Re: [PATCH] vsock/vmci: fix sk_ack_backlog leak on failed handshake

Mon, 01 Jun 2026 02:34:12 -0700 

On 5/26/26 12:43 PM, Raf Dickson wrote:
> When vmci_transport_recv_connecting_server() returns an error,
> vmci_transport_recv_listen() calls vsock_remove_pending() but never
> calls sk_acceptq_removed(). This leaves sk_ack_backlog incremented
> permanently.
> 
> Repeated handshake failures (malformed packets, queue pair alloc
> failure, event subscribe failure) cause sk_ack_backlog to climb
> toward sk_max_ack_backlog. Once it reaches the limit the listener
> permanently refuses all new connections with -ECONNREFUSED, a
> silent denial of service requiring a process restart to recover.
> 
> The two existing sk_acceptq_removed() calls in af_vsock.c do not
> cover this path: line 764 checks vsock_is_pending() which returns
> false after vsock_remove_pending(), and line 1889 is only reached
> on successful accept().
> 
> Fix by balancing sk_acceptq_added() with sk_acceptq_removed() on
> the error path.
> 
> Fixes: d021c344051a ("VSOCK: Introduce VM Sockets")
> Cc: [email protected]
> Signed-off-by: Raf Dickson <[email protected]>

Waiting for Stefano's feedback - should be back in a couple of days.

> ---
>  net/vmw_vsock/vmci_transport.c | 4 +++-
>  1 file changed, 3 insertions(+), 1 deletion(-)
> 
> diff --git a/net/vmw_vsock/vmci_transport.c b/net/vmw_vsock/vmci_transport.c
> index d2579380f5..88ccc55455 100644
> --- a/net/vmw_vsock/vmci_transport.c
> +++ b/net/vmw_vsock/vmci_transport.c
> @@ -980,8 +980,10 @@ static int vmci_transport_recv_listen(struct sock *sk,
>                       err = -EINVAL;
>               }
>  
> -             if (err < 0)
> +             if (err < 0) {
>                       vsock_remove_pending(sk, pending);
> +                     sk_acceptq_removed(sk);

I'm wondering if sk_acceptq_removed() should be bounded in
vsock_remove_pending() ? (even if that change would probably be net-next
material).

/P



> +             }
>  
>               release_sock(pending);
>               vmci_transport_release_pending(pending);

Reply via email to