[PATCH 0/2] Fix vsock error-handling regression introduced in v6.17-rc1

[PATCH 0/2] Fix vsock error-handling regression introduced in v6.17-rc1

[Will Deacon]

Hi all,

Here are a couple of patches fixing the vsock error-handling regression
found by syzbot [1] that I introduced during the recent merge window.

Cheers,

Will

[1] https://lore.kernel.org/all/689a3d92.050a0220.7f033.00ff.GAE@google.com/

Cc: Alexander Viro <viro@zeniv.linux.org.uk>
Cc: Christian Brauner <brauner@kernel.org>
Cc: "David S. Miller" <davem@davemloft.net>
Cc: Eric Dumazet <edumazet@google.com>
Cc: Hillf Danton <hdanton@sina.com>
Cc: Jakub Kicinski <kuba@kernel.org>
Cc: Jason Wang <jasowang@redhat.com>
Cc: "Michael S. Tsirkin" <mst@redhat.com>
Cc: Paolo Abeni <pabeni@redhat.com>
Cc: Stefan Hajnoczi <stefanha@redhat.com>
Cc: Stefano Garzarella <sgarzare@redhat.com>

--->8

Will Deacon (2):
  net: Introduce skb_copy_datagram_from_iter_full()
  vsock/virtio: Fix message iterator handling on transmit path

 include/linux/skbuff.h                  |  2 ++
 net/core/datagram.c                     | 14 ++++++++++++++
 net/vmw_vsock/virtio_transport_common.c |  8 +++++---
 3 files changed, 21 insertions(+), 3 deletions(-)

-- 
2.51.0.rc1.167.g924127e9c0-goog

[PATCH 1/2] net: Introduce skb_copy_datagram_from_iter_full()

[Will Deacon]

In a similar manner to copy_from_iter()/copy_from_iter_full(), introduce
skb_copy_datagram_from_iter_full() which reverts the iterator to its
initial state when returning an error.

A subsequent fix for a vsock regression will make use of this new
function.

Cc: Paolo Abeni <pabeni@redhat.com>
Cc: Christian Brauner <brauner@kernel.org>
Cc: Eric Dumazet <edumazet@google.com>
Cc: Jakub Kicinski <kuba@kernel.org>
Cc: "David S. Miller" <davem@davemloft.net>
Cc: Alexander Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Will Deacon <will@kernel.org>
---
 include/linux/skbuff.h |  2 ++
 net/core/datagram.c    | 14 ++++++++++++++
 2 files changed, 16 insertions(+)

diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h
index 14b923ddb6df..fa633657e4c0 100644
--- a/include/linux/skbuff.h
+++ b/include/linux/skbuff.h
@@ -4172,6 +4172,8 @@ int skb_copy_and_crc32c_datagram_iter(const struct sk_buff *skb, int offset,
 				      struct iov_iter *to, int len, u32 *crcp);
 int skb_copy_datagram_from_iter(struct sk_buff *skb, int offset,
 				 struct iov_iter *from, int len);
+int skb_copy_datagram_from_iter_full(struct sk_buff *skb, int offset,
+				     struct iov_iter *from, int len);
 int zerocopy_sg_from_iter(struct sk_buff *skb, struct iov_iter *frm);
 void skb_free_datagram(struct sock *sk, struct sk_buff *skb);
 int skb_kill_datagram(struct sock *sk, struct sk_buff *skb, unsigned int flags);
diff --git a/net/core/datagram.c b/net/core/datagram.c
index 94cc4705e91d..f474b9b120f9 100644
--- a/net/core/datagram.c
+++ b/net/core/datagram.c
@@ -618,6 +618,20 @@ int skb_copy_datagram_from_iter(struct sk_buff *skb, int offset,
 }
 EXPORT_SYMBOL(skb_copy_datagram_from_iter);
 
+int skb_copy_datagram_from_iter_full(struct sk_buff *skb, int offset,
+				     struct iov_iter *from, int len)
+{
+	struct iov_iter_state state;
+	int ret;
+
+	iov_iter_save_state(from, &state);
+	ret = skb_copy_datagram_from_iter(skb, offset, from, len);
+	if (ret)
+		iov_iter_restore(from, &state);
+	return ret;
+}
+EXPORT_SYMBOL(skb_copy_datagram_from_iter_full);
+
 int zerocopy_fill_skb_from_iter(struct sk_buff *skb,
 				struct iov_iter *from, size_t length)
 {
-- 
2.51.0.rc1.167.g924127e9c0-goog

