From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Fri, 15 May 2026 15:15:03 +0000 (+0200)
Subject: 6.6-stable patches
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=c78cbecaa2927f453295ac460ced709ed25b9b9b;p=thirdparty%2Fkernel%2Fstable-queue.git

6.6-stable patches

added patches:
	vsock-fix-buffer-size-clamping-order.patch
	vsock-virtio-fix-accept-queue-count-leak-on-transport-mismatch.patch
---

diff --git a/queue-6.6/series b/queue-6.6/series
index c3b8912dcd..17677e9fb4 100644
--- a/queue-6.6/series
+++ b/queue-6.6/series
@@ -461,3 +461,5 @@ tracing-probes-limit-size-of-event-probe-to-3k.patch
 usb-dwc3-move-guid-programming-after-phy-initialization.patch
 ceph-only-d_add-negative-dentries-when-they-are-unhashed.patch
 kvm-arm64-wake-up-from-wfi-when-iqrchip-is-in-userspace.patch
+vsock-fix-buffer-size-clamping-order.patch
+vsock-virtio-fix-accept-queue-count-leak-on-transport-mismatch.patch
diff --git a/queue-6.6/vsock-fix-buffer-size-clamping-order.patch b/queue-6.6/vsock-fix-buffer-size-clamping-order.patch
new file mode 100644
index 0000000000..d383244397
--- /dev/null
+++ b/queue-6.6/vsock-fix-buffer-size-clamping-order.patch
@@ -0,0 +1,50 @@
+From d114bfdc9b76bf93b881e195b7ec957c14227bab Mon Sep 17 00:00:00 2001
+From: Norbert Szetei <norbert@doyensec.com>
+Date: Thu, 9 Apr 2026 18:34:12 +0200
+Subject: vsock: fix buffer size clamping order
+
+From: Norbert Szetei <norbert@doyensec.com>
+
+commit d114bfdc9b76bf93b881e195b7ec957c14227bab upstream.
+
+In vsock_update_buffer_size(), the buffer size was being clamped to the
+maximum first, and then to the minimum. If a user sets a minimum buffer
+size larger than the maximum, the minimum check overrides the maximum
+check, inverting the constraint.
+
+This breaks the intended socket memory boundaries by allowing the
+vsk->buffer_size to grow beyond the configured vsk->buffer_max_size.
+
+Fix this by checking the minimum first, and then the maximum. This
+ensures the buffer size never exceeds the buffer_max_size.
+
+Fixes: b9f2b0ffde0c ("vsock: handle buffer_size sockopts in the core")
+Suggested-by: Stefano Garzarella <sgarzare@redhat.com>
+Signed-off-by: Norbert Szetei <norbert@doyensec.com>
+Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
+Link: https://patch.msgid.link/180118C5-8BCF-4A63-A305-4EE53A34AB9C@doyensec.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Cc: Luigi Leonardi <leonardi@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/vmw_vsock/af_vsock.c |    6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/net/vmw_vsock/af_vsock.c
++++ b/net/vmw_vsock/af_vsock.c
+@@ -1728,12 +1728,12 @@ static void vsock_update_buffer_size(str
+ 				     const struct vsock_transport *transport,
+ 				     u64 val)
+ {
+-	if (val > vsk->buffer_max_size)
+-		val = vsk->buffer_max_size;
+-
+ 	if (val < vsk->buffer_min_size)
+ 		val = vsk->buffer_min_size;
+ 
++	if (val > vsk->buffer_max_size)
++		val = vsk->buffer_max_size;
++
+ 	if (val != vsk->buffer_size &&
+ 	    transport && transport->notify_buffer_size)
+ 		transport->notify_buffer_size(vsk, &val);
diff --git a/queue-6.6/vsock-virtio-fix-accept-queue-count-leak-on-transport-mismatch.patch b/queue-6.6/vsock-virtio-fix-accept-queue-count-leak-on-transport-mismatch.patch
new file mode 100644
index 0000000000..27efd21d2e
--- /dev/null
+++ b/queue-6.6/vsock-virtio-fix-accept-queue-count-leak-on-transport-mismatch.patch
@@ -0,0 +1,54 @@
+From 52bcb57a4e8a0865a76c587c2451906342ae1b2d Mon Sep 17 00:00:00 2001
+From: Dudu Lu <phx0fer@gmail.com>
+Date: Mon, 13 Apr 2026 21:14:09 +0800
+Subject: vsock/virtio: fix accept queue count leak on transport mismatch
+
+From: Dudu Lu <phx0fer@gmail.com>
+
+commit 52bcb57a4e8a0865a76c587c2451906342ae1b2d upstream.
+
+virtio_transport_recv_listen() calls sk_acceptq_added() before
+vsock_assign_transport(). If vsock_assign_transport() fails or
+selects a different transport, the error path returns without
+calling sk_acceptq_removed(), permanently incrementing
+sk_ack_backlog.
+
+After approximately backlog+1 such failures, sk_acceptq_is_full()
+returns true, causing the listener to reject all new connections.
+
+Fix by moving sk_acceptq_added() to after the transport validation,
+matching the pattern used by vmci_transport and hyperv_transport.
+
+Fixes: c0cfa2d8a788 ("vsock: add multi-transports support")
+Signed-off-by: Dudu Lu <phx0fer@gmail.com>
+Reviewed-by: Bobby Eshleman <bobbyeshleman@meta.com>
+Reviewed-by: Luigi Leonardi <leonardi@redhat.com>
+Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
+Acked-by: Michael S. Tsirkin <mst@redhat.com>
+Link: https://patch.msgid.link/20260413131409.19022-1-phx0fer@gmail.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Cc: Luigi Leonardi <leonardi@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/vmw_vsock/virtio_transport_common.c |    3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/net/vmw_vsock/virtio_transport_common.c
++++ b/net/vmw_vsock/virtio_transport_common.c
+@@ -1353,8 +1353,6 @@ virtio_transport_recv_listen(struct sock
+ 		return -ENOMEM;
+ 	}
+ 
+-	sk_acceptq_added(sk);
+-
+ 	lock_sock_nested(child, SINGLE_DEPTH_NESTING);
+ 
+ 	child->sk_state = TCP_ESTABLISHED;
+@@ -1376,6 +1374,7 @@ virtio_transport_recv_listen(struct sock
+ 		return ret;
+ 	}
+ 
++	sk_acceptq_added(sk);
+ 	if (virtio_transport_space_update(child, skb))
+ 		child->sk_write_space(child);
+