[PATCH net v2] hv_sock: Return -EIO for malformed/short packets

Wed, 22 Apr 2026 23:48:37 -0700 

Commit f63152958994 fixes a regression, however it fails to report an
error for malformed/short packets -- normally we should never see such
packets, but let's report an error for them just in case.

Fixes: f63152958994 ("hv_sock: Report EOF instead of -EIO for FIN")
Cc: [email protected]
Signed-off-by: Dexuan Cui <[email protected]>
---

Commit f63152958994 is currently only in net.git's master branch.

Changes since v1:
    Integrated comments from Stefano Garzarella:

        1) access 'vsk' directly:
           s/hvs->vsk->peer_shutdown/vsk->peer_shutdown/

        2) test the error condition first and return -EIO for that.

    NO other changes.


 net/vmw_vsock/hyperv_transport.c | 27 ++++++++++++++++++---------
 1 file changed, 18 insertions(+), 9 deletions(-)

diff --git a/net/vmw_vsock/hyperv_transport.c b/net/vmw_vsock/hyperv_transport.c
index 76e78c83fdbc..f862988c1e86 100644
--- a/net/vmw_vsock/hyperv_transport.c
+++ b/net/vmw_vsock/hyperv_transport.c
@@ -704,17 +704,26 @@ static s64 hvs_stream_has_data(struct vsock_sock *vsk)
                if (hvs->recv_desc) {
                        /* Here hvs->recv_data_len is 0, so hvs->recv_desc must
                         * be NULL unless it points to the 0-byte-payload FIN
-                        * packet: see hvs_update_recv_data().
+                        * packet or a malformed/short packet: see
+                        * hvs_update_recv_data().
                         *
-                        * Here all the payload has been dequeued, but
-                        * hvs_channel_readable_payload() still returns 1,
-                        * because the VMBus ringbuffer's read_index is not
-                        * updated for the FIN packet: hvs_stream_dequeue() ->
-                        * hv_pkt_iter_next() updates the cached priv_read_index
-                        * but has no opportunity to update the read_index in
-                        * hv_pkt_iter_close() as hvs_stream_has_data() returns
-                        * 0 for the FIN packet, so it won't get dequeued.
+                        * If hvs->recv_desc points to the FIN packet, here all
+                        * the payload has been dequeued and the peer_shutdown
+                        * flag is set, but hvs_channel_readable_payload() still
+                        * returns 1, because the VMBus ringbuffer's read_index
+                        * is not updated for the FIN packet:
+                        * hvs_stream_dequeue() -> hv_pkt_iter_next() updates
+                        * the cached priv_read_index but has no opportunity to
+                        * update the read_index in hv_pkt_iter_close() as
+                        * hvs_stream_has_data() returns 0 for the FIN packet,
+                        * so it won't get dequeued.
+                        *
+                        * In case hvs->recv_desc points to a malformed/short
+                        * packet, return -EIO.
                         */
+                       if (!(vsk->peer_shutdown & SEND_SHUTDOWN))
+                               return -EIO;
+
                        return 0;
                }
 
-- 
2.49.0

Reply via email to