From nobody Mon Feb  9 12:24:09 2026
Received: from us-smtp-delivery-124.mimecast.com
 (us-smtp-delivery-124.mimecast.com [170.10.129.124])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id B83A447ECFD
	for <linux-kernel@vger.kernel.org>; Wed, 21 Jan 2026 09:36:55 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=170.10.129.124
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1768988217; cv=none;
 b=J8yf5pcVcBQLfU8R2w8V6cd+Z92XGCs1EZl39u2tAZXaLMqe9h81FTSRDgQaSdEz6f32FZrrEShQdMuiLJxjlsCo0ofRZvSQGXYTPQZViqtGgZa55OHZaONu6xpmzMK7uHEf/7/O5S8KMQPCQoQlsk71rZBXwM3n7YDDvvccs5E=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1768988217; c=relaxed/simple;
	bh=iqmFsw95eeMyB4kgugRjX3QYRWWCtwCFA+YNnFmxnAA=;
	h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References:
	 MIME-Version;
 b=rXOoNqMPYuNLG7T1RYHmU94l9gOMTDfS7sT1cnX3+VYw7wfdOa3BAUJeklSHaX7qsYFrKuyNMNpmzgKtIw6Umi63wIRnlYL1Z1YwHRYRLhm4VEI3j6+JJWFtJdWusfB+gpkYLadwPV13ZuTbFJCyh8anqbhxjT066Vjg8A9xruc=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 dmarc=pass (p=quarantine dis=none) header.from=redhat.com;
 spf=pass smtp.mailfrom=redhat.com;
 dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com
 header.b=OtY1ZNLQ;
 dkim=pass (2048-bit key) header.d=redhat.com header.i=@redhat.com
 header.b=FzR05uDB; arc=none smtp.client-ip=170.10.129.124
Authentication-Results: smtp.subspace.kernel.org;
 dmarc=pass (p=quarantine dis=none) header.from=redhat.com
Authentication-Results: smtp.subspace.kernel.org;
 spf=pass smtp.mailfrom=redhat.com
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com
 header.b="OtY1ZNLQ";
	dkim=pass (2048-bit key) header.d=redhat.com header.i=@redhat.com
 header.b="FzR05uDB"
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;
	s=mimecast20190719; t=1768988214;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:cc:mime-version:mime-version:
	 content-transfer-encoding:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references;
	bh=oY0QgHfuK6okHlFI9jmjaQHqyNLbsKWPmz3mcrgnNlQ=;
	b=OtY1ZNLQBBEdU30oRTA3LwuHxDedgYfOqsOG7TPpIe7+KcAkoHFUoTdCcTO2hxTY/hOuMd
	iGNX4qInagzOn7o/pKsRf7v8zNgWiU+Hi7K2IsAOacNq5TY6lrkGFUuzxx/+n40/R/kBPB
	y7CRYOALXkjVM9F+hktQAQI91lPLBSc=
Received: from mail-wm1-f71.google.com (mail-wm1-f71.google.com
 [209.85.128.71]) by relay.mimecast.com with ESMTP with STARTTLS
 (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id
 us-mta-333-kTrKa5A2MDerH6uHphwjlQ-1; Wed, 21 Jan 2026 04:36:53 -0500
X-MC-Unique: kTrKa5A2MDerH6uHphwjlQ-1
X-Mimecast-MFC-AGG-ID: kTrKa5A2MDerH6uHphwjlQ_1768988212
Received: by mail-wm1-f71.google.com with SMTP id
 5b1f17b1804b1-47d62cc05daso45337505e9.3
