From: Michal Luczaj
Date: Thu, 08 Jan 2026 10:54:54 +0100
Subject: [PATCH 1/2] vsock/virtio: Coalesce only linear skb
Message-Id: <20260108-vsock-recv-coalescence-v1-1-26f97bb9a99b@rbox.co>
References: <20260108-vsock-recv-coalescence-v1-0-26f97bb9a99b@rbox.co>
In-Reply-To: <20260108-vsock-recv-coalescence-v1-0-26f97bb9a99b@rbox.co>
To: "Michael S. Tsirkin", Jason Wang, Xuan Zhuo, Eugenio Pérez, Stefan Hajnoczi, Stefano Garzarella, "David S. Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni, Simon Horman, Arseniy Krasnov
Cc: kvm@vger.kernel.org, virtualization@lists.linux.dev, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, Michal Luczaj

Vsock/virtio common tries to coalesce buffers in rx queue: if a linear skb (with a spare tail room) is followed by a small skb (length limited by GOOD_COPY_LEN = 128), an attempt is made to join them.

Since the introduction of MSG_ZEROCOPY support, the assumption that a small skb will always be linear is incorrect (see loopback transport). In the zerocopy case, data is lost and the linear skb is appended with uninitialized kernel memory.

Ensure only linear skbs are coalesced. Note that skb_tailroom(last_skb) > 0 guarantees last_skb is linear.

Fixes: 581512a6dc93 ("vsock/virtio: MSG_ZEROCOPY flag support")
Signed-off-by: Michal Luczaj
---
 net/vmw_vsock/virtio_transport_common.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/net/vmw_vsock/virtio_transport_common.c b/net/vmw_vsock/virtio= _transport_common.c index dcc8a1d5851e..cf35eb7190cc 100644 --- a/net/vmw_vsock/virtio_transport_common.c +++ b/net/vmw_vsock/virtio_transport_common.c 
@@ -1375,7 +1375,8 @@ virtio_transport_recv_enqueue(struct vsock_sock *vsk, * of a new message. */ if (skb->len < skb_tailroom(last_skb) && - !(le32_to_cpu(last_hdr->flags) & VIRTIO_VSOCK_SEQ_EOM)) { + !(le32_to_cpu(last_hdr->flags) & VIRTIO_VSOCK_SEQ_EOM) && + !skb_is_nonlinear(skb)) { memcpy(skb_put(last_skb, skb->len), skb->data, skb->len); free_pkt =3D true; last_hdr->flags |=3D hdr->flags; --=20 2.52.0
From: Michal Luczaj
Date: Thu, 08 Jan 2026 10:54:55 +0100
Subject: [PATCH 2/2] vsock/test: Add test for a linear and non-linear skb getting coalesced
Message-Id: <20260108-vsock-recv-coalescence-v1-2-26f97bb9a99b@rbox.co>
References: <20260108-vsock-recv-coalescence-v1-0-26f97bb9a99b@rbox.co>
In-Reply-To: <20260108-vsock-recv-coalescence-v1-0-26f97bb9a99b@rbox.co>
To: "Michael S. Tsirkin", Jason Wang, Xuan Zhuo, Eugenio Pérez, Stefan Hajnoczi, Stefano Garzarella, "David S. Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni, Simon Horman, Arseniy Krasnov
Cc: kvm@vger.kernel.org, virtualization@lists.linux.dev, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, Michal Luczaj

Loopback transport can mangle data in rx queue when a linear skb is followed by a small MSG_ZEROCOPY packet.

Signed-off-by: Michal Luczaj
---
 tools/testing/vsock/vsock_test.c          |  5 +++
 tools/testing/vsock/vsock_test_zerocopy.c | 67 +++++++++++++++++++++++++++++++
 tools/testing/vsock/vsock_test_zerocopy.h |  3 ++
 3 files changed, 75 insertions(+)

diff --git a/tools/testing/vsock/vsock_test.c b/tools/testing/vsock/vsock_t= est.c index bbe3723babdc..21c8616100f1 100644 --- a/tools/testing/vsock/vsock_test.c +++ b/tools/testing/vsock/vsock_test.c @@ -2403,6 +2403,11 @@ static struct test_case test_cases[] =3D { .run_client =3D test_stream_accepted_setsockopt_client, .run_server =3D test_stream_accepted_setsockopt_server, }, + { + .name =3D "SOCK_STREAM MSG_ZEROCOPY coalescence corruption", + .run_client =3D test_stream_msgzcopy_mangle_client, + .run_server =3D test_stream_msgzcopy_mangle_server, + }, {}, }; =20 
diff --git a/tools/testing/vsock/vsock_test_zerocopy.c b/tools/testing/vsoc= k/vsock_test_zerocopy.c index 9d9a6cb9614a..6735a9d7525d 100644 --- a/tools/testing/vsock/vsock_test_zerocopy.c +++ b/tools/testing/vsock/vsock_test_zerocopy.c @@ -9,11 +9,13 @@ #include #include #include +#include #include #include #include #include #include +#include #include =20 #include "control.h" 
@@ -356,3 +358,68 @@ void test_stream_msgzcopy_empty_errq_server(const stru= ct test_opts *opts) control_expectln("DONE"); close(fd); } + +#define GOOD_COPY_LEN 128 /* net/vmw_vsock/virtio_transport_common.c */ + +void test_stream_msgzcopy_mangle_client(const struct test_opts *opts) +{ + char sbuf1[PAGE_SIZE + 1], sbuf2[GOOD_COPY_LEN]; + struct pollfd fds; + int fd; + + fd =3D vsock_stream_connect(opts->peer_cid, opts->peer_port); + if (fd < 0) { + perror("connect"); + exit(EXIT_FAILURE); + } + + enable_so_zerocopy_check(fd); + + memset(sbuf1, '1', sizeof(sbuf1)); + memset(sbuf2, '2', sizeof(sbuf2)); + + send_buf(fd, sbuf1, sizeof(sbuf1), 0, sizeof(sbuf1)); + send_buf(fd, sbuf2, sizeof(sbuf2), MSG_ZEROCOPY, sizeof(sbuf2)); + + fds.fd =3D fd; + fds.events =3D 0; + + if (poll(&fds, 1, -1) !=3D 1 || !(fds.revents & POLLERR)) { + perror("poll"); + exit(EXIT_FAILURE); + } + + close(fd); +} + +static void recv_verify(int fd, char *buf, unsigned int len, char pattern) +{ + recv_buf(fd, buf, len, 0, len); + + while (len--) { + if (*buf++ !=3D pattern) { + fprintf(stderr, "Incorrect data received\n"); + exit(EXIT_FAILURE); + } + } +} + +void test_stream_msgzcopy_mangle_server(const struct test_opts *opts) +{ + char rbuf[PAGE_SIZE + 1]; + int fd; + + fd =3D vsock_stream_accept(VMADDR_CID_ANY, opts->peer_port, NULL); + if (fd < 0) { + perror("accept"); + exit(EXIT_FAILURE); + } + + /* Wait, don't race the (buggy) skbs coalescence. */ + vsock_ioctl_int(fd, SIOCINQ, PAGE_SIZE + 1 + GOOD_COPY_LEN); + + recv_verify(fd, rbuf, PAGE_SIZE + 1, '1'); + recv_verify(fd, rbuf, GOOD_COPY_LEN, '2'); + + close(fd); +} diff --git a/tools/testing/vsock/vsock_test_zerocopy.h b/tools/testing/vsoc= k/vsock_test_zerocopy.h index 3ef2579e024d..d46c91a69f16 100644 --- a/tools/testing/vsock/vsock_test_zerocopy.h +++ b/tools/testing/vsock/vsock_test_zerocopy.h 
@@ -12,4 +12,7 @@ void test_seqpacket_msgzcopy_server(const struct test_opt= s *opts); void test_stream_msgzcopy_empty_errq_client(const struct test_opts *opts); void test_stream_msgzcopy_empty_errq_server(const struct test_opts *opts); =20 +void test_stream_msgzcopy_mangle_client(const struct test_opts *opts); +void test_stream_msgzcopy_mangle_server(const struct test_opts *opts); + #endif /* VSOCK_TEST_ZEROCOPY_H */ --=20 2.52.0
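
Review bot: In virtio_transport_recv_enqueue() (net/vmw_vsock/virtio_transport_common.c, patch 1/2), the comment block above the condition is left unchanged, so the code itself gives no reason for the new !skb_is_nonlinear(skb) term or for why last_skb needs no matching check. The commit message has both facts: the memcpy() reads from skb->data, which is only valid for the whole payload when skb is linear, and skb_tailroom(last_skb) > 0 already implies last_skb is linear. Suggest adding one or two lines to that comment saying so, so that the asymmetry between the two skbs is not "corrected" later by someone adding or dropping a check.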
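
Review bot: In test_stream_msgzcopy_mangle_client() (tools/testing/vsock/vsock_test_zerocopy.c, patch 2/2), the check `if (poll(&fds, 1, -1) != 1 || !(fds.revents & POLLERR))` reports both failure cases through perror("poll"), but when poll() returns 1 without POLLERR set, errno was not set by poll() and the printed message is misleading. Suggest splitting the two cases and using a plain fprintf(stderr, ...) for the missing POLLERR. In the same hunk, GOOD_COPY_LEN is redefined locally as 128, and the sizes PAGE_SIZE + 1 and GOOD_COPY_LEN carry no comment on why they yield a linear skb with tail room followed by a small non-linear one; a short comment would show what to update if the kernel-side constant changes.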