From: Raf Dickson
To: netdev@vger.kernel.org, virtualization@lists.linux.dev, linux-kernel@vger.kernel.org
Cc: sgarzare@redhat.com, stefanha@redhat.com, bryan-bt.tan@broadcom.com, vishnu.dasa@broadcom.com, bcm-kernel-feedback-list@broadcom.com, stable@vger.kernel.org, Raf Dickson
Subject: [PATCH] vsock/vmci: fix sk_ack_backlog leak on failed handshake
Date: Tue, 26 May 2026 10:43:56 +0000
Message-ID: <20260526104356.469928-1-rafdog35@gmail.com>

When vmci_transport_recv_connecting_server() returns an error,
vmci_transport_recv_listen() calls vsock_remove_pending() but never
calls sk_acceptq_removed(). This leaves sk_ack_backlog incremented
permanently.

Repeated handshake failures (malformed packets, queue pair alloc
failure, event subscribe failure) cause sk_ack_backlog to climb toward
sk_max_ack_backlog. Once it reaches the limit the listener permanently
refuses all new connections with -ECONNREFUSED, a silent denial of
service requiring a process restart to recover.

The two existing sk_acceptq_removed() calls in af_vsock.c do not cover
this path: line 764 checks vsock_is_pending() which returns false after
vsock_remove_pending(), and line 1889 is only reached on successful
accept().

Fix by balancing sk_acceptq_added() with sk_acceptq_removed() on the
error path.

Fixes: d021c344051a ("VSOCK: Introduce VM Sockets")
Cc: stable@vger.kernel.org
Signed-off-by: Raf Dickson Acked-by: Stefano Garzarella --- net/vmw_vsock/vmci_transport.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/net/vmw_vsock/vmci_transport.c b/net/vmw_vsock/vmci_transport.c index d2579380f5..88ccc55455 100644 --- a/net/vmw_vsock/vmci_transport.c +++ b/net/vmw_vsock/vmci_transport.c @@ -980,8 +980,10 @@ static int vmci_transport_recv_listen(struct sock *sk, err =3D -EINVAL; } =20 - if (err < 0) + if (err < 0) { vsock_remove_pending(sk, pending); + sk_acceptq_removed(sk); + } =20 release_sock(pending); vmci_transport_release_pending(pending); --=20 2.54.0
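Review bot: the new sk_acceptq_removed(sk) inside the `if (err < 0)` block is unconditional, so it also runs when err comes from the `err = -EINVAL;` assignment visible just above, not only from a vmci_transport_recv_connecting_server() failure, which is the only case the commit message argues. Please state in the commit message (or in a one-line comment above the block) that every socket reaching this check was counted with sk_acceptq_added() when it was queued as pending, so the decrement is balanced for both sources of err and cannot drive sk_ack_backlog below its true value. Since the patch is Cc'd to stable, it would also help to name the two af_vsock.c functions instead of citing "line 764" and "line 1889", because those line numbers will not match older trees.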