summaryrefslogtreecommitdiff
path: root/net/rxrpc
diff options
context:
space:
mode:
authorLinus Torvalds <torvalds@linux-foundation.org>2025-07-10 09:18:53 -0700
committerLinus Torvalds <torvalds@linux-foundation.org>2025-07-10 09:18:53 -0700
commitbc9ff192a6c940d9a26e21a0a82f2667067aaf5f (patch)
treea7ccbab8a443ad983eaea6bcf74127d39d24920b /net/rxrpc
parent73d7cf07109e79b093d1a1fb57a88d4048cd9b4b (diff)
parentdd831ac8221e691e9e918585b1003c7071df0379 (diff)
Merge tag 'net-6.16-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/netHEADmaster
Pull networking fixes from Paolo Abeni: "Including fixes from Bluetooth. Current release - regressions: - tcp: refine sk_rcvbuf increase for ooo packets - bluetooth: fix attempting to send HCI_Disconnect to BIS handle - rxrpc: fix over large frame size warning - eth: bcmgenet: initialize u64 stats seq counter Previous releases - regressions: - tcp: correct signedness in skb remaining space calculation - sched: abort __tc_modify_qdisc if parent class does not exist - vsock: fix transport_{g2h,h2g} TOCTOU - rxrpc: fix bug due to prealloc collision - tipc: fix use-after-free in tipc_conn_close(). - bluetooth: fix not marking Broadcast Sink BIS as connected - phy: qca808x: fix WoL issue by utilizing at8031_set_wol() - eth: am65-cpsw-nuss: fix skb size by accounting for skb_shared_info Previous releases - always broken: - netlink: fix wraparounds of sk->sk_rmem_alloc. - atm: fix infinite recursive call of clip_push(). - eth: - stmmac: fix interrupt handling for level-triggered mode in DWC_XGMAC2 - rtsn: fix a null pointer dereference in rtsn_probe()" * tag 'net-6.16-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (37 commits) net/sched: sch_qfq: Fix null-deref in agg_dequeue rxrpc: Fix oops due to non-existence of prealloc backlog struct rxrpc: Fix bug due to prealloc collision MAINTAINERS: remove myself as netronome maintainer selftests/net: packetdrill: add tcp_ooo-before-and-after-accept.pkt tcp: refine sk_rcvbuf increase for ooo packets net/sched: Abort __tc_modify_qdisc if parent class does not exist net: ethernet: ti: am65-cpsw-nuss: Fix skb size by accounting for skb_shared_info net: thunderx: avoid direct MTU assignment after WRITE_ONCE() selftests/tc-testing: Create test case for UAF scenario with DRR/NETEM/BLACKHOLE chain atm: clip: Fix NULL pointer dereference in vcc_sendmsg() atm: clip: Fix infinite recursive call of clip_push(). atm: clip: Fix memory leak of struct clip_vcc. atm: clip: Fix potential null-ptr-deref in to_atmarpd(). net: phy: smsc: Fix link failure in forced mode with Auto-MDIX net: phy: smsc: Force predictable MDI-X state on LAN87xx net: phy: smsc: Fix Auto-MDIX configuration when disabled by strap net: stmmac: Fix interrupt handling for level-triggered mode in DWC_XGMAC2 rxrpc: Fix over large frame size warning net: airoha: Fix an error handling path in airoha_probe() ...
Diffstat (limited to 'net/rxrpc')
-rw-r--r--net/rxrpc/ar-internal.h15
-rw-r--r--net/rxrpc/call_accept.c4
-rw-r--r--net/rxrpc/output.c5
3 files changed, 17 insertions, 7 deletions
diff --git a/net/rxrpc/ar-internal.h b/net/rxrpc/ar-internal.h
index 5bd3922c310d..376e33dce8c1 100644
--- a/net/rxrpc/ar-internal.h
+++ b/net/rxrpc/ar-internal.h
@@ -361,12 +361,15 @@ struct rxrpc_local {
struct list_head new_client_calls; /* Newly created client calls need connection */
spinlock_t client_call_lock; /* Lock for ->new_client_calls */
struct sockaddr_rxrpc srx; /* local address */
- /* Provide a kvec table sufficiently large to manage either a DATA
- * packet with a maximum set of jumbo subpackets or a PING ACK padded
- * out to 64K with zeropages for PMTUD.
- */
- struct kvec kvec[1 + RXRPC_MAX_NR_JUMBO > 3 + 16 ?
- 1 + RXRPC_MAX_NR_JUMBO : 3 + 16];
+ union {
+ /* Provide a kvec table sufficiently large to manage either a
+ * DATA packet with a maximum set of jumbo subpackets or a PING
+ * ACK padded out to 64K with zeropages for PMTUD.
+ */
+ struct kvec kvec[1 + RXRPC_MAX_NR_JUMBO > 3 + 16 ?
+ 1 + RXRPC_MAX_NR_JUMBO : 3 + 16];
+ struct bio_vec bvec[3 + 16];
+ };
};
/*
diff --git a/net/rxrpc/call_accept.c b/net/rxrpc/call_accept.c
index a4b363b47cca..49fccee1a726 100644
--- a/net/rxrpc/call_accept.c
+++ b/net/rxrpc/call_accept.c
@@ -149,6 +149,7 @@ static int rxrpc_service_prealloc_one(struct rxrpc_sock *rx,
id_in_use:
write_unlock(&rx->call_lock);
+ rxrpc_prefail_call(call, RXRPC_CALL_LOCAL_ERROR, -EBADSLT);
rxrpc_cleanup_call(call);
_leave(" = -EBADSLT");
return -EBADSLT;
@@ -254,6 +255,9 @@ static struct rxrpc_call *rxrpc_alloc_incoming_call(struct rxrpc_sock *rx,
unsigned short call_tail, conn_tail, peer_tail;
unsigned short call_count, conn_count;
+ if (!b)
+ return NULL;
+
/* #calls >= #conns >= #peers must hold true. */
call_head = smp_load_acquire(&b->call_backlog_head);
call_tail = b->call_backlog_tail;
diff --git a/net/rxrpc/output.c b/net/rxrpc/output.c
index 0af19bcdc80a..ef7b3096c95e 100644
--- a/net/rxrpc/output.c
+++ b/net/rxrpc/output.c
@@ -924,7 +924,7 @@ void rxrpc_send_response(struct rxrpc_connection *conn, struct sk_buff *response
{
struct rxrpc_skb_priv *sp = rxrpc_skb(response);
struct scatterlist sg[16];
- struct bio_vec bvec[16];
+ struct bio_vec *bvec = conn->local->bvec;
struct msghdr msg;
size_t len = sp->resp.len;
__be32 wserial;
@@ -938,6 +938,9 @@ void rxrpc_send_response(struct rxrpc_connection *conn, struct sk_buff *response
if (ret < 0)
goto fail;
nr_sg = ret;
+ ret = -EIO;
+ if (WARN_ON_ONCE(nr_sg > ARRAY_SIZE(conn->local->bvec)))
+ goto fail;
for (int i = 0; i < nr_sg; i++)
bvec_set_page(&bvec[i], sg_page(&sg[i]), sg[i].length, sg[i].offset);