CVE-2022-49450

In the Linux kernel, the following vulnerability has been resolved:

rxrpc: Fix listen() setting the bar too high for the prealloc rings

AFRXRPC's listen() handler lets you set the backlog up to 32 (if you bump up the sysctl), but whilst the preallocation circular buffers have 32 slots in them, one of them has to be a dead slot because we're using CIRCCNT().

This means that listen(rxrpcsock, 32) will cause an oops when the socket is closed because rxrpcservicepreallocone() allocated one too many calls and rxrpcdiscardprealloc() won't then be able to get rid of them because it'll think the ring is empty. rxrpcreleasecallsonsocket() then tries to abort them, but oopses because call->peer isn't yet set.

Fix this by setting the maximum backlog to RXRPCBACKLOGMAX - 1 to match the ring capacity.

BUG: kernel NULL pointer dereference, address: 0000000000000086 ... RIP: 0010:rxrpcsendabort_packet+0x73/0x240 [rxrpc] Call Trace: <TASK> ? __wakeupcommonlock+0x7a/0x90 ? rxrpcnotifysocket+0x8e/0x140 [rxrpc] ? rxrpcabortcall+0x4c/0x60 [rxrpc] rxrpcreleasecallsonsocket+0x107/0x1a0 [rxrpc] rxrpcrelease+0xc9/0x1c0 [rxrpc] __sockrelease+0x37/0xa0 sockclose+0x11/0x20 _fput+0x89/0x240 taskworkrun+0x59/0x90 doexit+0x319/0xaa0