[PATCH 2/2] vsock/virtio: Fix message iterator handling on transmit path

[Will Deacon]

Commit 6693731487a8 ("vsock/virtio: Allocate nonlinear SKBs for handling
large transmit buffers") converted the virtio vsock transmit path to
utilise nonlinear SKBs when handling large buffers. As part of this
change, virtio_transport_fill_skb() was updated to call
skb_copy_datagram_from_iter() instead of memcpy_from_msg() as the latter
expects a single destination buffer and cannot handle nonlinear SKBs
correctly.

Unfortunately, during this conversion, I overlooked the error case when
the copying function returns -EFAULT due to a fault on the input buffer
in userspace. In this case, memcpy_from_msg() reverts the iterator to
its initial state thanks to copy_from_iter_full() whereas
skb_copy_datagram_from_iter() leaves the iterator partially advanced.
This results in a WARN_ONCE() from the vsock code, which expects the
iterator to stay in sync with the number of bytes transmitted so that
virtio_transport_send_pkt_info() can return -EFAULT when it is called
again:

  ------------[ cut here ]------------
  'send_pkt()' returns 0, but 65536 expected
  WARNING: CPU: 0 PID: 5503 at net/vmw_vsock/virtio_transport_common.c:428 virtio_transport_send_pkt_info+0xd11/0xf00 net/vmw_vsock/virtio_transport_common.c:426
  Modules linked in:
  CPU: 0 UID: 0 PID: 5503 Comm: syz.0.17 Not tainted 6.16.0-syzkaller-12063-g37816488247d #0 PREEMPT(full)
  Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014

Call virtio_transport_fill_skb_full() to restore the previous iterator
behaviour.

Cc: Hillf Danton <hdanton@sina.com>
Cc: Stefano Garzarella <sgarzare@redhat.com>
Cc: Stefan Hajnoczi <stefanha@redhat.com>
Cc: "Michael S. Tsirkin" <mst@redhat.com>
Cc: Jason Wang <jasowang@redhat.com>
Reported-by: syzbot+b4d960daf7a3c7c2b7b1@syzkaller.appspotmail.com
Signed-off-by: Will Deacon <will@kernel.org>
---
 net/vmw_vsock/virtio_transport_common.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/net/vmw_vsock/virtio_transport_common.c b/net/vmw_vsock/virtio_transport_common.c
index fe92e5fa95b4..dcc8a1d5851e 100644
--- a/net/vmw_vsock/virtio_transport_common.c
+++ b/net/vmw_vsock/virtio_transport_common.c
@@ -105,12 +105,14 @@ static int virtio_transport_fill_skb(struct sk_buff *skb,
 				     size_t len,
 				     bool zcopy)
 {
+	struct msghdr *msg = info->msg;
+
 	if (zcopy)
-		return __zerocopy_sg_from_iter(info->msg, NULL, skb,
-					       &info->msg->msg_iter, len, NULL);
+		return __zerocopy_sg_from_iter(msg, NULL, skb,
+					       &msg->msg_iter, len, NULL);
 
 	virtio_vsock_skb_put(skb, len);
-	return skb_copy_datagram_from_iter(skb, 0, &info->msg->msg_iter, len);
+	return skb_copy_datagram_from_iter_full(skb, 0, &msg->msg_iter, len);
 }
 
 static void virtio_transport_init_hdr(struct sk_buff *skb,
-- 
2.51.0.rc1.167.g924127e9c0-goog

Re: [PATCH 0/2] Fix vsock error-handling regression introduced in v6.17-rc1

[Michael S. Tsirkin]

On Mon, Aug 18, 2025 at 07:03:53PM +0100, Will Deacon wrote:
> Hi all,
> 
> Here are a couple of patches fixing the vsock error-handling regression
> found by syzbot [1] that I introduced during the recent merge window.
> 
> Cheers,
> 
> Will
> 
> [1] https://lore.kernel.org/all/689a3d92.050a0220.7f033.00ff.GAE@google.com/

