* [PATCH net] vsock/virtio: fix potential unbounded skb queue
@ 2026-04-30 12:26 Eric Dumazet
2026-05-05 2:20 ` patchwork-bot+netdevbpf
2026-05-05 13:51 ` Stefano Garzarella
0 siblings, 2 replies; 6+ messages in thread
From: Eric Dumazet @ 2026-04-30 12:26 UTC (permalink / raw)
To: David S . Miller, Jakub Kicinski, Paolo Abeni
Cc: Simon Horman, netdev, eric.dumazet, Eric Dumazet, Arseniy Krasnov,
Stefan Hajnoczi, Stefano Garzarella, Michael S. Tsirkin,
Jason Wang, Xuan Zhuo, Eugenio Pérez, kvm, virtualization
virtio_transport_inc_rx_pkt() checks vvs->rx_bytes + len > vvs->buf_alloc.
virtio_transport_recv_enqueue() skips coalescing for packets
with VIRTIO_VSOCK_SEQ_EOM.
If fed with packets with len == 0 and VIRTIO_VSOCK_SEQ_EOM,
a very large number of packets can be queued
because vvs->rx_bytes stays at 0.
Fix this by estimating the skb metadata size:
(Number of skbs in the queue) * SKB_TRUESIZE(0)
Fixes: 077706165717 ("virtio/vsock: don't use skbuff state to account credit")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Arseniy Krasnov <AVKrasnov@sberdevices.ru>
Cc: Stefan Hajnoczi <stefanha@redhat.com>
Cc: Stefano Garzarella <sgarzare@redhat.com>
Cc: "Michael S. Tsirkin" <mst@redhat.com>
Cc: Jason Wang <jasowang@redhat.com>
Cc: Xuan Zhuo <xuanzhuo@linux.alibaba.com>
Cc: "Eugenio Pérez" <eperezma@redhat.com>
Cc: kvm@vger.kernel.org
Cc: virtualization@lists.linux.dev
---
net/vmw_vsock/virtio_transport_common.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/net/vmw_vsock/virtio_transport_common.c b/net/vmw_vsock/virtio_transport_common.c
index 416d533f493d7b07e9c77c43f741d28cfcd0953e..9b8014516f4fb1130ae184635fbba4dfee58bd64 100644
--- a/net/vmw_vsock/virtio_transport_common.c
+++ b/net/vmw_vsock/virtio_transport_common.c
@@ -447,7 +447,9 @@ static int virtio_transport_send_pkt_info(struct vsock_sock *vsk,
static bool virtio_transport_inc_rx_pkt(struct virtio_vsock_sock *vvs,
u32 len)
{
- if (vvs->buf_used + len > vvs->buf_alloc)
+ u64 skb_overhead = (skb_queue_len(&vvs->rx_queue) + 1) * SKB_TRUESIZE(0);
+
+ if (skb_overhead + vvs->buf_used + len > vvs->buf_alloc)
return false;
vvs->rx_bytes += len;
--
2.54.0.545.g6539524ca2-goog
^ permalink raw reply related [flat|nested] 6+ messages in thread* Re: [PATCH net] vsock/virtio: fix potential unbounded skb queue 2026-04-30 12:26 [PATCH net] vsock/virtio: fix potential unbounded skb queue Eric Dumazet @ 2026-05-05 2:20 ` patchwork-bot+netdevbpf 2026-05-05 13:51 ` Stefano Garzarella 1 sibling, 0 replies; 6+ messages in thread From: patchwork-bot+netdevbpf @ 2026-05-05 2:20 UTC (permalink / raw) To: Eric Dumazet Cc: davem, kuba, pabeni, horms, netdev, eric.dumazet, AVKrasnov, stefanha, sgarzare, mst, jasowang, xuanzhuo, eperezma, kvm, virtualization Hello: This patch was applied to netdev/net.git (main) by Jakub Kicinski <kuba@kernel.org>: On Thu, 30 Apr 2026 12:26:52 +0000 you wrote: > virtio_transport_inc_rx_pkt() checks vvs->rx_bytes + len > vvs->buf_alloc. > > virtio_transport_recv_enqueue() skips coalescing for packets > with VIRTIO_VSOCK_SEQ_EOM. > > If fed with packets with len == 0 and VIRTIO_VSOCK_SEQ_EOM, > a very large number of packets