From: Melbin K Mathew <mlbnkm1@gmail.com>
To: stefanha@redhat.com, sgarzare@redhat.com
Cc: kvm@vger.kernel.org, netdev@vger.kernel.org,
virtualization@lists.linux.dev, linux-kernel@vger.kernel.org,
mst@redhat.com, jasowang@redhat.com, xuanzhuo@linux.alibaba.com,
eperezma@redhat.com, davem@davemloft.net, edumazet@google.com,
kuba@kernel.org, pabeni@redhat.com, horms@kernel.org,
Melbin K Mathew <mlbnkm1@gmail.com>
Subject: [PATCH net v4 0/4] vsock/virtio: fix TX credit handling
Date: Wed, 17 Dec 2025 19:12:02 +0100 [thread overview]
Message-ID: <20251217181206.3681159-1-mlbnkm1@gmail.com> (raw)
This series fixes TX credit handling in virtio-vsock:
Patch 1: Fix potential underflow in get_credit() using s64 arithmetic
Patch 2: Cap TX credit to local buffer size (security hardening)
Patch 3: Fix vsock_test seqpacket bounds test
Patch 4: Add stream TX credit bounds regression test
The core issue is that a malicious guest can advertise a huge buffer
size via SO_VM_SOCKETS_BUFFER_SIZE, causing the host to allocate
excessive sk_buff memory when sending data to that guest.
On an unpatched Ubuntu 22.04 host (~64 GiB RAM), running a PoC with
32 guest vsock connections advertising 2 GiB each and reading slowly
drove Slab/SUnreclaim from ~0.5 GiB to ~57 GiB; the system only
recovered after killing the QEMU process.
With this series applied, the same PoC shows only ~35 MiB increase in
Slab/SUnreclaim, no host OOM, and the guest remains responsive.
--
2.34.1
next reply other threads:[~2025-12-17 18:12 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-12-17 18:12 Melbin K Mathew [this message]
2025-12-17 18:12 ` [PATCH net v4 1/4] vsock/virtio: fix potential underflow in virtio_transport_get_credit() Melbin K Mathew
2025-12-18 9:19 ` Stefano Garzarella
2025-12-17 18:12 ` [PATCH net v4 2/4] vsock/virtio: cap TX credit to local buffer size Melbin K Mathew
2025-12-18 9:24 ` Stefano Garzarella
2025-12-27 16:00 ` Paolo Abeni
2025-12-17 18:12 ` [PATCH net v4 3/4] vsock/test: fix seqpacket message bounds test Melbin K Mathew
2025-12-18 9:14 ` Stefano Garzarella
2025-12-17 18:12 ` [PATCH net v4 4/4] vsock/test: add stream TX credit " Melbin K Mathew
2025-12-18 9:45 ` Stefano Garzarella
2025-12-18 9:18 ` [PATCH net v4 0/4] vsock/virtio: fix TX credit handling Stefano Garzarella
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20251217181206.3681159-1-mlbnkm1@gmail.com \
--to=mlbnkm1@gmail.com \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=eperezma@redhat.com \
--cc=horms@kernel.org \
--cc=jasowang@redhat.com \
--cc=kuba@kernel.org \
--cc=kvm@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mst@redhat.com \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=sgarzare@redhat.com \
--cc=stefanha@redhat.com \
--cc=virtualization@lists.linux.dev \
--cc=xuanzhuo@linux.alibaba.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).