CVE-2026-23086

Source
https://cve.org/CVERecord?id=CVE-2026-23086
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-23086.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-23086
Published
2026-02-04T16:08:10.047Z
Modified
2026-03-27T08:59:22.355200Z
Summary
vsock/virtio: cap TX credit to local buffer size
Details

In the Linux kernel, the following vulnerability has been resolved:

vsock/virtio: cap TX credit to local buffer size

The virtio transports derive their TX credit directly from peer_buf_alloc, which is set from the remote endpoint's SO_VM_SOCKETS_BUFFER_SIZE value.

On the host side this means that the amount of data we are willing to queue for a connection is scaled by a guest-chosen buffer size, rather than the host's own vsock configuration. A malicious guest can advertise a large buffer and read slowly, causing the host to allocate a correspondingly large amount of sk_buff memory. The same thing would happen in the guest with a malicious host, since virtio transports share the same code base.

Introduce a small helper, virtio_transport_tx_buf_size(), that returns min(peer_buf_alloc, buf_alloc), and use it wherever we consume peer_buf_alloc.

This ensures the effective TX window is bounded by both the peer's advertised buffer and our own buf_alloc (already clamped to buffer_max_size via SO_VM_SOCKETS_BUFFER_MAX_SIZE), so a remote peer cannot force the other to queue more data than allowed by its own vsock settings.

On an unpatched Ubuntu 22.04 host (~64 GiB RAM), running a PoC with 32 guest vsock connections advertising 2 GiB each and reading slowly drove Slab/SUnreclaim from ~0.5 GiB to ~57 GiB; the system only recovered after killing the QEMU process. That said, if QEMU memory is limited with cgroups, the maximum memory used will be limited.

With this patch applied:

Before:
  MemFree:    ~61.6 GiB
  Slab:       ~142 MiB
  SUnreclaim: ~117 MiB

After 32 high-credit connections:
  MemFree:    ~61.5 GiB
  Slab:       ~178 MiB
  SUnreclaim: ~152 MiB

Only ~35 MiB increase in Slab/SUnreclaim, no host OOM, and the guest remains responsive.

Compatibility with non-virtio transports:

  • VMCI uses the AF_VSOCK buffer knobs to size its queue pairs per socket based on the local vsk->buffer_* values; the remote side cannot enlarge those queues beyond what the local endpoint configured.

  • Hyper-V's vsock transport uses fixed-size VMBus ring buffers and an MTU bound; there is no peer-controlled credit field comparable to peer_buf_alloc, and the remote endpoint cannot drive in-flight kernel memory above those ring sizes.

  • The loopback path reuses virtio_transport_common.c, so it naturally follows the same semantics as the virtio transport.

This change is limited to virtio_transport_common.c and thus affects virtio-vsock, vhost-vsock, and loopback, bringing them in line with the "remote window intersected with local policy" behaviour that VMCI and Hyper-V already effectively have.

[Stefano: small adjustments after changing the previous patch]
[Stefano: tweak the commit message]
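
The credit accounting described in the commit message above, as an added example: a simplified user-space model written for this page, not the kernel patch or any code from the Linux tree. The struct, the function names `tx_credit` and `queued_bytes`, the 256 KiB local buffer and the 64 KiB chunk size are assumptions of the example; only `peer_buf_alloc`, `buf_alloc` and the min() rule come from the text.

```c
#include <stdint.h>
#include <stdio.h>

/* Simplified credit state; struct and helpers are assumptions of this example. */
struct credit {
    uint32_t buf_alloc;      /* local buffer size, set by local policy */
    uint32_t peer_buf_alloc; /* buffer size advertised by the remote peer */
    uint32_t tx_cnt;         /* bytes sent so far */
    uint32_t peer_fwd_cnt;   /* bytes the peer reports as consumed */
};

/* Bytes that may still be queued. The window is peer-chosen before the
 * fix and min(peer_buf_alloc, buf_alloc) after it. */
static uint32_t tx_credit(const struct credit *c, int patched)
{
    uint32_t window = c->peer_buf_alloc;
    uint32_t in_flight = c->tx_cnt - c->peer_fwd_cnt; /* wraps mod 2^32 */
    if (patched && c->buf_alloc < window)
        window = c->buf_alloc;
    return in_flight >= window ? 0 : window - in_flight; /* never negative */
}

/* Queue `want` bytes per connection to a peer that never consumes; return bytes in flight. */
static uint64_t queued_bytes(int conns, uint32_t local, uint32_t peer,
                             uint64_t want, int patched)
{
    uint64_t total = 0;
    for (int i = 0; i < conns; i++) {
        struct credit c = { local, peer, 0, 0 };
        uint64_t left = want;
        uint32_t credit = 0;
        while (left > 0 && (credit = tx_credit(&c, patched)) > 0) {
            uint32_t chunk = credit > 65536 ? 65536 : credit; /* constructed cap */
            if (chunk > left) chunk = (uint32_t)left;
            c.tx_cnt += chunk;
            left -= chunk;
        }
        total += c.tx_cnt - c.peer_fwd_cnt; /* data pinned for this socket */
    }
    return total;
}

int main(void)
{
    /* Constructed inputs: 32 connections, 256 KiB local, 2 GiB advertised. */
    for (int p = 0; p <= 1; p++)
        printf("patched=%d queued=%llu bytes\n", p, (unsigned long long)
               queued_bytes(32, 262144u, 2147483648u, 3ULL << 30, p));
    return 0;
}
```

The model counts payload bytes only, so its totals show the bound on in-flight data rather than the Slab figures quoted in the commit message.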

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/23xxx/CVE-2026-23086.json",
    "cna_assigner": "Linux"
}
Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
06a8fc78367d070720af960dcecec917d3ae5f3b
Fixed
fef7110ae5617555c792a2bb4d27878d84583adf
Fixed
d9d5f222558b42f6277eafaaa6080966faf37676
Fixed
c0e42fb0e054c2b2ec4ee80f48ccd256ae0227ce
Fixed
84ef86aa7120449828d1e0ce438c499014839711
Fixed
8ee784fdf006cbe8739cfa093f54d326cbf54037

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-23086.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.8.0
Fixed
6.1.162
Type
ECOSYSTEM
Events
Introduced
6.2.0
Fixed
6.6.122
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.12.68
Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.18.8

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-23086.json"