Re: [PATCH v3 net] vsock: fix buffer size clamping order

Next message: Kiryl Shutsemau (Meta): "[RFC, PATCH 08/12] userfaultfd: enable UFFD_FEATURE_MINOR_ANON"
Previous message: Miklos Szeredi: "Re: [PATCH V10 00/10] famfs: port into fuse"
In reply to: patchwork-bot+netdevbpf: "Re: [PATCH v3 net] vsock: fix buffer size clamping order"
Next in thread: Stefano Garzarella: "Re: [PATCH v3 net] vsock: fix buffer size clamping order"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Michal Luczaj

Date: Tue Apr 14 2026 - 10:26:11 EST

On 4/9/26 18:34, Norbert Szetei wrote:
> In vsock_update_buffer_size(), the buffer size was being clamped to the
> maximum first, and then to the minimum. If a user sets a minimum buffer
> size larger than the maximum, the minimum check overrides the maximum
> check, inverting the constraint.
>
> This breaks the intended socket memory boundaries by allowing the
> vsk->buffer_size to grow beyond the configured vsk->buffer_max_size.
>
> Fix this by checking the minimum first, and then the maximum. This
> ensures the buffer size never exceeds the buffer_max_size.

Something may be missing. After adding another ioctl to your reproducer, I
still see crashes.

SYSCHK(setsockopt(fd, AF_VSOCK, SO_VM_SOCKETS_BUFFER_MIN_SIZE, &min,
sizeof(min)));
+ SYSCHK(setsockopt(fd, AF_VSOCK, SO_VM_SOCKETS_BUFFER_MAX_SIZE, &min,
+ sizeof(min)));
}

[*] Setting buffer_min_size to 0x400000000.
[socket][0] sending...

refcount_t: saturated; leaking memory.
WARNING: lib/refcount.c:22 at refcount_warn_saturate+0x7d/0xb0, CPU#2:
a.out/1478
...
refcount_t: underflow; use-after-free.
WARNING: lib/refcount.c:28 at refcount_warn_saturate+0x50/0xb0, CPU#12:
kworker/12:0/80
Workqueue: vsock-loopback vsock_loopback_work
...