Commit 3a3e3d90 authored May 08, 2026 by Stefano Garzarella Committed by Paolo Abeni May 12, 2026

vsock/virtio: fix empty payload in tap skb for non-linear buffers



For non-linear skbs, virtio_transport_build_skb() goes through
virtio_transport_copy_nonlinear_skb() to copy the original payload
in the new skb to be delivered to the vsockmon tap device.
This manually initializes an iov_iter but does not set iov_iter.count.
Since the iov_iter is zero-initialized, the copy length is zero and no
payload is actually copied to the monitor interface, leaving data
un-initialized.

Fix this by removing the linear vs non-linear split and using
skb_copy_datagram_iter() with iov_iter_kvec() for all cases, as
vhost-vsock already does. This handles both linear and non-linear skbs,
properly initializes the iov_iter, and removes the now unused
virtio_transport_copy_nonlinear_skb().

While touching this code, let's also check the return value of
skb_copy_datagram_iter(), even though it's unlikely to fail.

Fixes: 4b0bf10e ("vsock/virtio: non-linear skb handling for tap")
Reported-by: Yiqi Sun <sunyiqixm@gmail.com>
Signed-off-by: Stefano Garzarella <sgarzare@redhat.com>
Reviewed-by: Bobby Eshleman <bobbyeshleman@meta.com>
Reviewed-by: Arseniy Krasnov <avkrasnov@rulkc.org>
Link: https://patch.msgid.link/20260508164411.261440-3-sgarzare@redhat.com


Acked-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Paolo Abeni <pabeni@redhat.com>

parent 5f344d80

net/vmw_vsock/virtio_transport_common.c

+12 −28

Original line number	Diff line number	Diff line
		@@ -136,27 +136,6 @@ static void virtio_transport_init_hdr(struct sk_buff *skb,
		hdr->fwd_cnt = cpu_to_le32(0);
		}

		static void virtio_transport_copy_nonlinear_skb(const struct sk_buff *skb,
		void *dst,
		size_t len)
		{
		struct iov_iter iov_iter = { 0 };
		struct kvec kvec;
		size_t to_copy;

		kvec.iov_base = dst;
		kvec.iov_len = len;

		iov_iter.iter_type = ITER_KVEC;
		iov_iter.kvec = &kvec;
		iov_iter.nr_segs = 1;

		to_copy = min_t(size_t, len, skb->len);

		skb_copy_datagram_iter(skb, VIRTIO_VSOCK_SKB_CB(skb)->offset,
		&iov_iter, to_copy);
		}

		/* Packet capture */
		static struct sk_buff virtio_transport_build_skb(void opaque)
		{
		@@ -214,13 +193,18 @@ static struct sk_buff virtio_transport_build_skb(void opaque)
		skb_put_data(skb, pkt_hdr, sizeof(*pkt_hdr));

		if (payload_len) {
		if (skb_is_nonlinear(pkt)) {
		struct iov_iter iov_iter;
		struct kvec kvec;
		void *data = skb_put(skb, payload_len);

		virtio_transport_copy_nonlinear_skb(pkt, data, payload_len);
		} else {
		skb_put_data(skb, pkt->data + VIRTIO_VSOCK_SKB_CB(pkt)->offset,
		payload_len);
		kvec.iov_base = data;
		kvec.iov_len = payload_len;
		iov_iter_kvec(&iov_iter, ITER_DEST, &kvec, 1, payload_len);

		if (skb_copy_datagram_iter(pkt, VIRTIO_VSOCK_SKB_CB(pkt)->offset,
		&iov_iter, payload_len)) {
		kfree_skb(skb);
		return NULL;
		}
		}