        for <linux-kernel@vger.kernel.org>;
 Wed, 21 Jan 2026 01:36:53 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=redhat.com; s=google; t=1768988212; x=1769593012;
 darn=vger.kernel.org;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:from:to:cc:subject:date
         :message-id:reply-to;
        bh=oY0QgHfuK6okHlFI9jmjaQHqyNLbsKWPmz3mcrgnNlQ=;
        b=FzR05uDBvIXq1WDhCXg78+pEa4s3hjNWJ2V+XKISAWwz2mczGgP/SRiSxQidAAlQgf
         urh3qqqL5BOYF1eVOOkTsmL5PoTdOWLTulsL/axJKiKO7xrthCgTUsVdYXMTiHlp7W+p
         tLDEyoiJwf3RzKru26+ezctULqO1JyGVNoeKnu+AE0BdCTmFzm3hB3qrZve9Q3qt+cIk
         08KWjMxEUav5ARG7soUu6lsfNVF9guO4NeQuzKosmRTh5IQTcXzq4g7qJCZaSDyDOvwU
         UHX6P7roIm/R7FNHg2OfZW9Lpv8DAC6G3BJb/9E8we/zDwHjl98qAmikOj146+tFzcLB
         1EDA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1768988212; x=1769593012;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:x-gm-gg:x-gm-message-state:from
         :to:cc:subject:date:message-id:reply-to;
        bh=oY0QgHfuK6okHlFI9jmjaQHqyNLbsKWPmz3mcrgnNlQ=;
        b=j4+9wTrhKrmQi1bhVIzjU/m/pXwdAS3wQt2xaz7O0jEh+7uVdEYrwPi7dwferqA1A6
         QR4FN/BUbrElCA/KHbD0n8Hp7sgHTu/beYLVvHLua8yOoAHA0r2kjmneV9zj0TRrhwTc
         spUe8g4VRsamapi61ne7r0Uuo59dHQFBAVuIiDUk6WsiQX0hXSqDh+ZWDNRzdVRwcZ28
         iGZlb3x/8IIWSmI8GId5QVBoLgYkGs0yXUj19Vf8UEcJ4vZOJnTrEqNAnbSHtVEzu2uv
         MsPjBbFzksMAJrlrhEMIf/E/G2FLQcwAnzSFgKIlhDwFT91SgnJZZ2ScyuncajXdY8xs
         pTmg==
X-Forwarded-Encrypted: i=1;
 AJvYcCWajUURLUJl2qdBs5pajv90PQyH8+rhl8ML2ClMkyr6qBqW7QSm0i533Re5S9f5YOjyP7m1hOicwxMKpfw=@vger.kernel.org
X-Gm-Message-State: AOJu0YzOKG+v80RNDk6JfgM2jizq2A9FxpY9sU6IjWKRdHRr6dETMxg+
	go34G0xcyrjjNHN6yMEqSdgvKvLzEEcahkV9x8we62ggrMvPdjYmd4Mcm9AKAlQNqCWRS6i8B2+
	UWi0PlhO8sknwW3Y/DwA6drl0HBezSx2Hs+yk6RFh7w2taYWegddwGW9ukpbpxkWVrw==
X-Gm-Gg: AZuq6aL3cY+doiGDul38UnU0AxT35Qt214IG3ir/VKTVk1/u+8hKU6K7l2MEBfTZqEC
	WHsVY/DwVaCySEGTOI9Zoo80xDwHZKgG2V4Hp9RycckfLfv/5vnU4ZVaCxoBaW6ekuHIjimRxR+
	MhH8CWROWePT44xAnFRxlUtlGHbI/O/BRel3DuFJi9BRVUeBMovn494Kn56RHK4e1aSRK/FdZOy
	9VKbV9yTY/WpgY1QiEFa0NmEwIOBg8oy4wJUUHm5V+uEFGwqLLuZeSsqu6HYwwYsUyXxUEcbHx/
	XA66LnaELi3tYWvIsoBZEuoD8E7jyCl3yVJ397ZOz6PQoHTauKICssjw1SQeJoMtokqBO36BV//
	LTBjlxw/CsfIuqZ5FepXIC6S6paqjM+7v1slVvw4r8I7nScGW52fuemxr3sdi
X-Received: by 2002:a05:600c:4e05:b0:45d:d97c:236c with SMTP id
 5b1f17b1804b1-480416867d8mr47222045e9.21.1768988212138;
        Wed, 21 Jan 2026 01:36:52 -0800 (PST)
X-Received: by 2002:a05:600c:4e05:b0:45d:d97c:236c with SMTP id
 5b1f17b1804b1-480416867d8mr47221465e9.21.1768988211696;
        Wed, 21 Jan 2026 01:36:51 -0800 (PST)
Received: from stex1.redhat.com (host-82-53-134-58.retail.telecomitalia.it.