can be queued > because vvs->rx_bytes stays at 0. > > [...] Here is the summary with links: - [net] vsock/virtio: fix potential unbounded skb queue https://git.kernel.org/netdev/net/c/059b7dbd20a6 You are awesome, thank you! -- Deet-doot-dot, I am a bot. https://korg.docs.kernel.org/patchwork/pwbot.html ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH net] vsock/virtio: fix potential unbounded skb queue 2026-04-30 12:26 [PATCH net] vsock/virtio: fix potential unbounded skb queue Eric Dumazet 2026-05-05 2:20 ` patchwork-bot+netdevbpf @ 2026-05-05 13:51 ` Stefano Garzarella 2026-05-05 14:14 ` Eric Dumazet 1 sibling, 1 reply; 6+ messages in thread From: Stefano Garzarella @ 2026-05-05 13:51 UTC (permalink / raw) To: Eric Dumazet Cc: David S . Miller, Jakub Kicinski, Paolo Abeni, Simon Horman, netdev, eric.dumazet, Arseniy Krasnov, Stefan Hajnoczi, Michael S. Tsirkin, Jason Wang, Xuan Zhuo, Eugenio Pérez, kvm, virtualization On Thu, Apr 30, 2026 at 12:26:52PM +0000, Eric Dumazet wrote: >virtio_transport_inc_rx_pkt() checks vvs->rx_bytes + len > vvs->buf_alloc. > >virtio_transport_recv_enqueue() skips coalescing for packets >with VIRTIO_VSOCK_SEQ_EOM. > >If fed with packets with len == 0 and VIRTIO_VSOCK_SEQ_EOM, >a very large number of packets can be queued >because vvs->rx_bytes stays at 0. > >Fix this by estimating the skb metadata size: > > (Number of skbs in the queue) * SKB_TRUESIZE(0) > >Fixes: 077706165717 ("virtio/vsock: don't use skbuff state to account credit") >Signed-off-by: Eric Dumazet <edumazet@google.com> >Cc: Arseniy Krasnov <AVKrasnov@sberdevices.ru> >Cc: Stefan Hajnoczi <stefanha@redhat.com> >Cc: Stefano Garzarella <sgarzare@redhat.com> >Cc: "Michael S. Tsirkin" <mst@redhat.com> >Cc: Jason Wang <jasowang@redhat.com> >Cc: Xuan Zhuo <xuanzhuo@linux.alibaba.com> >Cc: "Eugenio Pérez" <eperezma@redhat.com> >Cc: kvm@vger.kernel.org >Cc: virtualization@lists.linux.dev >--- > net/vmw_vsock/virtio_transport_common.c | 4 +++- > 1 file changed, 3 insertions(+), 1 deletion(-) > >diff --git a/net/vmw_vsock/virtio_transport_common.c b/net/vmw_vsock/virtio_transport_common.c >index 416d533f493d7b07e9c77c43f741d28cfcd0953e..9b8014516f4fb1130ae184635fbba4dfee58bd64 100644 >--- a/net/vmw_vsock/virtio_transport_common.c >+++ b/net/vmw_vsock/virtio_transport_common.c >@@ -447,7 +447,9 @@ static int virtio_transport_send_pkt_info(struct vsock_sock *vsk, > static bool virtio_transport_inc_rx_pkt(struct virtio_vsock_sock *vvs, > u32 len) > { >- if (vvs->buf_used + len > vvs->buf_alloc) >+ u64 skb_overhead = (skb_queue_len(&vvs->rx_queue) + 1) * SKB_TRUESIZE(0); >+ >+ if (skb_overhead + vvs->buf_used + len > vvs->buf_alloc) > return false; I'm not sure about this fix, I mean that maybe this is incomplete. In virtio-vsock, there is a credit mechanism between the two peers: https://docs.oasis-open.org/virtio/virtio/v1.3/csd01/virtio-v1.3-csd01.html#x1-4850003 This takes only the payload into account, so it’s true that this problem exists; however, perhaps we should also inform the other peer of a lower credit balance, otherwise the other peer will believe it has much more credit than it actually does, send