From c7b14436d1ec8ffe29ef1b31f3182c01b067f582 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Sat, 12 Jul 2025 15:49:46 +0200
Subject: [PATCH] 6.12-stable patches

added patches:
	rxrpc-fix-oops-due-to-non-existence-of-prealloc-backlog-struct.patch
---
 ...existence-of-prealloc-backlog-struct.patch | 44 +++++++++++++++++++
 queue-6.12/series                             |  1 +
 2 files changed, 45 insertions(+)
 create mode 100644 queue-6.12/rxrpc-fix-oops-due-to-non-existence-of-prealloc-backlog-struct.patch

diff --git a/queue-6.12/rxrpc-fix-oops-due-to-non-existence-of-prealloc-backlog-struct.patch b/queue-6.12/rxrpc-fix-oops-due-to-non-existence-of-prealloc-backlog-struct.patch
new file mode 100644
index 0000000000..f3ccee3aa5
--- /dev/null
+++ b/queue-6.12/rxrpc-fix-oops-due-to-non-existence-of-prealloc-backlog-struct.patch
@@ -0,0 +1,44 @@
+From 880a88f318cf1d2a0f4c0a7ff7b07e2062b434a4 Mon Sep 17 00:00:00 2001
+From: David Howells <dhowells@redhat.com>
+Date: Tue, 8 Jul 2025 22:15:04 +0100
+Subject: rxrpc: Fix oops due to non-existence of prealloc backlog struct
+
+From: David Howells <dhowells@redhat.com>
+
+commit 880a88f318cf1d2a0f4c0a7ff7b07e2062b434a4 upstream.
+
+If an AF_RXRPC service socket is opened and bound, but calls are
+preallocated, then rxrpc_alloc_incoming_call() will oops because the
+rxrpc_backlog struct doesn't get allocated until the first preallocation is
+made.
+
+Fix this by returning NULL from rxrpc_alloc_incoming_call() if there is no
+backlog struct.  This will cause the incoming call to be aborted.
+
+Reported-by: Junvyyang, Tencent Zhuque Lab <zhuque@tencent.com>
+Suggested-by: Junvyyang, Tencent Zhuque Lab <zhuque@tencent.com>
+Signed-off-by: David Howells <dhowells@redhat.com>
+cc: LePremierHomme <kwqcheii@proton.me>
+cc: Marc Dionne <marc.dionne@auristor.com>
+cc: Willy Tarreau <w@1wt.eu>
+cc: Simon Horman <horms@kernel.org>
+cc: linux-afs@lists.infradead.org
+Link: https://patch.msgid.link/20250708211506.2699012-3-dhowells@redhat.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/rxrpc/call_accept.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/rxrpc/call_accept.c
++++ b/net/rxrpc/call_accept.c
+@@ -254,6 +254,9 @@ static struct rxrpc_call *rxrpc_alloc_in
+ 	unsigned short call_tail, conn_tail, peer_tail;
+ 	unsigned short call_count, conn_count;
+ 
++	if (!b)
++		return NULL;
++
+ 	/* #calls >= #conns >= #peers must hold true. */
+ 	call_head = smp_load_acquire(&b->call_backlog_head);
+ 	call_tail = b->call_backlog_tail;
diff --git a/queue-6.12/series b/queue-6.12/series
index 89765d7478..e53bfd5041 100644
--- a/queue-6.12/series
+++ b/queue-6.12/series
@@ -45,3 +45,4 @@ atm-clip-fix-null-pointer-dereference-in-vcc_sendmsg.patch
 net-ethernet-ti-am65-cpsw-nuss-fix-skb-size-by-accou.patch
 net-sched-abort-__tc_modify_qdisc-if-parent-class-do.patch
 rxrpc-fix-bug-due-to-prealloc-collision.patch
+rxrpc-fix-oops-due-to-non-existence-of-prealloc-backlog-struct.patch
-- 
2.47.2