From 54e8fd1596ea6a5ebaa976ef7d8890d18e0791a0 Mon Sep 17 00:00:00 2001 From: Dexuan Cui Date: Thu, 16 Apr 2026 12:14:33 -0700 Subject: [PATCH 1/2] hv_sock: Report EOF instead of -EIO for FIN Commit f0c5827d07cb unluckily causes a regression for the FIN packet, and the final read syscall gets an error rather than 0. Ideally, we would want to fix hvs_channel_readable_payload() so that it could return 0 in the FIN scenario, but it's not good for the hv_sock driver to use the VMBus ringbuffer's cached priv_read_index, which is internal data in the VMBus driver. Fix the regression in hv_sock by returning 0 rather than -EIO. Fixes: f0c5827d07cb ("hv_sock: Return the readable bytes in hvs_stream_has_data()") Cc: stable@vger.kernel.org Reported-by: Ben Hillis Reported-by: Mitchell Levy Signed-off-by: Dexuan Cui Acked-by: Stefano Garzarella Link: https://patch.msgid.link/20260416191433.840637-1-decui@microsoft.com Signed-off-by: Jakub Kicinski As of today (4/21/2026), the patch is in the upstream net.git tree: https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git/commit/?id=f6315295899415f1ddcf39f7c9cb46d25e2c6c6a --- net/vmw_vsock/hyperv_transport.c | 20 ++++++++++++++++---- 1 file changed, 16 insertions(+), 4 deletions(-) diff --git a/net/vmw_vsock/hyperv_transport.c b/net/vmw_vsock/hyperv_transport.c index 432fcbbd14d4f..549b53ac3dea0 100644 --- a/net/vmw_vsock/hyperv_transport.c +++ b/net/vmw_vsock/hyperv_transport.c @@ -694,7 +694,6 @@ static ssize_t hvs_stream_enqueue(struct vsock_sock *vsk, struct msghdr *msg, static s64 hvs_stream_has_data(struct vsock_sock *vsk) { struct hvsock *hvs = vsk->trans; - bool need_refill; s64 ret; if (hvs->recv_data_len > 0) @@ -702,9 +701,22 @@ static s64 hvs_stream_has_data(struct vsock_sock *vsk) switch (hvs_channel_readable_payload(hvs->chan)) { case 1: - need_refill = !hvs->recv_desc; - if (!need_refill) - return -EIO; + if (hvs->recv_desc) { + /* Here hvs->recv_data_len is 0, so hvs->recv_desc must + * be NULL unless it points to the 0-byte-payload FIN + * packet: see hvs_update_recv_data(). + * + * Here all the payload has been dequeued, but + * hvs_channel_readable_payload() still returns 1, + * because the VMBus ringbuffer's read_index is not + * updated for the FIN packet: hvs_stream_dequeue() -> + * hv_pkt_iter_next() updates the cached priv_read_index + * but has no opportunity to update the read_index in + * hv_pkt_iter_close() as hvs_stream_has_data() returns + * 0 for the FIN packet, so it won't get dequeued. + */ + return 0; + } hvs->recv_desc = hv_pkt_iter_first(hvs->chan); if (!hvs->recv_desc) From a1deac50ff42cf657d04013e934c97124a82818e Mon Sep 17 00:00:00 2001 From: Dexuan Cui Date: Wed, 22 Apr 2026 23:48:11 -0700 Subject: [PATCH 2/2] hv_sock: Return -EIO for malformed/short packets Commit f63152958994 fixes a regression, however it fails to report an error for malformed/short packets -- normally we should never see such packets, but let's report an error for them just in case. Fixes: f63152958994 ("hv_sock: Report EOF instead of -EIO for FIN") Cc: stable@vger.kernel.org Signed-off-by: Dexuan Cui Acked-by: Stefano Garzarella Link: https://patch.msgid.link/20260423064811.1371749-1-decui@microsoft.com Signed-off-by: Jakub Kicinski As of today (4/23/2026), the patch is in the upstream net.git tree: https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git/commit/?id=3d1f20727a635811f6b77801a7b57b8995268abd --- net/vmw_vsock/hyperv_transport.c | 27 ++++++++++++++++++--------- 1 file changed, 18 insertions(+), 9 deletions(-) diff --git a/net/vmw_vsock/hyperv_transport.c b/net/vmw_vsock/hyperv_transport.c index 549b53ac3dea0..326d9ac651456 100644 --- a/net/vmw_vsock/hyperv_transport.c +++ b/net/vmw_vsock/hyperv_transport.c @@ -704,17 +704,26 @@ static s64 hvs_stream_has_data(struct vsock_sock *vsk) if (hvs->recv_desc) { /* Here hvs->recv_data_len is 0, so hvs->recv_desc must * be NULL unless it points to the 0-byte-payload FIN - * packet: see hvs_update_recv_data(). + * packet or a malformed/short packet: see + * hvs_update_recv_data(). * - * Here all the payload has been dequeued, but - * hvs_channel_readable_payload() still returns 1, - * because the VMBus ringbuffer's read_index is not - * updated for the FIN packet: hvs_stream_dequeue() -> - * hv_pkt_iter_next() updates the cached priv_read_index - * but has no opportunity to update the read_index in - * hv_pkt_iter_close() as hvs_stream_has_data() returns - * 0 for the FIN packet, so it won't get dequeued. + * If hvs->recv_desc points to the FIN packet, here all + * the payload has been dequeued and the peer_shutdown + * flag is set, but hvs_channel_readable_payload() still + * returns 1, because the VMBus ringbuffer's read_index + * is not updated for the FIN packet: + * hvs_stream_dequeue() -> hv_pkt_iter_next() updates + * the cached priv_read_index but has no opportunity to + * update the read_index in hv_pkt_iter_close() as + * hvs_stream_has_data() returns 0 for the FIN packet, + * so it won't get dequeued. + * + * In case hvs->recv_desc points to a malformed/short + * packet, return -EIO. */ + if (!(vsk->peer_shutdown & SEND_SHUTDOWN)) + return -EIO; + return 0; }