From: Stefano Garzarella <sgarzare@redhat.com>
To: Michal Luczaj <mhal@rbox.co>
Cc: "Michael S. Tsirkin" <mst@redhat.com>,
"Jason Wang" <jasowang@redhat.com>,
"Xuan Zhuo" <xuanzhuo@linux.alibaba.com>,
"Eugenio Pérez" <eperezma@redhat.com>,
"Stefan Hajnoczi" <stefanha@redhat.com>,
"David S. Miller" <davem@davemloft.net>,
"Eric Dumazet" <edumazet@google.com>,
"Jakub Kicinski" <kuba@kernel.org>,
"Paolo Abeni" <pabeni@redhat.com>,
"Simon Horman" <horms@kernel.org>,
"Arseniy Krasnov" <avkrasnov@salutedevices.com>,
kvm@vger.kernel.org, virtualization@lists.linux.dev,
netdev@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH net v2 2/2] vsock/test: Add test for a linear and non-linear skb getting coalesced
Date: Wed, 14 Jan 2026 11:07:53 +0100 [thread overview]
Message-ID: <aWdq75AQZv50CMPQ@sgarzare-redhat> (raw)
In-Reply-To: <20260113-vsock-recv-coalescence-v2-2-552b17837cf4@rbox.co>
On Tue, Jan 13, 2026 at 04:08:19PM +0100, Michal Luczaj wrote:
>Loopback transport can mangle data in rx queue when a linear skb is
>followed by a small MSG_ZEROCOPY packet.
>
>To exercise the logic, send out two packets: a weirdly sized one (to ensure
>some spare tail room in the skb) and a zerocopy one that's small enough to
>fit in the spare room of its predecessor. Then, wait for both to land in
>the rx queue, and check the data received. Faulty packets merger manifests
>itself by corrupting payload of the later packet.
>
>Signed-off-by: Michal Luczaj <mhal@rbox.co>
>---
> tools/testing/vsock/vsock_test.c | 5 +++
> tools/testing/vsock/vsock_test_zerocopy.c | 74 +++++++++++++++++++++++++++++++
> tools/testing/vsock/vsock_test_zerocopy.h | 3 ++
> 3 files changed, 82 insertions(+)
Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
>
>diff --git a/tools/testing/vsock/vsock_test.c b/tools/testing/vsock/vsock_test.c
>index bbe3723babdc..27e39354499a 100644
>--- a/tools/testing/vsock/vsock_test.c
>+++ b/tools/testing/vsock/vsock_test.c
>@@ -2403,6 +2403,11 @@ static struct test_case test_cases[] = {
> .run_client = test_stream_accepted_setsockopt_client,
> .run_server = test_stream_accepted_setsockopt_server,
> },
>+ {
>+ .name = "SOCK_STREAM virtio MSG_ZEROCOPY coalescence corruption",
>+ .run_client = test_stream_msgzcopy_mangle_client,
>+ .run_server = test_stream_msgzcopy_mangle_server,
>+ },
> {},
> };
>
>diff --git a/tools/testing/vsock/vsock_test_zerocopy.c b/tools/testing/vsock/vsock_test_zerocopy.c
>index 9d9a6cb9614a..a31ddfc1cd0c 100644
>--- a/tools/testing/vsock/vsock_test_zerocopy.c
>+++ b/tools/testing/vsock/vsock_test_zerocopy.c
>@@ -9,14 +9,18 @@
> #include <stdio.h>
> #include <stdlib.h>
> #include <string.h>
>+#include <sys/ioctl.h>
> #include <sys/mman.h>
> #include <unistd.h>
> #include <poll.h>
> #include <linux/errqueue.h>
> #include <linux/kernel.h>
>+#include <linux/sockios.h>
>+#include <linux/time64.h>
> #include <errno.h>
>
> #include "control.h"
>+#include "timeout.h"
> #include "vsock_test_zerocopy.h"
> #include "msg_zerocopy_common.h"
>
>@@ -356,3 +360,73 @@ void test_stream_msgzcopy_empty_errq_server(const struct test_opts *opts)
> control_expectln("DONE");
> close(fd);
> }
>+
>+#define GOOD_COPY_LEN 128 /* net/vmw_vsock/virtio_transport_common.c */
>+
>+void test_stream_msgzcopy_mangle_client(const struct test_opts *opts)
>+{
>+ char sbuf1[PAGE_SIZE + 1], sbuf2[GOOD_COPY_LEN];
>+ unsigned long hash;
>+ struct pollfd fds;
>+ int fd, i;
>+
