Date: Mon, 25 May 2026 08:42:01 -0400
From: "Michael S. Tsirkin"
To: David Laight
Cc: Stefano Garzarella, patchwork-bot+netdevbpf@kernel.org, netdev@vger.kernel.org, xuanzhuo@linux.alibaba.com, horms@kernel.org, virtualization@lists.linux.dev, linux-kernel@vger.kernel.org, kvm@vger.kernel.org, kuba@kernel.org, eperezma@redhat.com, pabeni@redhat.com, davem@davemloft.net, jasowang@redhat.com, stefanha@redhat.com, edumazet@google.com, stable@vger.kernel.org
Subject: Re: [PATCH net] vsock/virtio: fix skb overhead overflow on 32-bit builds
Message-ID: <20260525083859-mutt-send-email-mst@kernel.org>

On Mon, May 25, 2026 at 11:53:14AM +0100, David Laight wrote:
> On Mon, 25 May 2026 11:57:45 +0200
> Stefano Garzarella wrote:
>
> > On Sat, May 23, 2026 at 05:35:57PM +0100, David Laight wrote:
> > >On Sat, 23 May 2026 02:20:29 +0000
> > >patchwork-bot+netdevbpf@kernel.org wrote:
> > >
> > >> Hello:
> > >>
> > >> This patch was applied to netdev/net.git (main)
> > >> by Jakub Kicinski:
> > >
> > >Did anyone else notice that this isn't a bug?
> > >
> > >There is no way that a 'count of bytes of kernel memory' can overflow
> > >the size of 'long'.
> >
> > It's more of an estimate than an actual calculation of memory usage if
> > we queue the incoming packet. In theory, an overflow could occur if the
> > user sets `buf_alloc` to 4GB. In practice, though, I think you're right:
> > the memory should run out before we get to that check.
>
> The calculation is:
> 	u64 skb_overhead = (skb_queue_len(&vvs->rx_queue) + 1) * SKB_TRUESIZE(0);
>
> skb_queue_len() will be the number of items on the queue.
> SKB_TRUESIZE(0) is the memory taken up by a zero length skb (basically sizeof(skb)).
>
> Unless you either corrupt the queue length or manage to allocate skb that use
> less than the minimum amount of memory that product can't overflow 'unsigned long'.
>
> The later calculations might wrap - but the multiply can't.
>
> -- David

Indeed, I wasn't thinking. For this to even get close to overflowing
we'd have to have almost all of 4G available to the 32 bit kernel taken
up by this single queue.

Revert, I'd say.

> >
> > Thanks,
> > Stefano
> >
> > >
> > >-- David
> > >
> > >>
> > >> On Thu, 21 May 2026 14:47:32 +0200 you wrote:
> > >> > From: Stefano Garzarella
> > >> >
> > >> > On 32-bit architectures, both skb_queue_len() and SKB_TRUESIZE(0) evaluate
> > >> > to 32-bit values. The multiplication can overflow before being assigned to
> > >> > the u64 skb_overhead variable, making the skb overhead check ineffective.
> > >> >
> > >> > Cast skb_queue_len() to u64 so the multiplication is always performed in
> > >> > 64-bit arithmetic.
> > >> >
> > >> > [...]
> > >>
> > >> Here is the summary with links:
> > >>   - [net] vsock/virtio: fix skb overhead overflow on 32-bit builds
> > >>     https://git.kernel.org/netdev/net/c/4157501b9a8f
> > >>
> > >> You are awesome, thank you!
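
The multiplication debated in the thread above, as an added C example that is not part of the thread or of the kernel source. It models the 32-bit operand types with uint32_t and uses TRUESIZE_ASSUMED as a constructed stand-in for SKB_TRUESIZE(0); it shows both where the uncast multiply wraps and how much memory the queue must already hold at that point.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for SKB_TRUESIZE(0); the real value depends on the
 * kernel configuration and is not given in the thread. */
#define TRUESIZE_ASSUMED 512u

/* Expression as quoted in the thread, with uint32_t modelling the 32-bit
 * operand types: the multiply is done in 32 bits, then widened to u64. */
static uint64_t overhead_32bit_mul(uint32_t qlen, uint32_t truesize)
{
    uint32_t product = (qlen + 1) * truesize;   /* wraps modulo 2^32 */
    return product;
}

/* Patched form: widen the queue length first, so the multiply is 64-bit. */
static uint64_t overhead_64bit_mul(uint32_t qlen, uint32_t truesize)
{
    return ((uint64_t)qlen + 1) * truesize;
}

/* Smallest queue length at which the 32-bit multiply first wraps,
 * i.e. the smallest q with (q + 1) * truesize >= 2^32. */
static uint32_t min_qlen_to_wrap(uint32_t truesize)
{
    uint64_t limit = UINT64_C(1) << 32;
    return (uint32_t)((limit + truesize - 1) / truesize - 1);
}

/* Lower bound on the memory already pinned by a queue of that length:
 * every queued skb costs at least truesize bytes. */
static uint64_t bytes_held(uint32_t qlen, uint32_t truesize)
{
    return (uint64_t)qlen * truesize;
}

int main(void)
{
    uint32_t q = min_qlen_to_wrap(TRUESIZE_ASSUMED);
    printf("wrap needs qlen=%u, i.e. %llu bytes already queued\n", q,
           (unsigned long long)bytes_held(q, TRUESIZE_ASSUMED));
    printf("32-bit multiply: %llu, 64-bit multiply: %llu\n",
           (unsigned long long)overhead_32bit_mul(q, TRUESIZE_ASSUMED),
           (unsigned long long)overhead_64bit_mul(q, TRUESIZE_ASSUMED));
    return 0;
}
```

With the assumed size, the wrap first occurs when the queue already accounts for all but 512 bytes of a 4 GiB address space, which is the bound the replies rely on.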