 [82.53.134.58])
        by smtp.gmail.com with ESMTPSA id
 ffacd0b85a97d-4358f12ee69sm11893828f8f.11.2026.01.21.01.36.49
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Wed, 21 Jan 2026 01:36:50 -0800 (PST)
From: Stefano Garzarella <sgarzare@redhat.com>
To: netdev@vger.kernel.org
Cc: Simon Horman <horms@kernel.org>,
	Eric Dumazet <edumazet@google.com>,
	"Michael S. Tsirkin" <mst@redhat.com>,
	Arseniy Krasnov <AVKrasnov@sberdevices.ru>,
	"David S. Miller" <davem@davemloft.net>,
	Stefano Garzarella <sgarzare@redhat.com>,
	virtualization@lists.linux.dev,
	Paolo Abeni <pabeni@redhat.com>,
	Jakub Kicinski <kuba@kernel.org>,
	Stefan Hajnoczi <stefanha@redhat.com>,
	kvm@vger.kernel.org,
	linux-kernel@vger.kernel.org,
	Claudio Imbrenda <imbrenda@linux.vnet.ibm.com>,
	Jason Wang <jasowang@redhat.com>,
	Xuan Zhuo <xuanzhuo@linux.alibaba.com>,
	=?UTF-8?q?Eugenio=20P=C3=A9rez?= <eperezma@redhat.com>,
	Asias He <asias@redhat.com>,
	Melbin K Mathew <mlbnkm1@gmail.com>
Subject: [PATCH net v6 4/4] vsock/test: add stream TX credit bounds test
Date: Wed, 21 Jan 2026 10:36:28 +0100
Message-ID: <20260121093628.9941-5-sgarzare@redhat.com>
X-Mailer: git-send-email 2.52.0
In-Reply-To: <20260121093628.9941-1-sgarzare@redhat.com>
References: <20260121093628.9941-1-sgarzare@redhat.com>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

From: Melbin K Mathew <mlbnkm1@gmail.com>

Add a regression test for the TX credit bounds fix. The test verifies
that a sender with a small local buffer size cannot queue excessive
data even when the peer advertises a large receive buffer.

The client:
  - Sets a small buffer size (64 KiB)
  - Connects to server (which advertises 2 MiB buffer)
  - Sends in non-blocking mode until EAGAIN
  - Verifies total queued data is bounded

This guards against the original vulnerability where a remote peer
could cause unbounded kernel memory allocation by advertising a large
buffer and reading slowly.

Suggested-by: Stefano Garzarella <sgarzare@redhat.com>
Signed-off-by: Melbin K Mathew <mlbnkm1@gmail.com>
[Stefano: use sock_buf_size to check the bytes sent + small fixes]
Signed-off-by: Stefano Garzarella <sgarzare@redhat.com>
---
 tools/testing/vsock/vsock_test.c | 101 +++++++++++++++++++++++++++++++
 1 file changed, 101 insertions(+)

diff --git a/tools/testing/vsock/vsock_test.c b/tools/testing/vsock/vsock_t=
est.c
index 668fbe9eb3cc..5bd20ccd9335 100644
--- a/tools/testing/vsock/vsock_test.c
+++ b/tools/testing/vsock/vsock_test.c
@@ -347,6 +347,7 @@ static void test_stream_msg_peek_server(const struct te=
st_opts *opts)
 }
=20
 #define SOCK_BUF_SIZE (2 * 1024 * 1024)
+#define SOCK_BUF_SIZE_SMALL (64 * 1024)
 #define MAX_MSG_PAGES 4
=20
 static void test_seqpacket_msg_bounds_client(const struct test_opts *opts)