>+ fd = vsock_stream_connect(opts->peer_cid, opts->peer_port);
>+ if (fd < 0) {
>+ perror("connect");
>+ exit(EXIT_FAILURE);
>+ }
>+
>+ enable_so_zerocopy_check(fd);
>+
>+ memset(sbuf1, 'x', sizeof(sbuf1));
>+ send_buf(fd, sbuf1, sizeof(sbuf1), 0, sizeof(sbuf1));
>+
>+ for (i = 0; i < sizeof(sbuf2); i++)
>+ sbuf2[i] = rand() & 0xff;
>+
>+ send_buf(fd, sbuf2, sizeof(sbuf2), MSG_ZEROCOPY, sizeof(sbuf2));
>+
>+ hash = hash_djb2(sbuf2, sizeof(sbuf2));
>+ control_writeulong(hash);
>+
>+ fds.fd = fd;
>+ fds.events = 0;
>+
>+ if (poll(&fds, 1, TIMEOUT * MSEC_PER_SEC) != 1 ||
>+ !(fds.revents & POLLERR)) {
>+ perror("poll");
>+ exit(EXIT_FAILURE);
>+ }
>+
>+ close(fd);
>+}
>+
>+void test_stream_msgzcopy_mangle_server(const struct test_opts *opts)
>+{
>+ unsigned long local_hash, remote_hash;
>+ char rbuf[PAGE_SIZE + 1];
>+ int fd;
>+
>+ fd = vsock_stream_accept(VMADDR_CID_ANY, opts->peer_port, NULL);
>+ if (fd < 0) {
>+ perror("accept");
>+ exit(EXIT_FAILURE);
>+ }
>+
>+ /* Wait, don't race the (buggy) skbs coalescence. */
>+ vsock_ioctl_int(fd, SIOCINQ, PAGE_SIZE + 1 + GOOD_COPY_LEN);
>+
>+ /* Discard the first packet. */
>+ recv_buf(fd, rbuf, PAGE_SIZE + 1, 0, PAGE_SIZE + 1);
>+
>+ recv_buf(fd, rbuf, GOOD_COPY_LEN, 0, GOOD_COPY_LEN);
>+ remote_hash = control_readulong();
>+ local_hash = hash_djb2(rbuf, GOOD_COPY_LEN);
>+
>+ if (local_hash != remote_hash) {
>+ fprintf(stderr, "Data received corrupted\n");
>+ exit(EXIT_FAILURE);
>+ }
>+
>+ close(fd);
>+}
>diff --git a/tools/testing/vsock/vsock_test_zerocopy.h b/tools/testing/vsock/vsock_test_zerocopy.h
>index 3ef2579e024d..d46c91a69f16 100644
>--- a/tools/testing/vsock/vsock_test_zerocopy.h
>+++ b/tools/testing/vsock/vsock_test_zerocopy.h
>@@ -12,4 +12,7 @@ void test_seqpacket_msgzcopy_server(const struct test_opts *opts);
> void test_stream_msgzcopy_empty_errq_client(const struct test_opts *opts);
> void test_stream_msgzcopy_empty_errq_server(const struct test_opts *opts);
>
>+void test_stream_msgzcopy_mangle_client(const struct test_opts *opts);
>+void test_stream_msgzcopy_mangle_server(const struct test_opts *opts);
>+
> #endif /* VSOCK_TEST_ZEROCOPY_H */
>
>--
>2.52.0
>
next prev parent reply other threads:[~2026-01-14 10:08 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-01-13 15:08 [PATCH net v2 0/2] vsock/virtio: Fix data loss/disclosure due to joining of non-linear skb Michal Luczaj
2026-01-13 15:08 ` [PATCH net v2 1/2] vsock/virtio: Coalesce only linear skb Michal Luczaj
2026-01-14 9:57 ` Stefano Garzarella
2026-01-13 15:08 ` [PATCH net v2 2/2] vsock/test: Add test for a linear and non-linear skb getting coalesced Michal Luczaj
2026-01-14 10:07 ` Stefano Garzarella [this message]
2026-01-16 3:50 ` [PATCH net v2 0/2] vsock/virtio: Fix data loss/disclosure due to joining of non-linear skb patchwork-bot+netdevbpf
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=aWdq75AQZv50CMPQ@sgarzare-redhat \
--to=sgarzare@redhat.com \
--cc=avkrasnov@salutedevices.com \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=eperezma@redhat.com \
--cc=horms@kernel.org \
--cc=jasowang@redhat.com \
--cc=kuba@kernel.org \
--cc=kvm@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mhal@rbox.co \
--cc=mst@redhat.com \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=stefanha@redhat.com \
--cc=virtualization@lists.linux.dev \
--cc=xuanzhuo@linux.alibaba.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox