CVE-2022-49450

Severity CVSS v4.0:
Pending analysis
Type:
CWE-476 NULL Pointer Dereference
Publication date:
26/02/2025
Last modified:
01/10/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

rxrpc: Fix listen() setting the bar too high for the prealloc rings

AF_RXRPC's listen() handler lets you set the backlog up to 32 (if you bump
up the sysctl), but whilst the preallocation circular buffers have 32 slots
in them, one of them has to be a dead slot because we're using CIRC_CNT().

This means that listen(rxrpc_sock, 32) will cause an oops when the socket
is closed because rxrpc_service_prealloc_one() allocated one too many calls
and rxrpc_discard_prealloc() won't then be able to get rid of them because
it'll think the ring is empty. rxrpc_release_calls_on_socket() then tries
to abort them, but oopses because call->peer isn't yet set.

Fix this by setting the maximum backlog to RXRPC_BACKLOG_MAX - 1 to match
the ring capacity.

BUG: kernel NULL pointer dereference, address: 0000000000000086
...
RIP: 0010:rxrpc_send_abort_packet+0x73/0x240 [rxrpc]
Call Trace:

? __wake_up_common_lock+0x7a/0x90
? rxrpc_notify_socket+0x8e/0x140 [rxrpc]
? rxrpc_abort_call+0x4c/0x60 [rxrpc]
rxrpc_release_calls_on_socket+0x107/0x1a0 [rxrpc]
rxrpc_release+0xc9/0x1c0 [rxrpc]
__sock_release+0x37/0xa0
sock_close+0x11/0x20
__fput+0x89/0x240
task_work_run+0x59/0x90
do_exit+0x319/0xaa0
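The off-by-one above comes down to ring arithmetic, so here is an added, user-space model (not the page's or the kernel's code) of a 32-slot prealloc ring using the CIRC_CNT() definition from <linux/circ_buf.h>. The prealloc_one()/discard_prealloc() bodies and the "fill while CIRC_CNT < backlog" guard are assumptions that simplify the real rxrpc functions; they show why a backlog of 32 leaves calls the discard path cannot see, and how clamping to RXRPC_BACKLOG_MAX - 1 removes the problem.

```c
#include <stdio.h>

/* Constructed model of the rxrpc preallocation ring (not kernel code). */
#define RXRPC_BACKLOG_MAX 32   /* 32 slots, but only 31 usable */
/* Definitions as in <linux/circ_buf.h>: head == tail means "empty",
 * so one slot must always stay unused. */
#define CIRC_CNT(head, tail, size)   (((head) - (tail)) & ((size) - 1))
#define CIRC_SPACE(head, tail, size) CIRC_CNT((tail), ((head) + 1), (size))

struct prealloc_ring {
    unsigned int head;   /* next slot the preallocator fills */
    unsigned int tail;   /* next slot discarded or handed to accept() */
};

/* Simplified rxrpc_service_prealloc_one(): fills a slot as long as the
 * ring holds fewer than `backlog` calls. With backlog == size this check
 * never refuses the 32nd call, which wraps head back onto tail. */
static int prealloc_one(struct prealloc_ring *r, unsigned int backlog)
{
    if (CIRC_CNT(r->head, r->tail, RXRPC_BACKLOG_MAX) >= backlog)
        return 0;
    r->head = (r->head + 1) & (RXRPC_BACKLOG_MAX - 1);
    return 1;
}

/* Simplified rxrpc_discard_prealloc(): frees whatever CIRC_CNT reports. */
static unsigned int discard_prealloc(struct prealloc_ring *r)
{
    unsigned int n = CIRC_CNT(r->head, r->tail, RXRPC_BACKLOG_MAX);
    r->tail = r->head;
    return n;
}

/* Preallocate for `backlog`, then "close" the socket. Returns the number
 * of allocated calls the discard path could not see; in the kernel these
 * are the ones rxrpc_release_calls_on_socket() later trips over. */
unsigned int unseen_after_close(unsigned int backlog)
{
    struct prealloc_ring r = { 0, 0 };
    unsigned int allocated = 0;
    for (unsigned int i = 0; i < backlog; i++)
        allocated += prealloc_one(&r, backlog);
    return allocated - discard_prealloc(&r);
}

/* The fix: cap the requested backlog at the ring's real capacity. */
unsigned int clamp_backlog(unsigned int requested)
{
    unsigned int max = RXRPC_BACKLOG_MAX - 1;
    return requested > max ? max : requested;
}
```

Running unseen_after_close(32) returns 32 because head wraps to 0 == tail and CIRC_CNT reports an empty ring, while unseen_after_close(clamp_backlog(32)) returns 0.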

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 4.9 (including) 4.9.318 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 4.10 (including) 4.14.283 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 4.15 (including) 4.19.247 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 4.20 (including) 5.4.198 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.5 (including) 5.10.121 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.11 (including) 5.15.46 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.16 (including) 5.17.14 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.18 (including) 5.18.3 (excluding)