From nobody Sun Dec 14 06:34:29 2025 Received: from mail-lf1-f50.google.com (mail-lf1-f50.google.com [209.85.167.50]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 5D2212139CE for ; Wed, 10 Dec 2025 13:33:24 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.167.50 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1765373606; cv=none; b=A6T4nR28jG/r7lUWTWqyI02M8wZemjFIn54WLDJ5z6dEDis9eFEmaS3TIgARzyxOtX841N7GRoA4imwcp2W4VKKp9Pr8otPm29bcmLs7DRMPP/SgAccV97DkXfEM2Jozy2GbmvJVwZ2zDA6N/L1MumbLNoZY8olTg5q2acKYbGE= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1765373606; c=relaxed/simple; bh=0wLH31HDwfSTe/1EuiWHtYsukRblUE1QRCxb3uKciDA=; h=From:To:Cc:Subject:Date:Message-Id:MIME-Version; b=pRiIoX7R8gfbMq3m6YZ3jXOS7LTmCIPLLWYEAdRbF6Rn0+nUscMUvgGuHlbFUwLDGoD4v9X8xAB5/4RSKPlqCcSjlkLieF4p5N4WpV3nELe71Snr66mKvhg1zuG27Mt95d6EwlOIVpfHKkNzIBbRG+GRN1ngLzwpOmXrSl8F9Jo= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=PiVVUu75; arc=none smtp.client-ip=209.85.167.50 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="PiVVUu75" Received: by mail-lf1-f50.google.com with SMTP id 2adb3069b0e04-594330147efso7557481e87.2 for ; Wed, 10 Dec 2025 05:33:24 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1765373602; x=1765978402; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:from:to:cc:subject:date:message-id:reply-to; bh=oD5ipYc8BirTwTUNyp9GQ08Nz/lO30YuP7q1nZr2KbU=; b=PiVVUu75bWCXiK4djEq6YzAIZ8Q2amFfFDi/kFoeq4EtsLT7j08dTo71s1+DR3SxyP o9K7U4zmpwbxhoUcHq/e0sGrjkoQ3PIbCugVdKqv8gMoaNDFyivxszgAEoHc+zql1tp3 Y/n7+c0HNrku/xie9Z3hEAY2tHu/ySqcN3NCW7RNC23bfxRndrHJ3ESe8t9wg6wgfoHX G7YoSQ1gYgLUHpf6ZZQ7Vup73obRTEBYazzkNw8fSZQpbYN4FdQ34FXZgraDeI8440cZ J05chF8bw5oakZnDfayE8Xa8hI/5TJt54hgyyjKNuGVMywoB561xCW6YXKzgMmEDgTrn EgnA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1765373602; x=1765978402; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:x-gm-gg:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=oD5ipYc8BirTwTUNyp9GQ08Nz/lO30YuP7q1nZr2KbU=; b=kDAD8goYnKy5KefUdhqFPpERdLHzPuGtR+0jFlwW6lv4v7kqdVpSJjmwvbULpzxqG7 M4XLSf51rHHG29mXo/6v+GesM8+x40JnEn4NrvWVkGiMU9SkTvwXDzSEosHJmxvCH0dU EhDDzoMAboNMmhTE2N280sL6d1PX4XteoH8LOR4+4zTc9CIBdENOsxvkazeBaPv0eApk ZTmrU2oRIHhC5W4MTnIlOhXzx9AgBzHFe2WI6LZ2YS6MFSNzoaY8X3vWzXUHqTQ+CYWB a1w2L+uiwxMSuAUkgekmNLAtTL7HjYWvOWhIcgSCylTBLwVCWJ0rjJCWO+MQZKusSq4q +qnQ== X-Forwarded-Encrypted: i=1; AJvYcCUx0fRf1hyb10AQeew9inIvEUOlMFeiMFca06EJCcBijlKiTorWS3wqIrLQa9WclYnctaNcCjgZ/kOZyNY=@vger.kernel.org X-Gm-Message-State: AOJu0Yy1nPOIW9YU77vLtlb9pGtxDsvL94qeqTccMC+Syna+hpqYI6mh F/Yks4y45XGKmLYnjts6PQLXQP6zmCqDqyXI3VoQKhh8pfJgYYG1Wy6T X-Gm-Gg: AY/fxX79fdNfUO86Sj/ck6pTor/LwA+6Ye+FFYTJm5VnJSMrm8xAAxCV6/d0DYu8koZ tfX7kop6NL+swgcTQYvieRDwCr8mjDAxE6GKxP928UbsgqWzK+yCr+2z4/7HkT/ymOVUQg0HWRk ZgQBeKXBI9gi6dLhOPWfgUU4aJATDZccmhCRpSgtSNFsiqHcnFG2hjv6CaZYbE3Vj0YHH5a8KSB HtfN6BTgFMtn3FdRh5THFYlEmU7YVE8M4LXjZr43FMUGFAJjnbgdFZI3EnoDJlLSyLhrH04Azgv b5Ghgkg7uVB4Y/lr4GcwIbVPaDC1c+PeyF5KBKBKlnN0f0Yd4OtJAHpvC8hMsNgp+982xBpauPm Afdz+PrL+pmy0jF6lEioirOiw7LM2Z0PY6r418YVxWcxjiYxMsS+i+z3rvlTFGwLh33X7GwrmZ5 PrFkJ3L8Ka9PI= X-Google-Smtp-Source: AGHT+IGuUo6ZoxmOLPJELy4E+MQsRaQCeY8UlKN8xDwSV5aN/WHR1k1qW9H8XravEGuc7+/9yStW0A== X-Received: by 2002:a05:6512:3d8c:b0:595:9d90:5dc6 with SMTP id 2adb3069b0e04-598ee4e6446mr990906e87.19.1765373602129; Wed, 10 Dec 2025 05:33:22 -0800 (PST) Received: from Ubuntu-2204-jammy-amd64-base.. ([2a01:4f9:6a:4e9f::2]) by smtp.gmail.com with ESMTPSA id 2adb3069b0e04-597d7c1e2acsm6473621e87.61.2025.12.10.05.33.20 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 10 Dec 2025 05:33:21 -0800 (PST) From: Melbin K Mathew To: netdev@vger.kernel.org Cc: virtualization@lists.linux.dev, linux-kernel@vger.kernel.org, sgarzare@redhat.com, stefanha@redhat.com, mst@redhat.com, jasowang@redhat.com, Melbin K Mathew Subject: [PATCH net] vsock/virtio: cap TX credit to local buffer size Date: Wed, 10 Dec 2025 14:32:59 +0100 Message-Id: <20251210133259.16238-1-mlbnkm1@gmail.com> X-Mailer: git-send-email 2.34.1 Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" The virtio vsock transport currently derives its TX credit directly from peer_buf_alloc, which is set from the remote endpoint's SO_VM_SOCKETS_BUFFER_SIZE value. On the host side this means that the amount of data we are willing to queue for a connection is scaled by a guest-chosen buffer size, rather than the host's own vsock configuration. A malicious guest can advertise a large buffer and read slowly, causing the host to allocate a correspondingly large amount of sk_buff memory. Introduce a small helper, virtio_transport_peer_buf_alloc(), that returns min(peer_buf_alloc, buf_alloc), and use it wherever we consume peer_buf_alloc: - virtio_transport_get_credit() - virtio_transport_has_space() - virtio_transport_seqpacket_enqueue() This ensures the effective TX window is bounded by both the peer's advertised buffer and our own buf_alloc (already clamped to buffer_max_size via SO_VM_SOCKETS_BUFFER_MAX_SIZE), so a remote guest cannot force the host to queue more data than allowed by the host's own vsock settings. On an unpatched Ubuntu 22.04 host (~64 GiB RAM), running a PoC with 32 guest vsock connections advertising 2 GiB each and reading slowly drove Slab/SUnreclaim from ~0.5 GiB to ~57 GiB and the system only recovered after killing the QEMU process. With this patch applied, rerunning the same PoC yields: Before: MemFree: ~61.6 GiB MemAvailable: ~62.3 GiB Slab: ~142 MiB SUnreclaim: ~117 MiB After 32 high-credit connections: MemFree: ~61.5 GiB MemAvailable: ~62.3 GiB Slab: ~178 MiB SUnreclaim: ~152 MiB i.e. only ~35 MiB increase in Slab/SUnreclaim, no host OOM, and the guest remains responsive. Fixes: d021c344051a ("VSOCK: Introduce VM Sockets") Reported-by: Melbin K Mathew Signed-off-by: Melbin K Mathew --- net/vmw_vsock/virtio_transport_common.c | 27 ++++++++++++++++++++++--- 1 file changed, 24 insertions(+), 3 deletions(-) diff --git a/net/vmw_vsock/virtio_transport_common.c b/net/vmw_vsock/virtio= _transport_common.c index dcc8a1d58..f5afedf01 100644 --- a/net/vmw_vsock/virtio_transport_common.c +++ b/net/vmw_vsock/virtio_transport_common.c @@ -491,6 +491,25 @@ void virtio_transport_consume_skb_sent(struct sk_buff = *skb, bool consume) } EXPORT_SYMBOL_GPL(virtio_transport_consume_skb_sent); =20 +/* + * Return the effective peer buffer size for TX credit computation. + * + * The peer advertises its receive buffer via peer_buf_alloc, but we + * cap that to our local buf_alloc (derived from + * SO_VM_SOCKETS_BUFFER_SIZE and already clamped to buffer_max_size) + * so that a remote endpoint cannot force us to queue more data than + * our own configuration allows. + */ +static u32 virtio_transport_peer_buf_alloc(struct virtio_vsock_sock *vvs) +{ + u32 peer =3D vvs->peer_buf_alloc; + u32 local =3D vvs->buf_alloc; + + if (peer > local) + return local; + return peer; +} + u32 virtio_transport_get_credit(struct virtio_vsock_sock *vvs, u32 credit) { u32 ret; @@ -499,7 +518,8 @@ u32 virtio_transport_get_credit(struct virtio_vsock_soc= k *vvs, u32 credit) return 0; =20 spin_lock_bh(&vvs->tx_lock); - ret =3D vvs->peer_buf_alloc - (vvs->tx_cnt - vvs->peer_fwd_cnt); + ret =3D virtio_transport_peer_buf_alloc(vvs) - + (vvs->tx_cnt - vvs->peer_fwd_cnt); if (ret > credit) ret =3D credit; vvs->tx_cnt +=3D ret; @@ -831,7 +851,7 @@ virtio_transport_seqpacket_enqueue(struct vsock_sock *v= sk, =20 spin_lock_bh(&vvs->tx_lock); =20 - if (len > vvs->peer_buf_alloc) { + if (len > virtio_transport_peer_buf_alloc(vvs)) { spin_unlock_bh(&vvs->tx_lock); return -EMSGSIZE; } @@ -882,7 +902,8 @@ static s64 virtio_transport_has_space(struct vsock_sock= *vsk) struct virtio_vsock_sock *vvs =3D vsk->trans; s64 bytes; =20 - bytes =3D (s64)vvs->peer_buf_alloc - (vvs->tx_cnt - vvs->peer_fwd_cnt); + bytes =3D (s64)virtio_transport_peer_buf_alloc(vvs) - + (vvs->tx_cnt - vvs->peer_fwd_cnt); if (bytes < 0) bytes =3D 0; =20 --=20 2.34.1