From: Greg Kroah-Hartman
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman, patches@lists.linux.dev, stable@kernel.org, Ido Schimmel, syzbot+9fdcc9f05a98a540b816@syzkaller.appspotmail.com, Sven Eckelmann, Sasha Levin
Subject: [PATCH 6.12 100/307] batman-adv: bla: avoid NULL-ptr deref for claim via dropped interface
Date: Sun, 7 Jun 2026 11:58:17 +0200
Message-ID: <20260607095731.457122382@linuxfoundation.org>
X-Mailer: git-send-email 2.54.0
In-Reply-To: <20260607095727.647295505@linuxfoundation.org>
References: <20260607095727.647295505@linuxfoundation.org>
User-Agent: quilt/0.69
X-stable: review
X-Patchwork-Hint: ignore
Precedence: bulk
X-Mailing-List: patches@lists.linux.dev
List-Id:
List-Subscribe:
List-Unsubscribe:
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

6.12-stable review patch. If anyone has any objections, please let me know.

------------------

From: Sven Eckelmann

commit f80d3d98d2ff78d9e2fe5d68b1f45948c4f7bd24 upstream.

Without rtnl_lock held, a hardif might be retrieved as primary interface of
a meshif, but then (while operating on this interface) getting decoupled
from the mesh interface. In this case, the meshif still exists but the
pointer from the primary hardif to the meshif is set to NULL.

The mesh_iface must be checked first to be non-NULL before continuing to
send an ARP request using meshif.

Cc: stable@kernel.org
Fixes: 23721387c409 ("batman-adv: add basic bridge loop avoidance code")
Reported-by: Ido Schimmel
Reported-by: syzbot+9fdcc9f05a98a540b816@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=9fdcc9f05a98a540b816
[ switch to old "mesh_iface" name "soft_iface" ]
Signed-off-by: Sven Eckelmann
Signed-off-by: Sasha Levin
---
 net/batman-adv/bridge_loop_avoidance.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/net/batman-adv/bridge_loop_avoidance.c b/net/batman-adv/bridge_loop_avoidance.c index e77f3ef3d7336a..17db4191ddb39e 100644 --- a/net/batman-adv/bridge_loop_avoidance.c 
+++ b/net/batman-adv/bridge_loop_avoidance.c @@ -356,12 +356,14 @@ static void batadv_bla_send_claim(struct batadv_priv *bat_priv, const u8 *mac, sizeof(local_claim_dest)); local_claim_dest.type = claimtype; - soft_iface = primary_if->soft_iface; + soft_iface = READ_ONCE(primary_if->soft_iface); + if (!soft_iface) + goto out; skb = arp_create(ARPOP_REPLY, ETH_P_ARP, /* IP DST: 0.0.0.0 */ zeroip, - primary_if->soft_iface, + soft_iface, /* IP SRC: 0.0.0.0 */ zeroip, /* Ethernet DST: Broadcast */ -- 2.53.0
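Review bot: the early exit added right after `soft_iface = READ_ONCE(primary_if->soft_iface);` jumps to `out`, a label that lies outside the visible context, and it does so before `skb` is assigned by `arp_create()` in this hunk. Please confirm that the `out` path in the 6.12 tree does not touch `skb` and still undoes whatever the function set up before this point. The `READ_ONCE()` itself is what makes the check sound, since the checked value and the one passed to `arp_create()` now come from a single load instead of the two separate reads of `primary_if->soft_iface` in the old code. The store that sets the pointer to NULL is not part of this one-file patch, so it is worth stating in review whether that side is annotated to match. A one-line comment above `if (!soft_iface)` saying that the hard interface can be decoupled from the mesh interface without rtnl_lock held would keep the reason for the check next to the code rather than only in the commit message.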