Acked-by: Michael S. Tsirkin <mst@redhat.com>





> Cc: Alexander Viro <viro@zeniv.linux.org.uk>
> Cc: Christian Brauner <brauner@kernel.org>
> Cc: "David S. Miller" <davem@davemloft.net>
> Cc: Eric Dumazet <edumazet@google.com>
> Cc: Hillf Danton <hdanton@sina.com>
> Cc: Jakub Kicinski <kuba@kernel.org>
> Cc: Jason Wang <jasowang@redhat.com>
> Cc: "Michael S. Tsirkin" <mst@redhat.com>
> Cc: Paolo Abeni <pabeni@redhat.com>
> Cc: Stefan Hajnoczi <stefanha@redhat.com>
> Cc: Stefano Garzarella <sgarzare@redhat.com>
> 
> --->8
> 
> Will Deacon (2):
>   net: Introduce skb_copy_datagram_from_iter_full()
>   vsock/virtio: Fix message iterator handling on transmit path
> 
>  include/linux/skbuff.h                  |  2 ++
>  net/core/datagram.c                     | 14 ++++++++++++++
>  net/vmw_vsock/virtio_transport_common.c |  8 +++++---
>  3 files changed, 21 insertions(+), 3 deletions(-)
> 
> -- 
> 2.51.0.rc1.167.g924127e9c0-goog

Re: [PATCH 0/2] Fix vsock error-handling regression introduced in v6.17-rc1

[Stefan Hajnoczi]

[-- Attachment #1: Type: text/plain, Size: 1471 bytes --]

On Mon, Aug 18, 2025 at 07:03:53PM +0100, Will Deacon wrote:
> Hi all,
> 
> Here are a couple of patches fixing the vsock error-handling regression
> found by syzbot [1] that I introduced during the recent merge window.
> 
> Cheers,
> 
> Will
> 
> [1] https://lore.kernel.org/all/689a3d92.050a0220.7f033.00ff.GAE@google.com/
> 
> Cc: Alexander Viro <viro@zeniv.linux.org.uk>
> Cc: Christian Brauner <brauner@kernel.org>
> Cc: "David S. Miller" <davem@davemloft.net>
> Cc: Eric Dumazet <edumazet@google.com>
> Cc: Hillf Danton <hdanton@sina.com>
> Cc: Jakub Kicinski <kuba@kernel.org>
> Cc: Jason Wang <jasowang@redhat.com>
> Cc: "Michael S. Tsirkin" <mst@redhat.com>
> Cc: Paolo Abeni <pabeni@redhat.com>
> Cc: Stefan Hajnoczi <stefanha@redhat.com>
> Cc: Stefano Garzarella <sgarzare@redhat.com>
> 
> --->8
> 
> Will Deacon (2):
>   net: Introduce skb_copy_datagram_from_iter_full()
>   vsock/virtio: Fix message iterator handling on transmit path
> 
>  include/linux/skbuff.h                  |  2 ++
>  net/core/datagram.c                     | 14 ++++++++++++++
>  net/vmw_vsock/virtio_transport_common.c |  8 +++++---
>  3 files changed, 21 insertions(+), 3 deletions(-)
> 
> -- 
> 2.51.0.rc1.167.g924127e9c0-goog
> 

Stefano Garzarella is offline at the moment and may not get a chance to
review this for another week. In the meantime I have reviewed this patch
series:

Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 488 bytes --]

Re: [PATCH 0/2] Fix vsock error-handling regression introduced in v6.17-rc1

[patchwork-bot+netdevbpf]

Hello:

This series was applied to netdev/net.git (main)
by Jakub Kicinski <kuba@kernel.org>:

On Mon, 18 Aug 2025 19:03:53 +0100 you wrote:
> Hi all,
> 
> Here are a couple of patches fixing the vsock error-handling regression
> found by syzbot [1] that I introduced during the recent merge window.
> 
> Cheers,
> 
> [...]

Here is the summary with links:
  - [1/2] net: Introduce skb_copy_datagram_from_iter_full()
    https://git.kernel.org/netdev/net/c/b08a784a5d14
  - [2/2] vsock/virtio: Fix message iterator handling on transmit path
    https://git.kernel.org/netdev/net/c/7fb1291257ea

You are awesome, thank you!
-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html