5.15-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 15 May 2026 15:14:45 +0000 (17:14 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 15 May 2026 15:14:45 +0000 (17:14 +0200)
added patches:
vsock-fix-buffer-size-clamping-order.patch

queue-5.15/series
queue-5.15/vsock-fix-buffer-size-clamping-order.patch [new file with mode: 0644]

index 20b1961b3ec3e36667340851ab381880f0f6ff14..bae98a8b799ff865841935bfba0f02243c734409 100644 (file)
@@ -383,3 +383,4 @@ batman-adv-bla-prevent-use-after-free-when-deleting-claims.patch
 batman-adv-bla-only-purge-non-released-claims.patch
 batman-adv-bla-put-backbone-reference-on-failed-claim-hash-insert.patch
 bluetooth-l2cap-fix-null-ptr-deref-in-l2cap_sock_get_sndtimeo_cb.patch
+vsock-fix-buffer-size-clamping-order.patch
diff --git a/queue-5.15/vsock-fix-buffer-size-clamping-order.patch b/queue-5.15/vsock-fix-buffer-size-clamping-order.patch
new file mode 100644 (file)
index 0000000..62ca59e
--- /dev/null
@@ -0,0 +1,50 @@
+From d114bfdc9b76bf93b881e195b7ec957c14227bab Mon Sep 17 00:00:00 2001
+From: Norbert Szetei <norbert@doyensec.com>
+Date: Thu, 9 Apr 2026 18:34:12 +0200
+Subject: vsock: fix buffer size clamping order
+
+From: Norbert Szetei <norbert@doyensec.com>
+
+commit d114bfdc9b76bf93b881e195b7ec957c14227bab upstream.
+
+In vsock_update_buffer_size(), the buffer size was being clamped to the
+maximum first, and then to the minimum. If a user sets a minimum buffer
+size larger than the maximum, the minimum check overrides the maximum
+check, inverting the constraint.
+
+This breaks the intended socket memory boundaries by allowing the
+vsk->buffer_size to grow beyond the configured vsk->buffer_max_size.
+
+Fix this by checking the minimum first, and then the maximum. This
+ensures the buffer size never exceeds the buffer_max_size.
+
+Fixes: b9f2b0ffde0c ("vsock: handle buffer_size sockopts in the core")
+Suggested-by: Stefano Garzarella <sgarzare@redhat.com>
+Signed-off-by: Norbert Szetei <norbert@doyensec.com>
+Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
+Link: https://patch.msgid.link/180118C5-8BCF-4A63-A305-4EE53A34AB9C@doyensec.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Cc: Luigi Leonardi <leonardi@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/vmw_vsock/af_vsock.c |    6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/net/vmw_vsock/af_vsock.c
++++ b/net/vmw_vsock/af_vsock.c
+@@ -1671,12 +1671,12 @@ static void vsock_update_buffer_size(str
+                                    const struct vsock_transport *transport,
+                                    u64 val)
+ {
+-      if (val > vsk->buffer_max_size)
+-              val = vsk->buffer_max_size;
+-
+       if (val < vsk->buffer_min_size)
+               val = vsk->buffer_min_size;
++      if (val > vsk->buffer_max_size)
++              val = vsk->buffer_max_size;
++
+       if (val != vsk->buffer_size &&
+           transport && transport->notify_buffer_size)
+               transport->notify_buffer_size(vsk, &val);
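Review bot: The two clamps in vsock_update_buffer_size() are now order-dependent, but nothing in the new code says so. A comment above the second check, such as `/* Clamp to the maximum last so buffer_max_size wins when min > max. */`, would keep a later cleanup from swapping them back. With this order, a minimum set above the maximum leaves val at buffer_max_size, which is below buffer_min_size, so the inconsistent pair is tolerated rather than rejected; whether the sockopt path should refuse min > max is not visible in this hunk. The call `transport->notify_buffer_size(vsk, &val)` passes val by pointer after clamping, so if a transport can change it, the result is not re-checked against buffer_max_size in the visible lines. The function body continues past the hunk, so that should be confirmed against the rest of it.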