@@ -2230,6 +2231,101 @@ static void test_stream_accepted_setsockopt_server(=
const struct test_opts *opts)
 	close(fd);
 }
=20
+static void test_stream_tx_credit_bounds_client(const struct test_opts *op=
ts)
+{
+	unsigned long long sock_buf_size;
+	size_t total =3D 0;
+	char buf[4096];
+	int fd;
+
+	memset(buf, 'A', sizeof(buf));
+
+	fd =3D vsock_stream_connect(opts->peer_cid, opts->peer_port);
+	if (fd < 0) {
+		perror("connect");
+		exit(EXIT_FAILURE);
+	}
+
+	sock_buf_size =3D SOCK_BUF_SIZE_SMALL;
+
+	setsockopt_ull_check(fd, AF_VSOCK, SO_VM_SOCKETS_BUFFER_MAX_SIZE,
+			     sock_buf_size,
+			     "setsockopt(SO_VM_SOCKETS_BUFFER_MAX_SIZE)");
+
+	setsockopt_ull_check(fd, AF_VSOCK, SO_VM_SOCKETS_BUFFER_SIZE,
+			     sock_buf_size,
+			     "setsockopt(SO_VM_SOCKETS_BUFFER_SIZE)");
+
+	if (fcntl(fd, F_SETFL, fcntl(fd, F_GETFL, 0) | O_NONBLOCK) < 0) {
+		perror("fcntl(F_SETFL)");
+		exit(EXIT_FAILURE);
+	}
+
+	control_expectln("SRVREADY");
+
+	for (;;) {
+		ssize_t sent =3D send(fd, buf, sizeof(buf), 0);
+
+		if (sent =3D=3D 0) {
+			fprintf(stderr, "unexpected EOF while sending bytes\n");
+			exit(EXIT_FAILURE);
+		}
+
+		if (sent < 0) {
+			if (errno =3D=3D EINTR)
+				continue;
+
+			if (errno =3D=3D EAGAIN || errno =3D=3D EWOULDBLOCK)
+				break;
+
+			perror("send");
+			exit(EXIT_FAILURE);
+		}
+
+		total +=3D sent;
+	}
+
+	control_writeln("CLIDONE");
+	close(fd);
+
+	/* We should not be able to send more bytes than the value set as
+	 * local buffer size.
+	 */
+	if (total > sock_buf_size) {
+		fprintf(stderr,
+			"TX credit too large: queued %zu bytes (expected <=3D %llu)\n",
+			total, sock_buf_size);
+		exit(EXIT_FAILURE);
+	}
+}
+
+static void test_stream_tx_credit_bounds_server(const struct test_opts *op=
ts)
+{
+	unsigned long long sock_buf_size;
+	int fd;
+
+	fd =3D vsock_stream_accept(VMADDR_CID_ANY, opts->peer_port, NULL);
+	if (fd < 0) {
+		perror("accept");
+		exit(EXIT_FAILURE);
+	}
+
+	sock_buf_size =3D SOCK_BUF_SIZE;
+
+	setsockopt_ull_check(fd, AF_VSOCK, SO_VM_SOCKETS_BUFFER_MAX_SIZE,
+			     sock_buf_size,
+			     "setsockopt(SO_VM_SOCKETS_BUFFER_MAX_SIZE)");
+
+	setsockopt_ull_check(fd, AF_VSOCK, SO_VM_SOCKETS_BUFFER_SIZE,
+			     sock_buf_size,
+			     "setsockopt(SO_VM_SOCKETS_BUFFER_SIZE)");
+
+	control_writeln("SRVREADY");
+	control_expectln("CLIDONE");
+
+	close(fd);
+}
+
 static struct test_case test_cases[] =3D {
 	{
 		.name =3D "SOCK_STREAM connection reset",
@@ -2419,6 +2515,11 @@ static struct test_case test_cases[] =3D {
 		.run_client =3D test_stream_msgzcopy_mangle_client,
 		.run_server =3D test_stream_msgzcopy_mangle_server,
 	},
+	{
+		.name =3D "SOCK_STREAM TX credit bounds",
+		.run_client =3D test_stream_tx_credit_bounds_client,
+		.run_server =3D test_stream_tx_credit_bounds_server,
+	},
 	{},
 };
=20
--=20
2.52.0