On Mon, May 25, 2026 at 11:15:12AM +0000, malin (R) wrote: > >From 9eea4f61a4dca97f56c23e12267219bf791a20d1 Mon Sep 17 00:00:00 2001 > From: Jingguo Tan <[email protected]> > Date: Fri, 22 May 2026 19:53:45 +0800 > Subject: [PATCH net] vsock/virtio: bind uarg before filling zerocopy skb > > virtio_transport_send_pkt_info() allocates or reuses the zerocopy uarg > before entering the send loop, but virtio_transport_alloc_skb() still > fills the skb before it inherits that uarg. When fixed-buffer vectored > zerocopy hits MAX_SKB_FRAGS, io_sg_from_iter() may partially attach > managed frags and return -EMSGSIZE. The rollback path calls kfree_skb() > to free an skb that carries SKBFL_MANAGED_FRAG_REFS but no uarg, so > skb_release_data() falls through to ordinary frag unref. > > Pass the uarg into virtio_transport_alloc_skb() and bind it immediately > before virtio_transport_fill_skb(). This keeps control or no-payload skbs > untouched while ensuring success and rollback share one lifetime rule. > > Fixes: 581512a6dc93 ("vsock/virtio: MSG_ZEROCOPY flag support") > Signed-off-by: Lin Ma <[email protected]> > Signed-off-by: Rongzhen Cui <[email protected]> > Signed-off-by: Jingguo Tan <[email protected]>
Acked-by: Michael S. Tsirkin <[email protected]> > --- > > net/vmw_vsock/virtio_transport_common.c | 11 ++++++++--- > 1 file changed, 8 insertions(+), 3 deletions(-) > > diff --git a/net/vmw_vsock/virtio_transport_common.c > b/net/vmw_vsock/virtio_transport_common.c > index df3b418e0392..73f58925ff72 100644 > --- a/net/vmw_vsock/virtio_transport_common.c > +++ b/net/vmw_vsock/virtio_transport_common.c > @@ -205,6 +205,7 @@ static u16 virtio_transport_get_type(struct sock *sk) > static struct sk_buff *virtio_transport_alloc_skb(struct > virtio_vsock_pkt_info *info, > size_t payload_len, > bool zcopy, > + struct ubuf_info *uarg, > u32 src_cid, > u32 src_port, > u32 dst_cid, > @@ -245,6 +246,11 @@ static struct sk_buff *virtio_transport_alloc_skb(struct > virtio_vsock_pkt_info * > if (info->msg && payload_len > 0) { > int err; > > + /* Bind the zerocopy lifetime before filling frags so error > rollback > + * frees managed fixed-buffer pages through the uarg-aware path. > + */ > + skb_zcopy_set(skb, uarg, NULL); > + > err = virtio_transport_fill_skb(skb, info, payload_len, zcopy); > if (err) > goto out; > @@ -364,6 +370,7 @@ static int virtio_transport_send_pkt_info(struct > vsock_sock *vsk, > skb_len = min(max_skb_len, rest_len); > > skb = virtio_transport_alloc_skb(info, skb_len, can_zcopy, > + uarg, > src_cid, src_port, > dst_cid, dst_port); > if (!skb) { > @@ -371,8 +378,6 @@ static int virtio_transport_send_pkt_info(struct > vsock_sock *vsk, > break; > } > > - skb_zcopy_set(skb, uarg, NULL); > - > virtio_transport_inc_tx_pkt(vvs, skb); > > ret = t_ops->send_pkt(skb, info->net); > @@ -1183,7 +1188,7 @@ static int virtio_transport_reset_no_sock(const struct > virtio_transport *t, > if (!t) > return -ENOTCONN; > > - reply = virtio_transport_alloc_skb(&info, 0, false, > + reply = virtio_transport_alloc_skb(&info, 0, false, NULL, > le64_to_cpu(hdr->dst_cid), > le32_to_cpu(hdr->dst_port), > le64_to_cpu(hdr->src_cid), > -- > 2.53.0
