann &lt;daniel@iogearbox.net&gt;
Reviewed-by: Stefano Garzarella &lt;sgarzare@redhat.com&gt;
Acked-by: John Fastabend &lt;john.fastabend@gmail.com&gt;
Link: https://lore.kernel.org/bpf/20241013-vsock-fixes-for-redir-v2-2-d6577bbfe742@rbox.co
Signed-off-by: Sasha Levin &lt;sashal@kernel.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 3543152f2d330141d9394d28855cb90b860091d2 ]

Make sure virtio_transport_inc_rx_pkt() and virtio_transport_dec_rx_pkt()
calls are balanced (i.e. virtio_vsock_sock::rx_bytes doesn't lie) after
vsock_transport::read_skb().

While here, also inform the peer that we've freed up space and it has more
credit.

Failing to update rx_bytes after packet is dequeued leads to a warning on
SOCK_STREAM recv():

[  233.396654] rx_queue is empty, but rx_bytes is non-zero
[  233.396702] WARNING: CPU: 11 PID: 40601 at net/vmw_vsock/virtio_transport_common.c:589

Fixes: 634f1a7110b4 ("vsock: support sockmap")
Suggested-by: Stefano Garzarella &lt;sgarzare@redhat.com&gt;
Signed-off-by: Michal Luczaj &lt;mhal@rbox.co&gt;
Signed-off-by: Daniel Borkmann &lt;daniel@iogearbox.net&gt;
Reviewed-by: Stefano Garzarella &lt;sgarzare@redhat.com&gt;
Acked-by: John Fastabend &lt;john.fastabend@gmail.com&gt;
Link: https://lore.kernel.org/bpf/20241013-vsock-fixes-for-redir-v2-2-d6577bbfe742@rbox.co
Signed-off-by: Sasha Levin &lt;sashal@kernel.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>vsock: fix recursive -&gt;recvmsg calls</title>
<updated>2024-08-15T10:07:04+00:00</updated>
<author>
<name>Cong Wang</name>
<email>cong.wang@bytedance.com</email>
</author>
<published>2024-08-12T02:21:53+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=69139d2919dd4aa9a553c8245e7c63e82613e3fc'/>
<id>69139d2919dd4aa9a553c8245e7c63e82613e3fc</id>
<content type='text'>
After a vsock socket has been added to a BPF sockmap, its prot-&gt;recvmsg
has been replaced with vsock_bpf_recvmsg(). Thus the following
recursiion could happen:

vsock_bpf_recvmsg()
 -&gt; __vsock_recvmsg()
  -&gt; vsock_connectible_recvmsg()
   -&gt; prot-&gt;recvmsg()
    -&gt; vsock_bpf_recvmsg() again

We need to fix it by calling the original -&gt;recvmsg() without any BPF
sockmap logic in __vsock_recvmsg().

Fixes: 634f1a7110b4 ("vsock: support sockmap")
Reported-by: syzbot+bdb4bd87b5e22058e2a4@syzkaller.appspotmail.com
Tested-by: syzbot+bdb4bd87b5e22058e2a4@syzkaller.appspotmail.com
Cc: Bobby Eshleman &lt;bobby.eshleman@bytedance.com&gt;
Cc: Michael S. Tsirkin &lt;mst@redhat.com&gt;
Cc: Stefano Garzarella &lt;sgarzare@redhat.com&gt;
Signed-off-by: Cong Wang &lt;cong.wang@bytedance.com&gt;
Acked-by: Michael S. Tsirkin &lt;mst@redhat.com&gt;
Link: https://patch.msgid.link/20240812022153.86512-1-xiyou.wangcong@gmail.com
Signed-off-by: Paolo Abeni &lt;pabeni@redhat.com&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
After a vsock socket has been added to a BPF sockmap, its prot-&gt;recvmsg
has been replaced with vsock_bpf_recvmsg(). Thus the following
recursiion could happen:

vsock_bpf_recvmsg()
 -&gt; __vsock_recvmsg()
  -&gt; vsock_connectible_recvmsg()
   -&gt; prot-&gt;recvmsg()
    -&gt; vsock_bpf_recvmsg() again

We need to fix it by calling the original -&gt;recvmsg() without any BPF
sockmap logic in __vsock_recvmsg().

Fixes: 634f1a7110b4 ("vsock: support sockmap")
Reported-by: syzbot+bdb4bd87b5e22058e2a4@syzkaller.appspotmail.com
Tested-by: syzbot+bdb4bd87b5e22058e2a4@syzkaller.appspotmail.com
Cc: Bobby Eshleman &lt;bobby.eshleman@bytedance.com&gt;
Cc: Michael S. Tsirkin &lt;mst@redhat.com&gt;
Cc: Stefano Garzarella &lt;sgarzare@redhat.com&gt;
Signed-off-by: Cong Wang &lt;cong.wang@bytedance.com&gt;
Acked-by: Michael S. Tsirkin &lt;mst@redhat.com&gt;
Link: https://patch.msgid.link/20240812022153.86512-1-xiyou.wangcong@gmail.com
Signed-off-by: Paolo Abeni &lt;pabeni@redhat.com&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>virtio: rename virtio_find_vqs_info() to virtio_find_vqs()</title>
<updated>2024-07-17T09:20:58+00:00</updated>
<author>
<name>Jiri Pirko</name>
<email>jiri@nvidia.com</email>
</author>
<published>2024-07-08T07:48:14+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=6c85d6b653caeba2ef982925703cbb4f2b3b3163'/>
<id>6c85d6b653caeba2ef982925703cbb4f2b3b3163</id>
<content type='text'>
Since the original virtio_find_vqs() is no longer present, rename
virtio_find_vqs_info() back to virtio_find_vqs().

Signed-off-by: Jiri Pirko &lt;jiri@nvidia.com&gt;
Message-Id: &lt;20240708074814.1739223-20-jiri@resnulli.us&gt;
Signed-off-by: Michael S. Tsirkin &lt;mst@redhat.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Since the original virtio_find_vqs() is no longer present, rename
virtio_find_vqs_info() back to virtio_find_vqs().

Signed-off-by: Jiri Pirko &lt;jiri@nvidia.com&gt;
Message-Id: &lt;20240708074814.1739223-20-jiri@resnulli.us&gt;
Signed-off-by: Michael S. Tsirkin &lt;mst@redhat.com&gt;
</pre>
</div>
</content>
</entry>
</feed>
