From: Melbin K Mathew
To: stefanha@redhat.com, sgarzare@redhat.com
Cc: kvm@vger.kernel.org, netdev@vger.kernel.org,
    virtualization@lists.linux.dev, linux-kernel@vger.kernel.org,
    mst@redhat.com, jasowang@redhat.com, xuanzhuo@linux.alibaba.com,
    eperezma@redhat.com, davem@davemloft.net, edumazet@google.com,
    kuba@kernel.org, pabeni@redhat.com, horms@kernel.org,
    Melbin K Mathew
Subject: [PATCH net v4 1/4] vsock/virtio: fix potential underflow in virtio_transport_get_credit()
Date: Wed, 17 Dec 2025 19:12:03 +0100
Message-Id: <20251217181206.3681159-2-mlbnkm1@gmail.com>
In-Reply-To: <20251217181206.3681159-1-mlbnkm1@gmail.com>

The credit calculation in virtio_transport_get_credit() uses unsigned
arithmetic:

  ret = vvs->peer_buf_alloc - (vvs->tx_cnt - vvs->peer_fwd_cnt);

If the peer shrinks its advertised buffer (peer_buf_alloc) while bytes
are in flight, the subtraction can underflow and produce a large
positive value, potentially allowing more data to be queued than the
peer can handle.

Use s64 arithmetic for the subtraction and clamp negative results to
zero, matching the approach already used in virtio_transport_has_space().

Fixes: 06a8fc78367d ("VSOCK: Introduce virtio_vsock_common.ko")
Suggested-by: Stefano Garzarella
Signed-off-by: Melbin K Mathew
--- net/vmw_vsock/virtio_transport_common.c | 17 ++++++++++++++--- 1 file changed, 14 insertions(+), 3 deletions(-) diff --git a/net/vmw_vsock/virtio_transport_common.c b/net/vmw_vsock/virtio= _transport_common.c index dcc8a1d5851e..d692b227912d 100644 --- a/net/vmw_vsock/virtio_transport_common.c +++ b/net/vmw_vsock/virtio_transport_common.c
@@ -494,14 +494,25 @@ EXPORT_SYMBOL_GPL(virtio_transport_consume_skb_sent); u32 virtio_transport_get_credit(struct virtio_vsock_sock *vvs, u32 credit) { u32 ret; + u32 inflight; + s64 bytes; =20 if (!credit) return 0; =20 spin_lock_bh(&vvs->tx_lock); - ret =3D vvs->peer_buf_alloc - (vvs->tx_cnt - vvs->peer_fwd_cnt); - if (ret > credit) - ret =3D credit; + + /* + * Compute available space using s64 to avoid underflow if + * peer_buf_alloc < inflight bytes (can happen if peer shrinks + * its advertised buffer while data is in flight). + */ + inflight =3D vvs->tx_cnt - vvs->peer_fwd_cnt; + bytes =3D (s64)vvs->peer_buf_alloc - inflight; + if (bytes < 0) + bytes =3D 0; + + ret =3D (bytes > credit) ? credit : (u32)bytes; vvs->tx_cnt +=3D ret; vvs->bytes_unsent +=3D ret; spin_unlock_bh(&vvs->tx_lock); --=20 2.34.1
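Review bot: The new comment above the `inflight = vvs->tx_cnt - vvs->peer_fwd_cnt;` line explains the s64 widening but not that this first subtraction deliberately stays in u32 and wraps modulo 2^32 before it is widened. Because `inflight` is declared u32, a peer_fwd_cnt value ahead of tx_cnt produces a very large inflight, and the `if (bytes < 0)` clamp then yields zero credit, which is the safe direction; saying so in the comment would stop a later cleanup from widening both operands and changing that behaviour. The final `ret = (bytes > credit) ? credit : (u32)bytes;` reads more directly as `ret = min_t(s64, bytes, credit);`. Since the commit message states that this mirrors virtio_transport_has_space(), consider moving the clamped computation into one helper used by both functions so the two copies cannot drift apart.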