On 25/05/2026 14:15, malin (R) wrote:
> From 9eea4f61a4dca97f56c23e12267219bf791a20d1 Mon Sep 17 00:00:00 2001
> From: Jingguo Tan <[email protected]>
> Date: Fri, 22 May 2026 19:53:45 +0800
> Subject: [PATCH net] vsock/virtio: bind uarg before filling zerocopy skb
>
> virtio_transport_send_pkt_info() allocates or reuses the zerocopy uarg
> before entering the send loop, but virtio_transport_alloc_skb() still
> fills the skb before it inherits that uarg. When fixed-buffer vectored
> zerocopy hits MAX_SKB_FRAGS, io_sg_from_iter() may partially attach
> managed frags and return -EMSGSIZE. The rollback path calls kfree_skb()
> to free an skb that carries SKBFL_MANAGED_FRAG_REFS but no uarg, so
> skb_release_data() falls through to ordinary frag unref.
>
> Pass the uarg into virtio_transport_alloc_skb() and bind it immediately
> before virtio_transport_fill_skb(). This keeps control or no-payload skbs
> untouched while ensuring success and rollback share one lifetime rule.
>
> Fixes: 581512a6dc93 ("vsock/virtio: MSG_ZEROCOPY flag support")
> Signed-off-by: Lin Ma <[email protected]>
> Signed-off-by: Rongzhen Cui <[email protected]>
> Signed-off-by: Jingguo Tan <[email protected]>
Acked-by: Arseniy Krasnov <[email protected]>
> ---
>
> net/vmw_vsock/virtio_transport_common.c | 11 ++++++++---
> 1 file changed, 8 insertions(+), 3 deletions(-)
>
> diff --git a/net/vmw_vsock/virtio_transport_common.c
> b/net/vmw_vsock/virtio_transport_common.c
> index df3b418e0392..73f58925ff72 100644
> --- a/net/vmw_vsock/virtio_transport_common.c
> +++ b/net/vmw_vsock/virtio_transport_common.c
> @@ -205,6 +205,7 @@ static u16 virtio_transport_get_type(struct sock *sk)
> static struct sk_buff *virtio_transport_alloc_skb(struct
> virtio_vsock_pkt_info *info,
> size_t payload_len,
> bool zcopy,
> + struct ubuf_info *uarg,
> u32 src_cid,
> u32 src_port,
> u32 dst_cid,
> @@ -245,6 +246,11 @@ static struct sk_buff *virtio_transport_alloc_skb(struct
> virtio_vsock_pkt_info *
> if (info->msg && payload_len > 0) {
> int err;
>
> + /* Bind the zerocopy lifetime before filling frags so error
> rollback
> + * frees managed fixed-buffer pages through the uarg-aware path.
> + */
> + skb_zcopy_set(skb, uarg, NULL);
> +
> err = virtio_transport_fill_skb(skb, info, payload_len, zcopy);
> if (err)
> goto out;
> @@ -364,6 +370,7 @@ static int virtio_transport_send_pkt_info(struct
> vsock_sock *vsk,
> skb_len = min(max_skb_len, rest_len);
>
> skb = virtio_transport_alloc_skb(info, skb_len, can_zcopy,
> + uarg,
> src_cid, src_port,
> dst_cid, dst_port);
> if (!skb) {
> @@ -371,8 +378,6 @@ static int virtio_transport_send_pkt_info(struct
> vsock_sock *vsk,
> break;
> }
>
> - skb_zcopy_set(skb, uarg, NULL);
> -
> virtio_transport_inc_tx_pkt(vvs, skb);
>
> ret = t_ops->send_pkt(skb, info->net);
> @@ -1183,7 +1188,7 @@ static int virtio_transport_reset_no_sock(const struct
> virtio_transport *t,
> if (!t)
> return -ENOTCONN;
>
> - reply = virtio_transport_alloc_skb(&info, 0, false,
> + reply = virtio_transport_alloc_skb(&info, 0, false, NULL,
> le64_to_cpu(hdr->dst_cid),
> le32_to_cpu(hdr->dst_port),
> le64_to_cpu(hdr->src_cid),
