From: Greg Kroah-Hartman Date: Mon, 1 Sep 2025 13:42:28 +0000 (+0200) Subject: 6.16-stable patches X-Git-Tag: v5.4.298~16 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=3babd502b0a5bad7dd2a2bb2ecade292d3696904;p=thirdparty%2Fkernel%2Fstable-queue.git 6.16-stable patches added patches: net-rose-fix-a-typo-in-rose_clear_routes.patch --- diff --git a/queue-6.16/net-rose-fix-a-typo-in-rose_clear_routes.patch b/queue-6.16/net-rose-fix-a-typo-in-rose_clear_routes.patch new file mode 100644 index 0000000000..28d4bf76d1 --- /dev/null +++ b/queue-6.16/net-rose-fix-a-typo-in-rose_clear_routes.patch @@ -0,0 +1,51 @@ +From 1cc8a5b534e5f9b5e129e54ee2e63c9f5da4f39a Mon Sep 17 00:00:00 2001 +From: Eric Dumazet +Date: Wed, 27 Aug 2025 17:21:49 +0000 +Subject: net: rose: fix a typo in rose_clear_routes() + +From: Eric Dumazet + +commit 1cc8a5b534e5f9b5e129e54ee2e63c9f5da4f39a upstream. + +syzbot crashed in rose_clear_routes(), after a recent patch typo. + +KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017] +CPU: 0 UID: 0 PID: 10591 Comm: syz.3.1856 Not tainted syzkaller #0 PREEMPT(full) +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025 + RIP: 0010:rose_clear_routes net/rose/rose_route.c:565 [inline] + RIP: 0010:rose_rt_ioctl+0x162/0x1250 net/rose/rose_route.c:760 + + rose_ioctl+0x3ce/0x8b0 net/rose/af_rose.c:1381 + sock_do_ioctl+0xd9/0x300 net/socket.c:1238 + sock_ioctl+0x576/0x790 net/socket.c:1359 + vfs_ioctl fs/ioctl.c:51 [inline] + __do_sys_ioctl fs/ioctl.c:598 [inline] + __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:584 + do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] + do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + +Fixes: da9c9c877597 ("net: rose: include node references in rose_neigh refcount") +Reported-by: syzbot+2eb8d1719f7cfcfa6840@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/netdev/68af3e29.a70a0220.3cafd4.002e.GAE@google.com/T/#u +Signed-off-by: Eric Dumazet +Cc: Takamitsu Iwai +Reviewed-by: Kuniyuki Iwashima +Link: https://patch.msgid.link/20250827172149.5359-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/rose/rose_route.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/rose/rose_route.c ++++ b/net/rose/rose_route.c +@@ -562,7 +562,7 @@ static int rose_clear_routes(void) + rose_node = rose_node->next; + + if (!t->loopback) { +- for (i = 0; i < rose_node->count; i++) ++ for (i = 0; i < t->count; i++) + rose_neigh_put(t->neighbour[i]); + rose_remove_node(t); + } diff --git a/queue-6.16/series b/queue-6.16/series index 86537c9c76..9fcec9387a 100644 --- a/queue-6.16/series +++ b/queue-6.16/series @@ -131,3 +131,4 @@ drm-amdgpu-userq-fix-error-handling-of-invalid-doorbell.patch drm-amdgpu-update-firmware-version-checks-for-user-queue-support.patch drm-amdgpu-gfx11-set-mqd-as-appriopriate-for-queue-types.patch drm-amdgpu-gfx12-set-mqd-as-appriopriate-for-queue-types.patch +net-rose-fix-a-typo-in-rose_clear_routes.patch