On Thu, May 21, 2026 at 02:47:32PM +0200, Stefano Garzarella wrote:
> From: Stefano Garzarella <[email protected]>
>
> On 32-bit architectures, both skb_queue_len() and SKB_TRUESIZE(0) evaluate
> to 32-bit values. The multiplication can overflow before being assigned to
> the u64 skb_overhead variable, making the skb overhead check ineffective.
>
> Cast skb_queue_len() to u64 so the multiplication is always performed in
> 64-bit arithmetic.
>
> This issue was reported by Sashiko while reviewing another patch.
>
> Fixes: 059b7dbd20a6 ("vsock/virtio: fix potential unbounded skb queue")
> Closes:
> https://sashiko.dev/#/patchset/20260518090656.134588-1-sgarzare%40redhat.com
> Cc: [email protected]
> Signed-off-by: Stefano Garzarella <[email protected]>

Acked-by: Michael S. Tsirkin <[email protected]> > --- > net/vmw_vsock/virtio_transport_common.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/net/vmw_vsock/virtio_transport_common.c > b/net/vmw_vsock/virtio_transport_common.c > index df3b418e0392..71198bf23fc4 100644 > --- a/net/vmw_vsock/virtio_transport_common.c > +++ b/net/vmw_vsock/virtio_transport_common.c > @@ -417,7 +417,7 @@ static int virtio_transport_send_pkt_info(struct > vsock_sock *vsk, > static bool virtio_transport_inc_rx_pkt(struct virtio_vsock_sock *vvs, > u32 len) > { > - u64 skb_overhead = (skb_queue_len(&vvs->rx_queue) + 1) * > SKB_TRUESIZE(0); > + u64 skb_overhead = ((u64)skb_queue_len(&vvs->rx_queue) + 1) * > SKB_TRUESIZE(0); > > /* Allow at most buf_alloc * 2 total budget (payload + overhead), > * similar to how SO_RCVBUF is doubled to reserve space for sk_buff > -- > 2.54.0
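
Review bot: On the changed `skb_overhead` line, the `(u64)` cast is the only thing keeping the multiplication out of 32-bit arithmetic, and nothing in the code says so. A short comment, or a clause added to the existing "Allow at most buf_alloc * 2 total budget" comment just below, would keep a later cleanup from dropping the cast as redundant. The placement itself is right: `(u64)skb_queue_len(&vvs->rx_queue) + 1` promotes both the addition and the multiplication by `SKB_TRUESIZE(0)` to 64 bits. The `buf_alloc * 2` budget that the comment describes is computed outside this hunk; it is worth confirming in the same pass that the doubling is also done in 64-bit, since a wrapped budget would weaken the same check.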

