On Sat, 13 Dec 2025 08:37:17 +0900, Jakub Kicinski wrote:

quoted

In zerocopy_fill_skb_from_iter(), if two copy operations are performed
and the first one succeeds while the second one fails, it returns a
failure but the count in iterator has already been decremented due to
the first successful copy. This ultimately affects the local variable
rest_len in virtio_transport_send_pkt_info(), causing the remaining
count in rest_len to be greater than the actual iterator count. As a
result, packet sending operations continue even when the iterator count
is zero, which further leads to skb->len being 0 and triggers the warning
reported by syzbot [1].

Please address the feedback from previous revision and when you repost
use net as the subject tag.

I have added the following explanation in the comments:
Regarding the judgment condition, I aligned it with the condition in
skb_zerocopy_iter_stream().

syzbot reported the issue in the linux-next repository, and I also
tested and created the patch using the linux-next source code repository.
Therefore, I added the subject net-next tag.
If you think adding the net subject tag directly is acceptable, I will
adjust it in the next version of the patch.