From 9bed1fb5677926a967a97be9349618651330a3c4 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Mon, 1 Sep 2025 15:43:21 +0200 Subject: [PATCH] 6.1-stable patches added patches: net-rose-fix-a-typo-in-rose_clear_routes.patch --- ...rose-fix-a-typo-in-rose_clear_routes.patch | 51 +++++++++++++++++++ queue-6.1/series | 1 + 2 files changed, 52 insertions(+) create mode 100644 queue-6.1/net-rose-fix-a-typo-in-rose_clear_routes.patch diff --git a/queue-6.1/net-rose-fix-a-typo-in-rose_clear_routes.patch b/queue-6.1/net-rose-fix-a-typo-in-rose_clear_routes.patch new file mode 100644 index 0000000000..28d4bf76d1 --- /dev/null +++ b/queue-6.1/net-rose-fix-a-typo-in-rose_clear_routes.patch @@ -0,0 +1,51 @@ +From 1cc8a5b534e5f9b5e129e54ee2e63c9f5da4f39a Mon Sep 17 00:00:00 2001 +From: Eric Dumazet +Date: Wed, 27 Aug 2025 17:21:49 +0000 +Subject: net: rose: fix a typo in rose_clear_routes() + +From: Eric Dumazet + +commit 1cc8a5b534e5f9b5e129e54ee2e63c9f5da4f39a upstream. + +syzbot crashed in rose_clear_routes(), after a recent patch typo. + +KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017] +CPU: 0 UID: 0 PID: 10591 Comm: syz.3.1856 Not tainted syzkaller #0 PREEMPT(full) +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025 + RIP: 0010:rose_clear_routes net/rose/rose_route.c:565 [inline] + RIP: 0010:rose_rt_ioctl+0x162/0x1250 net/rose/rose_route.c:760 + + rose_ioctl+0x3ce/0x8b0 net/rose/af_rose.c:1381 + sock_do_ioctl+0xd9/0x300 net/socket.c:1238 + sock_ioctl+0x576/0x790 net/socket.c:1359 + vfs_ioctl fs/ioctl.c:51 [inline] + __do_sys_ioctl fs/ioctl.c:598 [inline] + __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:584 + do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] + do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + +Fixes: da9c9c877597 ("net: rose: include node references in rose_neigh refcount") +Reported-by: syzbot+2eb8d1719f7cfcfa6840@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/netdev/68af3e29.a70a0220.3cafd4.002e.GAE@google.com/T/#u +Signed-off-by: Eric Dumazet +Cc: Takamitsu Iwai +Reviewed-by: Kuniyuki Iwashima +Link: https://patch.msgid.link/20250827172149.5359-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/rose/rose_route.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/rose/rose_route.c ++++ b/net/rose/rose_route.c +@@ -562,7 +562,7 @@ static int rose_clear_routes(void) + rose_node = rose_node->next; + + if (!t->loopback) { +- for (i = 0; i < rose_node->count; i++) ++ for (i = 0; i < t->count; i++) + rose_neigh_put(t->neighbour[i]); + rose_remove_node(t); + } diff --git a/queue-6.1/series b/queue-6.1/series index d78905d4d8..61ef781ba0 100644 --- a/queue-6.1/series +++ b/queue-6.1/series @@ -43,3 +43,4 @@ fs-smb-fix-inconsistent-refcnt-update.patch net-usb-qmi_wwan-add-telit-cinterion-le910c4-wwx-new-compositions.patch smb3-client-fix-return-code-mapping-of-remap_file_range.patch drm-nouveau-disp-always-accept-linear-modifier.patch +net-rose-fix-a-typo-in-rose_clear_routes.patch -- 2.47.3