a large payload, and then the packet will be discarded and the data lost (there are no retransmissions, etc.). Thanks, Stefano ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH net] vsock/virtio: fix potential unbounded skb queue 2026-05-05 13:51 ` Stefano Garzarella @ 2026-05-05 14:14 ` Eric Dumazet 2026-05-05 16:11 ` Stefano Garzarella 0 siblings, 1 reply; 6+ messages in thread From: Eric Dumazet @ 2026-05-05 14:14 UTC (permalink / raw) To: Stefano Garzarella Cc: David S . Miller, Jakub Kicinski, Paolo Abeni, Simon Horman, netdev, eric.dumazet, Arseniy Krasnov, Stefan Hajnoczi, Michael S. Tsirkin, Jason Wang, Xuan Zhuo, Eugenio Pérez, kvm, virtualization On Tue, May 5, 2026 at 6:52 AM Stefano Garzarella <sgarzare@redhat.com> wrote: > > On Thu, Apr 30, 2026 at 12:26:52PM +0000, Eric Dumazet wrote: > >virtio_transport_inc_rx_pkt() checks vvs->rx_bytes + len > vvs->buf_alloc. > > > >virtio_transport_recv_enqueue() skips coalescing for packets > >with VIRTIO_VSOCK_SEQ_EOM. > > > >If fed with packets with len == 0 and VIRTIO_VSOCK_SEQ_EOM, > >a very large number of packets can be queued > >because vvs->rx_bytes stays at 0. > > > >Fix this by estimating the skb metadata size: > > > > (Number of skbs in the queue) * SKB_TRUESIZE(0) > > > >Fixes: 077706165717 ("virtio/vsock: don't use skbuff state to account credit") > >Signed-off-by: Eric Dumazet <edumazet@google.com> > >Cc: Arseniy Krasnov <AVKrasnov@sberdevices.ru> > >Cc: Stefan Hajnoczi <stefanha@redhat.com> > >Cc: Stefano Garzarella <sgarzare@redhat.com> > >Cc: "Michael S. Tsirkin" <mst@redhat.com> > >Cc: Jason Wang <jasowang@redhat.com> > >Cc: Xuan Zhuo <xuanzhuo@linux.alibaba.com> > >Cc: "Eugenio Pérez" <eperezma@redhat.com> > >Cc: kvm@vger.kernel.org > >Cc: virtualization@lists.linux.dev > >--- > > net/vmw_vsock/virtio_transport_common.c | 4 +++- > > 1 file changed, 3 insertions(+), 1 deletion(-) > > > >diff --git a/net/vmw_vsock/virtio_transport_common.c b/net/vmw_vsock/virtio_transport_common.c > >index 416d533f493d7b07e9c77c43f741d28cfcd0953e..9b8014516f4fb1130ae184635fbba4dfee58bd64 100644 > >--- a/net/vmw_vsock/virtio_transport_common.c > >+++ b/net/vmw_vsock/virtio_transport_common.c > >@@ -447,7 +447,9 @@ static int virtio_transport_send_pkt_info(struct vsock_sock *vsk, > > static bool virtio_transport_inc_rx_pkt(struct virtio_vsock_sock *vvs, > > u32 len) > > { > >- if (vvs->buf_used + len > vvs->buf_alloc) > >+ u64 skb_overhead = (skb_queue_len(&vvs->rx_queue) + 1) * SKB_TRUESIZE(0); > >+ > >+ if (skb_overhead + vvs->buf_used + len > vvs->buf_alloc) > > return false; > > I'm not sure about this fix, I mean that maybe this is incomplete. > In virtio-vsock, there is a credit mechanism between the two peers: > https://docs.oasis-open.org/virtio/virtio/v1.3/csd01/virtio-v1.3-csd01.html#x1-4850003 > > This takes only the payload into account, so it’s true that this problem > exists; however, perhaps we should also inform the other peer of a lower > credit balance, otherwise the other peer will believe it has much more > credit than it actually does, send a large payload, and then the packet > will be discarded and the data lost (there are no retransmissions, > etc.). I dunno, perhaps revert 077706165717 ("virtio/vsock: don't use skbuff state to account credit") and find a better fix then? There is always a discrepancy between skb->len and skb->truesize. You will not be able to announce a 1MB window, and accept one milliion skb of 1-byte each. This kind of contract is broken. ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH net] vsock/virtio: fix potential unbounded skb queue 2026-05-05 14:14 ` Eric Dumazet @ 2026-05-05 16:11 ` Stefano Garzarella 2026-05-05 16:37 ` Bobby Eshleman 0 siblings, 1 reply; 6+ messages in thread From: Stefano Garzarella @ 2026-05-05 16:11 UTC (permalink / raw) To: Eric Dumazet, Arseniy Krasnov, Bobby Eshleman, Stefan Hajnoczi, Michael S. Tsirkin Cc: David S . Miller, Jakub Kicinski, Paolo Abeni, Simon Horman, netdev, eric.dumazet, Arseniy Krasnov, Stefan Hajnoczi, Michael S. Tsirkin, Jason Wang, Xuan Zhuo, Eugenio Pérez, kvm, virtualization On Tue, May 05, 2026 at 07:14:36AM -0700, Eric Dumazet wrote: >On Tue, May 5, 2026 at 6:52 AM Stefano Garzarella <sgarzare@redhat.com> wrote: >> >> On Thu, Apr 30, 2026 at 12:26:52PM +0000, Eric Dumazet wrote: >> >virtio_transport_inc_rx_pkt() checks vvs->rx_bytes + len > vvs->buf_alloc. >> > >> >virtio_transport_recv_enqueue() skips coalescing for packets >> >with VIRTIO_VSOCK_SEQ_EOM. >> > >> >If fed with packets with len == 0 and VIRTIO_VSOCK_SEQ_EOM, >> >a very large number of packets can be queued >> >because vvs->rx_bytes stays at 0. >> > >> >Fix this by estimating the skb metadata size: >> > >> > (Number of skbs in the queue) * SKB_TRUESIZE(0) >> > >> >Fixes: 077706165717 ("virtio/vsock: don't use skbuff state to account credit") >> >Signed-off-by: Eric Dumazet <edumazet@google.com> >> >Cc: Arseniy Krasnov <AVKrasnov@sberdevices.ru> >> >Cc: Stefan Hajnoczi <stefanha@redhat.com> >> >Cc: Stefano Garzarella <sgarzare@redhat.com> >> >Cc: "Michael S. Tsirkin" <mst@redhat.com> >> >Cc: Jason Wang <jasowang@redhat.com> >> >Cc: Xuan Zhuo <xuanzhuo@linux.alibaba.com> >> >Cc: "Eugenio Pérez" <eperezma@redhat.com> >> >Cc: kvm@vger.kernel.org >> >Cc: virtualization@lists.linux.dev >> >--- >> > net/vmw_vsock/virtio_transport_common.c | 4 +++- >> > 1 file changed, 3 insertions(+), 1 deletion(-) >> > >> >diff --git a/net/vmw_vsock/virtio_transport_common.c b/net/vmw_vsock/virtio_transport_common.c >> >index 416d533f493d7b07e9c77c43f741d28cfcd0953e..9b8014516f4fb1130ae184635fbba4dfee58bd64 100644 >> >--- a/net/vmw_vsock/virtio_transport_common.c >> >+++ b/net/vmw_vsock/virtio_transport_common.c >> >@@ -447,7 +447,9 @@ static int virtio_transport_send_pkt_info(struct vsock_sock *vsk, >> > static bool virtio_transport_inc_rx_pkt(struct virtio_vsock_sock *vvs, >> > u32 len) >> > { >> >- if (vvs->buf_used + len > vvs->buf_alloc) >> >+ u64 skb_overhead = (skb_queue_len(&vvs->rx_queue) + 1) * SKB_TRUESIZE(0); >> >+ >> >+ if (skb_overhead + vvs->buf_used + len > vvs->buf_alloc) >> > return false; >> >> I'm not sure about this fix, I mean that maybe this is incomplete. >> In virtio-vsock, there is a credit mechanism between the two peers: >> https://docs.oasis-open.org/virtio/virtio/v1.3/csd01/virtio-v1.3-csd01.html#x1-4850003 >> >> This takes only the payload into account, so it’s true that this problem >> exists; however, perhaps we should also inform the other peer of a lower >> credit balance, otherwise the other peer will believe it has much more >> credit than it actually does, send a large payload, and then the packet >> will be discarded and the data lost (there are no retransmissions, >> etc.). > >I dunno, perhaps revert 077706165717 ("virtio/vsock: don't use skbuff >state to account credit") >and find a better fix then? IIRC the same issue was there before the commit fixed by that one (commit 71dc9ec9ac7d ("virtio/vsock: replace virtio_vsock_pkt with sk_buff")), so not sure about reverting it TBH. CCing Arseniy and Bobby. > >There is always a discrepancy between skb->len and skb->truesize. >You will not be able to announce a 1MB window, and accept one milliion >skb of 1-byte each. > >This kind of contract is broken. > Yep, I agree, but before we start discarding data (and losing it), IMHO we should at least inform the other peer that we're out of space. @Stefan, @Michael, do you think we can do something in the spec to avoid this issue and in some way take into account also the metadata in the credit. I mean to avoid the 1-byte packets flooding. Thanks, Stefano ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH net] vsock/virtio: fix potential unbounded skb queue 2026-05-05 16:11 ` Stefano Garzarella @ 2026-05-05 16:37 ` Bobby Eshleman 0 siblings, 0 replies; 6+ messages in thread From: Bobby Eshleman @ 2026-05-05 16:37 UTC (permalink / raw) To: Stefano Garzarella Cc: Eric Dumazet, Arseniy Krasnov, Bobby Eshleman, Stefan Hajnoczi, Michael S. Tsirkin, David S . Miller, Jakub Kicinski, Paolo Abeni, Simon Horman, netdev, eric.dumazet, Arseniy Krasnov, Jason Wang, Xuan Zhuo, Eugenio Pérez, kvm, virtualization On Tue, May 05, 2026 at 06:11:13PM +0200, Stefano Garzarella wrote: > On Tue, May 05, 2026 at 07:14:36AM -0700, Eric Dumazet wrote: > > On Tue, May 5, 2026 at 6:52 AM Stefano Garzarella <sgarzare@redhat.com> wrote: > > > > > > On Thu, Apr 30, 2026 at 12:26:52PM +0000, Eric Dumazet wrote: > > > >virtio_transport_inc_rx_pkt() checks vvs->rx_bytes + len > vvs->buf_alloc. > > > > > > > >virtio_transport_recv_enqueue() skips coalescing for packets > > > >with VIRTIO_VSOCK_SEQ_EOM. > > > > > > > >If fed with packets with len == 0 and VIRTIO_VSOCK_SEQ_EOM, > > > >a very large number of packets can be queued > > > >because vvs->rx_bytes stays at 0. > > > > > > > >Fix this by estimating the skb metadata size: > > > > > > > > (Number of skbs in the queue) * SKB_TRUESIZE(0) > > > > > > > >Fixes: 077706165717 ("virtio/vsock: don't use skbuff state to account credit") > > > >Signed-off-by: Eric Dumazet <edumazet@google.com> > > > >Cc: Arseniy Krasnov <AVKrasnov@sberdevices.ru> > > > >Cc: Stefan Hajnoczi <stefanha@redhat.com> > > > >Cc: Stefano Garzarella <sgarzare@redhat.com> > > > >Cc: "Michael S. Tsirkin" <mst@redhat.com> > > > >Cc: Jason Wang <jasowang@redhat.com> > > > >Cc: Xuan Zhuo <xuanzhuo@linux.alibaba.com> > > > >Cc: "Eugenio Pérez" <eperezma@redhat.com> > > > >Cc: kvm@vger.kernel.org > > > >Cc: virtualization@lists.linux.dev > > > >--- > > > > net/vmw_vsock/virtio_transport_common.c | 4 +++- > > > > 1 file changed, 3 insertions(+), 1 deletion(-) > > > > > > > >diff --git a/net/vmw_vsock/virtio_transport_common.c b/net/vmw_vsock/virtio_transport_common.c > > > >index 416d533f493d7b07e9c77c43f741d28cfcd0953e..9b8014516f4fb1130ae184635fbba4dfee58bd64 100644 > > > >--- a/net/vmw_vsock/virtio_transport_common.c > > > >+++ b/net/vmw_vsock/virtio_transport_common.c > > > >@@ -447,7 +447,9 @@ static int virtio_transport_send_pkt_info(struct vsock_sock *vsk, > > > > static bool virtio_transport_inc_rx_pkt(struct virtio_vsock_sock *vvs, > > > > u32 len) > > > > { > > > >- if (vvs->buf_used + len > vvs->buf_alloc) > > > >+ u64 skb_overhead = (skb_queue_len(&vvs->rx_queue) + 1) * SKB_TRUESIZE(0); > > > >+ > > > >+ if (skb_overhead + vvs->buf_used + len > vvs->buf_alloc) > > > > return false; > > > > > > I'm not sure about this fix, I mean that maybe this is incomplete. > > > In virtio-vsock, there is a credit mechanism between the two peers: > > > https://docs.oasis-open.org/virtio/virtio/v1.3/csd01/virtio-v1.3-csd01.html#x1-4850003 > > > > > > This takes only the payload into account, so it’s true that this problem > > > exists; however, perhaps we should also inform the other peer of a lower > > > credit balance, otherwise the other peer will believe it has much more > > > credit than it actually does, send a large payload, and then the packet > > > will be discarded and the data lost (there are no retransmissions, > > > etc.). > > > > I dunno, perhaps revert 077706165717 ("virtio/vsock: don't use skbuff > > state to account credit") > > and find a better fix then? > > IIRC the same issue was there before the commit fixed by that one (commit > 71dc9ec9ac7d ("virtio/vsock: replace virtio_vsock_pkt with sk_buff")), so > not sure about reverting it TBH. > > CCing Arseniy and Bobby. > > > > > There is always a discrepancy between skb->len and skb->truesize. > > You will not be able to announce a 1MB window, and accept one milliion > > skb of 1-byte each. > > > > This kind of contract is broken. > > > > Yep, I agree, but before we start discarding data (and losing it), IMHO we > should at least inform the other peer that we're out of space. > > @Stefan, @Michael, do you think we can do something in the spec to avoid > this issue and in some way take into account also the metadata in the > credit. I mean to avoid the 1-byte packets flooding. > > Thanks, > Stefano > > Indeed the old pre-fix skb code would have the same issue. I can't think of any way around this without extending the spec. Best, Bobby ^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2026-05-05 16:37 UTC | newest] Thread overview: 6+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2026-04-30 12:26 [PATCH net] vsock/virtio: fix potential unbounded skb queue Eric Dumazet 2026-05-05 2:20 ` patchwork-bot+netdevbpf 2026-05-05 13:51 ` Stefano Garzarella 2026-05-05 14:14 ` Eric Dumazet 2026-05-05 16:11 ` Stefano Garzarella 2026-05-05 16:37 ` Bobby Eshleman
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox