* [PATCH] vsock/virtio: fix accept queue count leak on transport mismatch in recv_listen
From: Dudu Lu @ 2026-04-13 8:52 UTC (permalink / raw)
To: netdev; +Cc: stefanha, sgarzare, mst, jasowang, Dudu Lu

virtio_transport_recv_listen() calls sk_acceptq_added(sk) to increment
the listener's accept queue counter before calling
vsock_assign_transport(). When vsock_assign_transport() fails or selects
a different transport than the one that received the packet, the error
path returns without calling sk_acceptq_removed(sk), permanently
incrementing sk_ack_backlog.

A malicious VM peer can exploit this by sending repeated CONNECT
requests that trigger the transport mismatch condition. Each such
request permanently increments sk_ack_backlog. After approximately
backlog+1 such requests (default backlog ~128), sk_acceptq_is_full()
returns true, causing the listener to reject ALL new connections with
-ENOMEM. The only recovery is closing and re-creating the listener
socket.

Compare with vmci_transport.c and hyperv_transport.c which correctly
place sk_acceptq_added() AFTER the transport check, avoiding this
issue entirely.

Fix by moving sk_acceptq_added(sk) to after the transport validation
check, matching the pattern used by the other transports.

Fixes: c0cfa2d8a788 ("vsock: add multi-transports support")
Signed-off-by: Dudu Lu <phx0fer@gmail.com>
---
net/vmw_vsock/virtio_transport_common.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/net/vmw_vsock/virtio_transport_common.c b/net/vmw_vsock/virtio_transport_common.c
index 8a9fb23c6e85..29e1d9833be4 100644
--- a/net/vmw_vsock/virtio_transport_common.c
+++ b/net/vmw_vsock/virtio_transport_common.c
@@ -1,3 +1,4 @@
+ sk_acceptq_added(sk);
// SPDX-License-Identifier: GPL-2.0-only
/*
* common code for virtio vsock
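Review bot: The added sk_acceptq_added(sk); lands on line 1 of the file, above the SPDX-License-Identifier comment and outside any function, where no sk is in scope. This hunk should be dropped entirely; the fix belongs only inside virtio_transport_recv_listen().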
@@ -1560,8 +1561,9 @@ virtio_transport_recv_listen(struct sock *sk, struct sk_buff *skb,
return -ENOMEM;
}
- sk_acceptq_added(sk);
+
+ sk_acceptq_added(sk);
lock_sock_nested(child, SINGLE_DEPTH_NESTING);
child->sk_state = TCP_ESTABLISHED;
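Review bot: In this hunk the removed sk_acceptq_added(sk) is re-added at the same spot, still directly ahead of lock_sock_nested(child, SINGLE_DEPTH_NESTING), so the call has not moved relative to the transport check and the counter is still incremented before validation. Move the call below the vsock_assign_transport() check and its error return, as the commit message describes, and drop the extra blank line this hunk introduces.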
--
2.39.3 (Apple Git-145)
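
A user-space model of the ordering problem the commit message above describes, added here as an illustration; it is not code from the patch or from the kernel, and every struct and function name in it is a hypothetical stand-in. It compares counting before validation with counting after it, using the "backlog+1" threshold the message states.

```c
#include <stdbool.h>
#include <stdio.h>
/* User-space model only; every name below is a hypothetical stand-in. */
struct listener {
    unsigned int ack_backlog;     /* models sk_ack_backlog */
    unsigned int max_ack_backlog; /* models the listen() backlog */
};
static bool acceptq_is_full(const struct listener *l)
{
    return l->ack_backlog > l->max_ack_backlog;
}

/* Ordering the commit message describes: count first, validate second. */
static int recv_listen_leaky(struct listener *l, bool transport_ok)
{
    if (acceptq_is_full(l))
        return -1;        /* refused: the queue looks full */
    l->ack_backlog++;     /* counted before validation */
    if (!transport_ok)
        return -2;        /* error return never undoes the count */
    return 0;
}

/* Ordering the message attributes to the other transports: validate, then count. */
static int recv_listen_fixed(struct listener *l, bool transport_ok)
{
    if (acceptq_is_full(l))
        return -1;
    if (!transport_ok)
        return -2;        /* nothing counted, nothing to undo */
    l->ack_backlog++;
    return 0;
}

/* Feed n failing requests, then report whether a valid one is still accepted. */
static bool survives(int (*h)(struct listener *, bool), unsigned int backlog, unsigned int n)
{
    struct listener l = { .ack_backlog = 0, .max_ack_backlog = backlog };
    for (unsigned int i = 0; i < n; i++)
        h(&l, false);
    return h(&l, true) == 0;
}

int main(void)
{
    printf("leaky survives: %d\n", survives(recv_listen_leaky, 128, 129));
    printf("fixed survives: %d\n", survives(recv_listen_fixed, 128, 129));
    return 0;
}
```

The model leaves out accept(), which is the only place a correctly counted connection is removed from the queue; a count taken for a request that never produced a child socket has no such removal.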
* Re: [PATCH] vsock/virtio: fix accept queue count leak on transport mismatch in recv_listen
From: Stefano Garzarella @ 2026-04-13 10:30 UTC (permalink / raw)
To: Dudu Lu; +Cc: netdev, stefanha, mst, jasowang
On Mon, Apr 13, 2026 at 04:52:43PM +0800, Dudu Lu wrote:
>virtio_transport_recv_listen() calls sk_acceptq_added(sk) to increment
>the listener's accept queue counter before calling
>vsock_assign_transport(). When vsock_assign_transport() fails or selects
>a different transport than the one that received the packet, the error
>path returns without calling sk_acceptq_removed(sk), permanently
>incrementing sk_ack_backlog.
>
>A malicious VM peer can exploit this by sending repeated CONNECT
>requests that trigger the transport mismatch condition. Each such
>request permanently increments sk_ack_backlog. After approximately
>backlog+1 such requests (default backlog ~128), sk_acceptq_is_full()
>returns true, causing the listener to reject ALL new connections with
>-ENOMEM. The only recovery is closing and re-creating the listener
>socket.
>
>Compare with vmci_transport.c and hyperv_transport.c which correctly
>place sk_acceptq_added() AFTER the transport check, avoiding this
>issue entirely.
>
>Fix by moving sk_acceptq_added(sk) to after the transport validation
>check, matching the pattern used by the other transports.

The issue seems legitimate, but this patch doesn't do what you're
describing here.

Out of curiosity, how did you generate it?

Stefano

>
>Fixes: c0cfa2d8a788 ("vsock: add multi-transports support")
>Signed-off-by: Dudu Lu <phx0fer@gmail.com>
>---
> net/vmw_vsock/virtio_transport_common.c | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
>
>diff --git a/net/vmw_vsock/virtio_transport_common.c b/net/vmw_vsock/virtio_transport_common.c
>index 8a9fb23c6e85..29e1d9833be4 100644
>--- a/net/vmw_vsock/virtio_transport_common.c
>+++ b/net/vmw_vsock/virtio_transport_common.c
>@@ -1,3 +1,4 @@
>+ sk_acceptq_added(sk);
> // SPDX-License-Identifier: GPL-2.0-only
> /*
> * common code for virtio vsock
>@@ -1560,8 +1561,9 @@ virtio_transport_recv_listen(struct sock *sk, struct sk_buff *skb,
> return -ENOMEM;
> }
>
>- sk_acceptq_added(sk);
>
>+
>+ sk_acceptq_added(sk);
> lock_sock_nested(child, SINGLE_DEPTH_NESTING);
>
> child->sk_state = TCP_ESTABLISHED;
>--
>2.39.3 (Apple Git-145)
>
* Re: [PATCH] vsock/virtio: fix accept queue count leak on transport mismatch in recv_listen
From: kernel test robot @ 2026-04-14 23:40 UTC (permalink / raw)
To: Dudu Lu, netdev; +Cc: oe-kbuild-all, stefanha, sgarzare, mst, jasowang, Dudu Lu
Hi Dudu,
kernel test robot noticed the following build errors:
[auto build test ERROR on mst-vhost/linux-next]
[also build test ERROR on net/main net-next/main linus/master horms-ipvs/master v7.0 next-20260414]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch#_base_tree_information]
url: https://github.com/intel-lab-lkp/linux/commits/Dudu-Lu/vsock-virtio-fix-accept-queue-count-leak-on-transport-mismatch-in-recv_listen/20260414-233232
base: https://git.kernel.org/pub/scm/linux/kernel/git/mst/vhost.git linux-next
patch link: https://lore.kernel.org/r/20260413085243.73200-1-phx0fer%40gmail.com
patch subject: [PATCH] vsock/virtio: fix accept queue count leak on transport mismatch in recv_listen
config: sparc-randconfig-001-20260415 (https://download.01.org/0day-ci/archive/20260415/202604150747.6LyaJckM-lkp@intel.com/config)
compiler: sparc64-linux-gcc (GCC) 8.5.0
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20260415/202604150747.6LyaJckM-lkp@intel.com/reproduce)
If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp@intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202604150747.6LyaJckM-lkp@intel.com/
All errors (new ones prefixed by >>):
net/vmw_vsock/virtio_transport_common.c:1:2: warning: data definition has no type or storage class
sk_acceptq_added(sk);
^~~~~~~~~~~~~~~~
net/vmw_vsock/virtio_transport_common.c:1:2: error: type defaults to 'int' in declaration of 'sk_acceptq_added' [-Werror=implicit-int]
net/vmw_vsock/virtio_transport_common.c:1:2: warning: parameter names (without types) in function declaration
In file included from include/linux/virtio_vsock.h:7,
from net/vmw_vsock/virtio_transport_common.c:15:
>> include/net/sock.h:1080:20: error: conflicting types for 'sk_acceptq_added'
static inline void sk_acceptq_added(struct sock *sk)
^~~~~~~~~~~~~~~~
net/vmw_vsock/virtio_transport_common.c:1:2: note: previous declaration of 'sk_acceptq_added' was here
sk_acceptq_added(sk);
^~~~~~~~~~~~~~~~
cc1: some warnings being treated as errors
vim +/sk_acceptq_added +1080 include/net/sock.h
^1da177e4c3f415 Linus Torvalds 2005-04-16 1079
^1da177e4c3f415 Linus Torvalds 2005-04-16 @1080 static inline void sk_acceptq_added(struct sock *sk)
^1da177e4c3f415 Linus Torvalds 2005-04-16 1081 {
288efe8606b62d0 Eric Dumazet 2019-11-05 1082 WRITE_ONCE(sk->sk_ack_backlog, sk->sk_ack_backlog + 1);
^1da177e4c3f415 Linus Torvalds 2005-04-16 1083 }
^1da177e4c3f415 Linus Torvalds 2005-04-16 1084
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
* Re: [PATCH] vsock/virtio: fix accept queue count leak on transport mismatch in recv_listen
From: kernel test robot @ 2026-04-15 0:04 UTC (permalink / raw)
To: Dudu Lu, netdev; +Cc: oe-kbuild-all, stefanha, sgarzare, mst, jasowang, Dudu Lu
Hi Dudu,
kernel test robot noticed the following build errors:
[auto build test ERROR on mst-vhost/linux-next]
[also build test ERROR on net/main net-next/main linus/master horms-ipvs/master v7.0 next-20260414]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch#_base_tree_information]
url: https://github.com/intel-lab-lkp/linux/commits/Dudu-Lu/vsock-virtio-fix-accept-queue-count-leak-on-transport-mismatch-in-recv_listen/20260414-233232
base: https://git.kernel.org/pub/scm/linux/kernel/git/mst/vhost.git linux-next
patch link: https://lore.kernel.org/r/20260413085243.73200-1-phx0fer%40gmail.com
patch subject: [PATCH] vsock/virtio: fix accept queue count leak on transport mismatch in recv_listen
config: arc-randconfig-001-20260415 (https://download.01.org/0day-ci/archive/20260415/202604150741.iQBI3cGE-lkp@intel.com/config)
compiler: arc-linux-gcc (GCC) 13.4.0
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20260415/202604150741.iQBI3cGE-lkp@intel.com/reproduce)
If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp@intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202604150741.iQBI3cGE-lkp@intel.com/
All error/warnings (new ones prefixed by >>):
>> net/vmw_vsock/virtio_transport_common.c:1:9: warning: data definition has no type or storage class
1 | sk_acceptq_added(sk);
| ^~~~~~~~~~~~~~~~
>> net/vmw_vsock/virtio_transport_common.c:1:9: error: type defaults to 'int' in declaration of 'sk_acceptq_added' [-Werror=implicit-int]
>> net/vmw_vsock/virtio_transport_common.c:1:9: warning: parameter names (without types) in function declaration
In file included from include/linux/virtio_vsock.h:7,
from net/vmw_vsock/virtio_transport_common.c:15:
>> include/net/sock.h:1080:20: error: conflicting types for 'sk_acceptq_added'; have 'void(struct sock *)'
1080 | static inline void sk_acceptq_added(struct sock *sk)
| ^~~~~~~~~~~~~~~~
net/vmw_vsock/virtio_transport_common.c:1:9: note: previous declaration of 'sk_acceptq_added' with type 'int()'
1 | sk_acceptq_added(sk);
| ^~~~~~~~~~~~~~~~
cc1: some warnings being treated as errors
vim +1 net/vmw_vsock/virtio_transport_common.c
> 1 sk_acceptq_added(sk);
2 // SPDX-License-Identifier: GPL-2.0-only
3 /*
4 * common code for virtio vsock
5 *
6 * Copyright (C) 2013-2015 Red Hat, Inc.
7 * Author: Asias He <asias@redhat.com>
8 * Stefan Hajnoczi <stefanha@redhat.com>
9 */
10 #include <linux/spinlock.h>
11 #include <linux/module.h>
12 #include <linux/sched/signal.h>
13 #include <linux/ctype.h>
14 #include <linux/list.h>
15 #include <linux/virtio_vsock.h>
16 #include <uapi/linux/vsockmon.h>
17
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki