Netdev List
* [PATCH net] vsock/virtio: bind uarg before filling zerocopy skb
@ 2026-05-25 11:15 malin (R)
  2026-05-25 11:25 ` Arseniy Krasnov
                   ` (2 more replies)
  0 siblings, 3 replies; 4+ messages in thread
From: malin (R) @ 2026-05-25 11:15 UTC
  To: Arseniy Krasnov, tanjingguo, mst@redhat.com, jasowang@redhat.com,
	xuanzhuo@linux.alibaba.com, eperezma@redhat.com,
	stefanha@redhat.com, sgarzare@redhat.com, davem@davemloft.net,
	edumazet@google.com, kuba@kernel.org, pabeni@redhat.com,
	horms@kernel.org
  Cc: Chenzhe, cenxianlong, cuirongzhen, virtualization@lists.linux.dev,
	kvm@vger.kernel.org, netdev@vger.kernel.org,
	linux-kernel@vger.kernel.org, tanjingguo

From 9eea4f61a4dca97f56c23e12267219bf791a20d1 Mon Sep 17 00:00:00 2001
From: Jingguo Tan <tanjingguo@huawei.com>
Date: Fri, 22 May 2026 19:53:45 +0800
Subject: [PATCH net] vsock/virtio: bind uarg before filling zerocopy skb

virtio_transport_send_pkt_info() allocates or reuses the zerocopy uarg
before entering the send loop, but virtio_transport_alloc_skb() still
fills the skb before it inherits that uarg. When fixed-buffer vectored
zerocopy hits MAX_SKB_FRAGS, io_sg_from_iter() may partially attach
managed frags and return -EMSGSIZE. The rollback path calls kfree_skb()
to free an skb that carries SKBFL_MANAGED_FRAG_REFS but no uarg, so
skb_release_data() falls through to ordinary frag unref.

Pass the uarg into virtio_transport_alloc_skb() and bind it immediately
before virtio_transport_fill_skb(). This keeps control or no-payload skbs
untouched while ensuring success and rollback share one lifetime rule.

Fixes: 581512a6dc93 ("vsock/virtio: MSG_ZEROCOPY flag support")
Signed-off-by: Lin Ma <malin89@huawei.com>
Signed-off-by: Rongzhen Cui <cuirongzhen@huawei.com>
Signed-off-by: Jingguo Tan <tanjingguo@huawei.com>
---

 net/vmw_vsock/virtio_transport_common.c | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/net/vmw_vsock/virtio_transport_common.c b/net/vmw_vsock/virtio_transport_common.c
index df3b418e0392..73f58925ff72 100644
--- a/net/vmw_vsock/virtio_transport_common.c
+++ b/net/vmw_vsock/virtio_transport_common.c
@@ -205,6 +205,7 @@ static u16 virtio_transport_get_type(struct sock *sk)
 static struct sk_buff *virtio_transport_alloc_skb(struct virtio_vsock_pkt_info *info,
 						  size_t payload_len,
 						  bool zcopy,
+						  struct ubuf_info *uarg,
 						  u32 src_cid,
 						  u32 src_port,
 						  u32 dst_cid,
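Review bot: the prototype of virtio_transport_alloc_skb() now takes both `bool zcopy` and `struct ubuf_info *uarg`, and nothing documents how the two relate. A short comment above the function should state that uarg may be NULL (the reset-reply caller passes NULL) and whether a non-NULL uarg together with zcopy == false is a valid combination, since the bind added in the payload branch does not look at zcopy.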
@@ -245,6 +246,11 @@ static struct sk_buff *virtio_transport_alloc_skb(struct virtio_vsock_pkt_info *
 	if (info->msg && payload_len > 0) {
 		int err;
 
+		/* Bind the zerocopy lifetime before filling frags so error rollback
+		 * frees managed fixed-buffer pages through the uarg-aware path.
+		 */
+		skb_zcopy_set(skb, uarg, NULL);
+
 		err = virtio_transport_fill_skb(skb, info, payload_len, zcopy);
 		if (err)
 			goto out;
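Review bot: the skb_zcopy_set() call added in the payload branch is not conditioned on `zcopy` or on `uarg` being non-NULL, although the new comment describes it as binding the zerocopy lifetime. Either guard it with `if (uarg)` or say in the comment that the call is a no-op when no uarg was passed, so a later reader does not take it for an unconditional bind. The `out` label is outside this hunk: confirm that it frees the skb in a way that drops the reference taken here, and consider a regression test that drives the error return from virtio_transport_fill_skb() described in the commit message. The first line of the new comment also runs past 80 columns.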
@@ -364,6 +370,7 @@ static int virtio_transport_send_pkt_info(struct vsock_sock *vsk,
 		skb_len = min(max_skb_len, rest_len);
 
 		skb = virtio_transport_alloc_skb(info, skb_len, can_zcopy,
+						 uarg,
 						 src_cid, src_port,
 						 dst_cid, dst_port);
 		if (!skb) {
@@ -371,8 +378,6 @@ static int virtio_transport_send_pkt_info(struct vsock_sock *vsk,
 			break;
 		}
 
-		skb_zcopy_set(skb, uarg, NULL);
-
 		virtio_transport_inc_tx_pkt(vvs, skb);
 
 		ret = t_ops->send_pkt(skb, info->net);
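Review bot: removing skb_zcopy_set() from the send loop narrows which skbs receive the uarg. The old call at this spot ran for every skb the loop allocated, while the new one sits inside `if (info->msg && payload_len > 0)`. The commit message says control and no-payload skbs are meant to stay untouched; please confirm that no zero-length data skb produced by this loop relied on the old bind, and state that explicitly in the changelog.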
@@ -1183,7 +1188,7 @@ static int virtio_transport_reset_no_sock(const struct virtio_transport *t,
 	if (!t)
 		return -ENOTCONN;
 
-	reply = virtio_transport_alloc_skb(&info, 0, false,
+	reply = virtio_transport_alloc_skb(&info, 0, false, NULL,
 					   le64_to_cpu(hdr->dst_cid),
 					   le32_to_cpu(hdr->dst_port),
 					   le64_to_cpu(hdr->src_cid),
-- 
2.53.0


* Re: [PATCH net] vsock/virtio: bind uarg before filling zerocopy skb
  2026-05-25 11:15 [PATCH net] vsock/virtio: bind uarg before filling zerocopy skb malin (R)
@ 2026-05-25 11:25 ` Arseniy Krasnov
  2026-05-25 11:25 ` Michael S. Tsirkin
  2026-05-25 12:48 ` Stefano Garzarella
  2 siblings, 0 replies; 4+ messages in thread
From: Arseniy Krasnov @ 2026-05-25 11:25 UTC
  To: malin (R), tanjingguo, mst@redhat.com, jasowang@redhat.com,
	xuanzhuo@linux.alibaba.com, eperezma@redhat.com,
	stefanha@redhat.com, sgarzare@redhat.com, davem@davemloft.net,
	edumazet@google.com, kuba@kernel.org, pabeni@redhat.com,
	horms@kernel.org
  Cc: Chenzhe, cenxianlong, cuirongzhen, virtualization@lists.linux.dev,
	kvm@vger.kernel.org, netdev@vger.kernel.org,
	linux-kernel@vger.kernel.org



On 25/05/2026 14:15, malin (R) wrote:
> From 9eea4f61a4dca97f56c23e12267219bf791a20d1 Mon Sep 17 00:00:00 2001
> From: Jingguo Tan <tanjingguo@huawei.com>
> Date: Fri, 22 May 2026 19:53:45 +0800
> Subject: [PATCH net] vsock/virtio: bind uarg before filling zerocopy skb
> 
> virtio_transport_send_pkt_info() allocates or reuses the zerocopy uarg
> before entering the send loop, but virtio_transport_alloc_skb() still
> fills the skb before it inherits that uarg. When fixed-buffer vectored
> zerocopy hits MAX_SKB_FRAGS, io_sg_from_iter() may partially attach
> managed frags and return -EMSGSIZE. The rollback path calls kfree_skb()
> to free an skb that carries SKBFL_MANAGED_FRAG_REFS but no uarg, so
> skb_release_data() falls through to ordinary frag unref.
> 
> Pass the uarg into virtio_transport_alloc_skb() and bind it immediately
> before virtio_transport_fill_skb(). This keeps control or no-payload skbs
> untouched while ensuring success and rollback share one lifetime rule.
> 
> Fixes: 581512a6dc93 ("vsock/virtio: MSG_ZEROCOPY flag support")
> Signed-off-by: Lin Ma <malin89@huawei.com>
> Signed-off-by: Rongzhen Cui <cuirongzhen@huawei.com>
> Signed-off-by: Jingguo Tan <tanjingguo@huawei.com>

Acked-by: Arseniy Krasnov <avkrasnov@salutedevices.com>

> ---
> 
>  net/vmw_vsock/virtio_transport_common.c | 11 ++++++++---
>  1 file changed, 8 insertions(+), 3 deletions(-)
> 
> diff --git a/net/vmw_vsock/virtio_transport_common.c b/net/vmw_vsock/virtio_transport_common.c
> index df3b418e0392..73f58925ff72 100644
> --- a/net/vmw_vsock/virtio_transport_common.c
> +++ b/net/vmw_vsock/virtio_transport_common.c
> @@ -205,6 +205,7 @@ static u16 virtio_transport_get_type(struct sock *sk)
>  static struct sk_buff *virtio_transport_alloc_skb(struct virtio_vsock_pkt_info *info,
>  						  size_t payload_len,
>  						  bool zcopy,
> +						  struct ubuf_info *uarg,
>  						  u32 src_cid,
>  						  u32 src_port,
>  						  u32 dst_cid,
> @@ -245,6 +246,11 @@ static struct sk_buff *virtio_transport_alloc_skb(struct virtio_vsock_pkt_info *
>  	if (info->msg && payload_len > 0) {
>  		int err;
>  
> +		/* Bind the zerocopy lifetime before filling frags so error rollback
> +		 * frees managed fixed-buffer pages through the uarg-aware path.
> +		 */
> +		skb_zcopy_set(skb, uarg, NULL);
> +
>  		err = virtio_transport_fill_skb(skb, info, payload_len, zcopy);
>  		if (err)
>  			goto out;
> @@ -364,6 +370,7 @@ static int virtio_transport_send_pkt_info(struct vsock_sock *vsk,
>  		skb_len = min(max_skb_len, rest_len);
>  
>  		skb = virtio_transport_alloc_skb(info, skb_len, can_zcopy,
> +						 uarg,
>  						 src_cid, src_port,
>  						 dst_cid, dst_port);
>  		if (!skb) {
> @@ -371,8 +378,6 @@ static int virtio_transport_send_pkt_info(struct vsock_sock *vsk,
>  			break;
>  		}
>  
> -		skb_zcopy_set(skb, uarg, NULL);
> -
>  		virtio_transport_inc_tx_pkt(vvs, skb);
>  
>  		ret = t_ops->send_pkt(skb, info->net);
> @@ -1183,7 +1188,7 @@ static int virtio_transport_reset_no_sock(const struct virtio_transport *t,
>  	if (!t)
>  		return -ENOTCONN;
>  
> -	reply = virtio_transport_alloc_skb(&info, 0, false,
> +	reply = virtio_transport_alloc_skb(&info, 0, false, NULL,
>  					   le64_to_cpu(hdr->dst_cid),
>  					   le32_to_cpu(hdr->dst_port),
>  					   le64_to_cpu(hdr->src_cid),



* Re: [PATCH net] vsock/virtio: bind uarg before filling zerocopy skb
  2026-05-25 11:15 [PATCH net] vsock/virtio: bind uarg before filling zerocopy skb malin (R)
  2026-05-25 11:25 ` Arseniy Krasnov
@ 2026-05-25 11:25 ` Michael S. Tsirkin
  2026-05-25 12:48 ` Stefano Garzarella
  2 siblings, 0 replies; 4+ messages in thread
From: Michael S. Tsirkin @ 2026-05-25 11:25 UTC
  To: malin (R)
  Cc: Arseniy Krasnov, tanjingguo, jasowang@redhat.com,
	xuanzhuo@linux.alibaba.com, eperezma@redhat.com,
	stefanha@redhat.com, sgarzare@redhat.com, davem@davemloft.net,
	edumazet@google.com, kuba@kernel.org, pabeni@redhat.com,
	horms@kernel.org, Chenzhe, cenxianlong, cuirongzhen,
	virtualization@lists.linux.dev, kvm@vger.kernel.org,
	netdev@vger.kernel.org, linux-kernel@vger.kernel.org

On Mon, May 25, 2026 at 11:15:12AM +0000, malin (R) wrote:
> From 9eea4f61a4dca97f56c23e12267219bf791a20d1 Mon Sep 17 00:00:00 2001
> From: Jingguo Tan <tanjingguo@huawei.com>
> Date: Fri, 22 May 2026 19:53:45 +0800
> Subject: [PATCH net] vsock/virtio: bind uarg before filling zerocopy skb
> 
> virtio_transport_send_pkt_info() allocates or reuses the zerocopy uarg
> before entering the send loop, but virtio_transport_alloc_skb() still
> fills the skb before it inherits that uarg. When fixed-buffer vectored
> zerocopy hits MAX_SKB_FRAGS, io_sg_from_iter() may partially attach
> managed frags and return -EMSGSIZE. The rollback path calls kfree_skb()
> to free an skb that carries SKBFL_MANAGED_FRAG_REFS but no uarg, so
> skb_release_data() falls through to ordinary frag unref.
> 
> Pass the uarg into virtio_transport_alloc_skb() and bind it immediately
> before virtio_transport_fill_skb(). This keeps control or no-payload skbs
> untouched while ensuring success and rollback share one lifetime rule.
> 
> Fixes: 581512a6dc93 ("vsock/virtio: MSG_ZEROCOPY flag support")
> Signed-off-by: Lin Ma <malin89@huawei.com>
> Signed-off-by: Rongzhen Cui <cuirongzhen@huawei.com>
> Signed-off-by: Jingguo Tan <tanjingguo@huawei.com>

Acked-by: Michael S. Tsirkin <mst@redhat.com>

> ---
> 
>  net/vmw_vsock/virtio_transport_common.c | 11 ++++++++---
>  1 file changed, 8 insertions(+), 3 deletions(-)
> 
> diff --git a/net/vmw_vsock/virtio_transport_common.c b/net/vmw_vsock/virtio_transport_common.c
> index df3b418e0392..73f58925ff72 100644
> --- a/net/vmw_vsock/virtio_transport_common.c
> +++ b/net/vmw_vsock/virtio_transport_common.c
> @@ -205,6 +205,7 @@ static u16 virtio_transport_get_type(struct sock *sk)
>  static struct sk_buff *virtio_transport_alloc_skb(struct virtio_vsock_pkt_info *info,
>  						  size_t payload_len,
>  						  bool zcopy,
> +						  struct ubuf_info *uarg,
>  						  u32 src_cid,
>  						  u32 src_port,
>  						  u32 dst_cid,
> @@ -245,6 +246,11 @@ static struct sk_buff *virtio_transport_alloc_skb(struct virtio_vsock_pkt_info *
>  	if (info->msg && payload_len > 0) {
>  		int err;
>  
> +		/* Bind the zerocopy lifetime before filling frags so error rollback
> +		 * frees managed fixed-buffer pages through the uarg-aware path.
> +		 */
> +		skb_zcopy_set(skb, uarg, NULL);
> +
>  		err = virtio_transport_fill_skb(skb, info, payload_len, zcopy);
>  		if (err)
>  			goto out;
> @@ -364,6 +370,7 @@ static int virtio_transport_send_pkt_info(struct vsock_sock *vsk,
>  		skb_len = min(max_skb_len, rest_len);
>  
>  		skb = virtio_transport_alloc_skb(info, skb_len, can_zcopy,
> +						 uarg,
>  						 src_cid, src_port,
>  						 dst_cid, dst_port);
>  		if (!skb) {
> @@ -371,8 +378,6 @@ static int virtio_transport_send_pkt_info(struct vsock_sock *vsk,
>  			break;
>  		}
>  
> -		skb_zcopy_set(skb, uarg, NULL);
> -
>  		virtio_transport_inc_tx_pkt(vvs, skb);
>  
>  		ret = t_ops->send_pkt(skb, info->net);
> @@ -1183,7 +1188,7 @@ static int virtio_transport_reset_no_sock(const struct virtio_transport *t,
>  	if (!t)
>  		return -ENOTCONN;
>  
> -	reply = virtio_transport_alloc_skb(&info, 0, false,
> +	reply = virtio_transport_alloc_skb(&info, 0, false, NULL,
>  					   le64_to_cpu(hdr->dst_cid),
>  					   le32_to_cpu(hdr->dst_port),
>  					   le64_to_cpu(hdr->src_cid),
> -- 
> 2.53.0



* Re: [PATCH net] vsock/virtio: bind uarg before filling zerocopy skb
  2026-05-25 11:15 [PATCH net] vsock/virtio: bind uarg before filling zerocopy skb malin (R)
  2026-05-25 11:25 ` Arseniy Krasnov
  2026-05-25 11:25 ` Michael S. Tsirkin
@ 2026-05-25 12:48 ` Stefano Garzarella
  2 siblings, 0 replies; 4+ messages in thread
From: Stefano Garzarella @ 2026-05-25 12:48 UTC
  To: malin (R)
  Cc: Arseniy Krasnov, tanjingguo, mst@redhat.com, jasowang@redhat.com,
	xuanzhuo@linux.alibaba.com, eperezma@redhat.com,
	stefanha@redhat.com, davem@davemloft.net, edumazet@google.com,
	kuba@kernel.org, pabeni@redhat.com, horms@kernel.org, Chenzhe,
	cenxianlong, cuirongzhen, virtualization@lists.linux.dev,
	kvm@vger.kernel.org, netdev@vger.kernel.org,
	linux-kernel@vger.kernel.org

On Mon, May 25, 2026 at 11:15:12AM +0000, malin (R) wrote:
>From 9eea4f61a4dca97f56c23e12267219bf791a20d1 Mon Sep 17 00:00:00 2001
>From: Jingguo Tan <tanjingguo@huawei.com>
>Date: Fri, 22 May 2026 19:53:45 +0800
>Subject: [PATCH net] vsock/virtio: bind uarg before filling zerocopy skb
>
>virtio_transport_send_pkt_info() allocates or reuses the zerocopy uarg
>before entering the send loop, but virtio_transport_alloc_skb() still
>fills the skb before it inherits that uarg. When fixed-buffer vectored
>zerocopy hits MAX_SKB_FRAGS, io_sg_from_iter() may partially attach
>managed frags and return -EMSGSIZE. The rollback path calls kfree_skb()
>to free an skb that carries SKBFL_MANAGED_FRAG_REFS but no uarg, so
>skb_release_data() falls through to ordinary frag unref.
>
>Pass the uarg into virtio_transport_alloc_skb() and bind it immediately
>before virtio_transport_fill_skb(). This keeps control or no-payload skbs
>untouched while ensuring success and rollback share one lifetime rule.
>
>Fixes: 581512a6dc93 ("vsock/virtio: MSG_ZEROCOPY flag support")
>Signed-off-by: Lin Ma <malin89@huawei.com>
>Signed-off-by: Rongzhen Cui <cuirongzhen@huawei.com>
>Signed-off-by: Jingguo Tan <tanjingguo@huawei.com>
>---
>
> net/vmw_vsock/virtio_transport_common.c | 11 ++++++++---
> 1 file changed, 8 insertions(+), 3 deletions(-)

Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>


