Netdev List
* [PATCH] vsock/vmci: fix sk_ack_backlog leak on failed handshake
@ 2026-05-26 10:43 Raf Dickson
  2026-06-01  9:25 ` Paolo Abeni
  0 siblings, 1 reply; 3+ messages in thread
From: Raf Dickson @ 2026-05-26 10:43 UTC (permalink / raw)
  To: netdev, virtualization, linux-kernel
  Cc: sgarzare, stefanha, bryan-bt.tan, vishnu.dasa,
	bcm-kernel-feedback-list, stable, Raf Dickson

When vmci_transport_recv_connecting_server() returns an error,
vmci_transport_recv_listen() calls vsock_remove_pending() but never
calls sk_acceptq_removed(). This leaves sk_ack_backlog incremented
permanently.

Repeated handshake failures (malformed packets, queue pair alloc
failure, event subscribe failure) cause sk_ack_backlog to climb
toward sk_max_ack_backlog. Once it reaches the limit the listener
permanently refuses all new connections with -ECONNREFUSED, a
silent denial of service requiring a process restart to recover.

The two existing sk_acceptq_removed() calls in af_vsock.c do not
cover this path: line 764 checks vsock_is_pending() which returns
false after vsock_remove_pending(), and line 1889 is only reached
on successful accept().

Fix by balancing sk_acceptq_added() with sk_acceptq_removed() on
the error path.

Fixes: d021c344051a ("VSOCK: Introduce VM Sockets")
Cc: stable@vger.kernel.org
Signed-off-by: Raf Dickson <rafdog35@gmail.com>
---
 net/vmw_vsock/vmci_transport.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/net/vmw_vsock/vmci_transport.c b/net/vmw_vsock/vmci_transport.c
index d2579380f5..88ccc55455 100644
--- a/net/vmw_vsock/vmci_transport.c
+++ b/net/vmw_vsock/vmci_transport.c
@@ -980,8 +980,10 @@ static int vmci_transport_recv_listen(struct sock *sk,
 			err = -EINVAL;
 		}
 
-		if (err < 0)
+		if (err < 0) {
 			vsock_remove_pending(sk, pending);
+			sk_acceptq_removed(sk);
+		}
 
 		release_sock(pending);
 		vmci_transport_release_pending(pending);
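Review bot: The new sk_acceptq_removed(sk) runs for every err < 0 that reaches this block, including the err = -EINVAL branch just above, so it is only correct if sk_acceptq_added(sk) has already been called for this pending socket on each of those paths. The hunk does not show that call, and if any path gets here without it the counter is decremented once too often instead of leaking. Please say in the commit message where the matching sk_acceptq_added() is, and consider a one-line comment above the new call noting that it pairs with it.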
-- 
2.54.0
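The accounting described in the commit message above, as an added example that is not part of the original post or of the kernel source: a simplified user-space C model of the backlog counter with and without the fix. `struct listener`, `handle_request()` and `good_after_failures()` are hypothetical names, and the refusal check uses `>=` to match the message's "reaches the limit".

```c
#include <stdbool.h>
#include <stdio.h>

/* Simplified model of a listening socket; not kernel code. */
struct listener {
    unsigned int ack_backlog;     /* models sk_ack_backlog */
    unsigned int max_ack_backlog; /* models sk_max_ack_backlog */
    unsigned int pending;         /* sockets on the pending list */
};

/* One connection request. Returns -1 when the listener refuses it
 * (the -ECONNREFUSED case), 0 when it was admitted. */
static int handle_request(struct listener *l, bool handshake_fails, bool fixed)
{
    if (l->ack_backlog >= l->max_ack_backlog)
        return -1;

    l->ack_backlog++;             /* models sk_acceptq_added() */
    l->pending++;

    if (handshake_fails) {
        l->pending--;             /* models vsock_remove_pending() */
        if (fixed)
            l->ack_backlog--;     /* models the added sk_acceptq_removed() */
        return 0;
    }

    /* Successful handshake followed by accept(): both are released. */
    l->pending--;
    l->ack_backlog--;
    return 0;
}

/* Run `failures` failed handshakes, then try 5 good connections and
 * return how many of those the listener still admits. */
static unsigned int good_after_failures(unsigned int max,
                                        unsigned int failures, bool fixed)
{
    struct listener l = { 0, max, 0 };
    unsigned int admitted = 0;

    for (unsigned int i = 0; i < failures; i++)
        handle_request(&l, true, fixed);
    for (unsigned int i = 0; i < 5; i++)
        admitted += (handle_request(&l, false, fixed) == 0);
    return admitted;
}

int main(void)
{
    printf("unfixed: %u of 5 admitted\n", good_after_failures(8, 8, false));
    printf("fixed:   %u of 5 admitted\n", good_after_failures(8, 8, true));
    return 0;
}
```

In the unfixed model the pending list is empty after every failure while the counter keeps its increment, which is why the refusal persists until the listener is recreated.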



* Re: [PATCH] vsock/vmci: fix sk_ack_backlog leak on failed handshake
  2026-05-26 10:43 [PATCH] vsock/vmci: fix sk_ack_backlog leak on failed handshake Raf Dickson
@ 2026-06-01  9:25 ` Paolo Abeni
  2026-06-01  9:56   ` Raf Dickson
  0 siblings, 1 reply; 3+ messages in thread
From: Paolo Abeni @ 2026-06-01  9:25 UTC (permalink / raw)
  To: Raf Dickson, netdev, virtualization, linux-kernel
  Cc: sgarzare, stefanha, bryan-bt.tan, vishnu.dasa,
	bcm-kernel-feedback-list, stable

On 5/26/26 12:43 PM, Raf Dickson wrote:
> When vmci_transport_recv_connecting_server() returns an error,
> vmci_transport_recv_listen() calls vsock_remove_pending() but never
> calls sk_acceptq_removed(). This leaves sk_ack_backlog incremented
> permanently.
> 
> Repeated handshake failures (malformed packets, queue pair alloc
> failure, event subscribe failure) cause sk_ack_backlog to climb
> toward sk_max_ack_backlog. Once it reaches the limit the listener
> permanently refuses all new connections with -ECONNREFUSED, a
> silent denial of service requiring a process restart to recover.
> 
> The two existing sk_acceptq_removed() calls in af_vsock.c do not
> cover this path: line 764 checks vsock_is_pending() which returns
> false after vsock_remove_pending(), and line 1889 is only reached
> on successful accept().
> 
> Fix by balancing sk_acceptq_added() with sk_acceptq_removed() on
> the error path.
> 
> Fixes: d021c344051a ("VSOCK: Introduce VM Sockets")
> Cc: stable@vger.kernel.org
> Signed-off-by: Raf Dickson <rafdog35@gmail.com>

Waiting for Stefano's feedback - should be back in a couple of days.

> ---
>  net/vmw_vsock/vmci_transport.c | 4 +++-
>  1 file changed, 3 insertions(+), 1 deletion(-)
> 
> diff --git a/net/vmw_vsock/vmci_transport.c b/net/vmw_vsock/vmci_transport.c
> index d2579380f5..88ccc55455 100644
> --- a/net/vmw_vsock/vmci_transport.c
> +++ b/net/vmw_vsock/vmci_transport.c
> @@ -980,8 +980,10 @@ static int vmci_transport_recv_listen(struct sock *sk,
>  			err = -EINVAL;
>  		}
>  
> -		if (err < 0)
> +		if (err < 0) {
>  			vsock_remove_pending(sk, pending);
> +			sk_acceptq_removed(sk);

I'm wondering if sk_acceptq_removed() should be bounded in
vsock_remove_pending() ? (even if that change would probably be net-next
material).

/P



> +		}
>  
>  		release_sock(pending);
>  		vmci_transport_release_pending(pending);
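Review bot: sk_acceptq_removed(sk) updates the listener's counter, while the only locking visible around the new line is on the pending socket (release_sock(pending) two lines below). Please state in the commit message which lock covers sk at this point, so it is clear the decrement cannot race with the increment on the listen path or with accept().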



* Re: [PATCH] vsock/vmci: fix sk_ack_backlog leak on failed handshake
  2026-06-01  9:25 ` Paolo Abeni
@ 2026-06-01  9:56   ` Raf Dickson
  0 siblings, 0 replies; 3+ messages in thread
From: Raf Dickson @ 2026-06-01  9:56 UTC (permalink / raw)
  To: pabeni
  Cc: sgarzare, netdev, virtualization, linux-kernel, stefanha,
	bryan-bt.tan, vishnu.dasa, bcm-kernel-feedback-list, stable

On Mon, Jun 1, 2026 at 9:26 AM Paolo Abeni wrote:
> I'm wondering if sk_acceptq_removed() should be bounded in
> vsock_remove_pending() ? (even if that change would probably be
> net-next material).

Agreed, that would prevent this class of bug entirely. Happy to prepare
a follow-up patch for net-next once this fix lands, if that would be
useful.

Raf
