From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Fri, 15 May 2026 15:14:45 +0000 (+0200)
Subject: 5.15-stable patches
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=7cb632958f1cd1868559abd2a98631ea2a6cf14f;p=thirdparty%2Fkernel%2Fstable-queue.git

5.15-stable patches

added patches:
	vsock-fix-buffer-size-clamping-order.patch
---

diff --git a/queue-5.15/series b/queue-5.15/series
index 20b1961b3e..bae98a8b79 100644
--- a/queue-5.15/series
+++ b/queue-5.15/series
@@ -383,3 +383,4 @@ batman-adv-bla-prevent-use-after-free-when-deleting-claims.patch
 batman-adv-bla-only-purge-non-released-claims.patch
 batman-adv-bla-put-backbone-reference-on-failed-claim-hash-insert.patch
 bluetooth-l2cap-fix-null-ptr-deref-in-l2cap_sock_get_sndtimeo_cb.patch
+vsock-fix-buffer-size-clamping-order.patch
diff --git a/queue-5.15/vsock-fix-buffer-size-clamping-order.patch b/queue-5.15/vsock-fix-buffer-size-clamping-order.patch
new file mode 100644
index 0000000000..62ca59e017
--- /dev/null
+++ b/queue-5.15/vsock-fix-buffer-size-clamping-order.patch
@@ -0,0 +1,50 @@
+From d114bfdc9b76bf93b881e195b7ec957c14227bab Mon Sep 17 00:00:00 2001
+From: Norbert Szetei <norbert@doyensec.com>
+Date: Thu, 9 Apr 2026 18:34:12 +0200
+Subject: vsock: fix buffer size clamping order
+
+From: Norbert Szetei <norbert@doyensec.com>
+
+commit d114bfdc9b76bf93b881e195b7ec957c14227bab upstream.
+
+In vsock_update_buffer_size(), the buffer size was being clamped to the
+maximum first, and then to the minimum. If a user sets a minimum buffer
+size larger than the maximum, the minimum check overrides the maximum
+check, inverting the constraint.
+
+This breaks the intended socket memory boundaries by allowing the
+vsk->buffer_size to grow beyond the configured vsk->buffer_max_size.
+
+Fix this by checking the minimum first, and then the maximum. This
+ensures the buffer size never exceeds the buffer_max_size.
+
+Fixes: b9f2b0ffde0c ("vsock: handle buffer_size sockopts in the core")
+Suggested-by: Stefano Garzarella <sgarzare@redhat.com>
+Signed-off-by: Norbert Szetei <norbert@doyensec.com>
+Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
+Link: https://patch.msgid.link/180118C5-8BCF-4A63-A305-4EE53A34AB9C@doyensec.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Cc: Luigi Leonardi <leonardi@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/vmw_vsock/af_vsock.c |    6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/net/vmw_vsock/af_vsock.c
++++ b/net/vmw_vsock/af_vsock.c
+@@ -1671,12 +1671,12 @@ static void vsock_update_buffer_size(str
+ 				     const struct vsock_transport *transport,
+ 				     u64 val)
+ {
+-	if (val > vsk->buffer_max_size)
+-		val = vsk->buffer_max_size;
+-
+ 	if (val < vsk->buffer_min_size)
+ 		val = vsk->buffer_min_size;
+ 
++	if (val > vsk->buffer_max_size)
++		val = vsk->buffer_max_size;
++
+ 	if (val != vsk->buffer_size &&
+ 	    transport && transport->notify_buffer_size)
+ 		transport->notify_buffer_size(vsk, &val);