From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev,
syzbot+2eb8d1719f7cfcfa6840@syzkaller.appspotmail.com,
Eric Dumazet <edumazet@google.com>,
Takamitsu Iwai <takamitz@amazon.co.jp>,
Kuniyuki Iwashima <kuniyu@google.com>,
Jakub Kicinski <kuba@kernel.org>
Subject: [PATCH 6.6 70/75] net: rose: fix a typo in rose_clear_routes()
Date: Tue, 2 Sep 2025 15:21:22 +0200 [thread overview]
Message-ID: <20250902131937.858065169@linuxfoundation.org> (raw)
In-Reply-To: <20250902131935.107897242@linuxfoundation.org>
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
commit 1cc8a5b534e5f9b5e129e54ee2e63c9f5da4f39a upstream.
syzbot crashed in rose_clear_routes(), after a recent patch typo.
KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017]
CPU: 0 UID: 0 PID: 10591 Comm: syz.3.1856 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025
RIP: 0010:rose_clear_routes net/rose/rose_route.c:565 [inline]
RIP: 0010:rose_rt_ioctl+0x162/0x1250 net/rose/rose_route.c:760
<TASK>
rose_ioctl+0x3ce/0x8b0 net/rose/af_rose.c:1381
sock_do_ioctl+0xd9/0x300 net/socket.c:1238
sock_ioctl+0x576/0x790 net/socket.c:1359
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:598 [inline]
__se_sys_ioctl+0xfc/0x170 fs/ioctl.c:584
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Fixes: da9c9c877597 ("net: rose: include node references in rose_neigh refcount")
Reported-by: syzbot+2eb8d1719f7cfcfa6840@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/netdev/68af3e29.a70a0220.3cafd4.002e.GAE@google.com/T/#u
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Takamitsu Iwai <takamitz@amazon.co.jp>
Reviewed-by: Kuniyuki Iwashima <kuniyu@google.com>
Link: https://patch.msgid.link/20250827172149.5359-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/rose/rose_route.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/net/rose/rose_route.c
+++ b/net/rose/rose_route.c
@@ -562,7 +562,7 @@ static int rose_clear_routes(void)
rose_node = rose_node->next;
if (!t->loopback) {
- for (i = 0; i < rose_node->count; i++)
+ for (i = 0; i < t->count; i++)
rose_neigh_put(t->neighbour[i]);
rose_remove_node(t);
}
next prev parent reply other threads:[~2025-09-02 13:39 UTC|newest]
Thread overview: 83+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-09-02 13:20 [PATCH 6.6 00/75] 6.6.104-rc1 review Greg Kroah-Hartman
2025-09-02 13:20 ` [PATCH 6.6 01/75] of: dynamic: Fix memleak when of_pci_add_properties() failed Greg Kroah-Hartman
2025-09-02 13:20 ` [PATCH 6.6 02/75] pinctrl: STMFX: add missing HAS_IOMEM dependency Greg Kroah-Hartman
2025-09-02 13:20 ` [PATCH 6.6 03/75] mips: dts: lantiq: danube: add missing burst length property Greg Kroah-Hartman
2025-09-02 13:20 ` [PATCH 6.6 04/75] mips: lantiq: xway: sysctrl: rename the etop node Greg Kroah-Hartman
2025-09-02 13:20 ` [PATCH 6.6 05/75] of: Add a helper to free property struct Greg Kroah-Hartman
2025-09-02 13:20 ` [PATCH 6.6 06/75] of: dynamic: Fix use after free in of_changeset_add_prop_helper() Greg Kroah-Hartman
2025-09-02 13:20 ` [PATCH 6.6 07/75] ftrace: Fix potential warning in trace_printk_seq during ftrace_dump Greg Kroah-Hartman
2025-09-02 13:20 ` [PATCH 6.6 08/75] scsi: core: sysfs: Correct sysfs attributes access rights Greg Kroah-Hartman
2025-09-02 13:20 ` [PATCH 6.6 09/75] smb: client: fix race with concurrent opens in unlink(2) Greg Kroah-Hartman
2025-09-02 13:20 ` [PATCH 6.6 10/75] smb: client: fix race with concurrent opens in rename(2) Greg Kroah-Hartman
2025-09-02 13:20 ` [PATCH 6.6 11/75] ASoC: codecs: tx-macro: correct tx_macro_component_drv name Greg Kroah-Hartman
2025-09-02 13:20 ` [PATCH 6.6 12/75] erofs: fix atomic context detection when !CONFIG_DEBUG_LOCK_ALLOC Greg Kroah-Hartman
2025-09-02 13:20 ` [PATCH 6.6 13/75] ACPI: EC: Add device to acpi_ec_no_wakeup[] qurik list Greg Kroah-Hartman
2025-09-02 13:20 ` [PATCH 6.6 14/75] nfs: fold nfs_page_group_lock_subrequests into nfs_lock_and_join_requests Greg Kroah-Hartman
2025-09-02 13:20 ` [PATCH 6.6 15/75] NFS: Fix a race when updating an existing write Greg Kroah-Hartman
2025-09-02 13:20 ` [PATCH 6.6 16/75] vhost/net: Protect ubufs with rcu read lock in vhost_net_ubuf_put() Greg Kroah-Hartman
2025-09-02 13:20 ` [PATCH 6.6 17/75] net: ipv4: fix regression in local-broadcast routes Greg Kroah-Hartman
2025-09-02 13:20 ` [PATCH 6.6 18/75] drm/msm: Defer fd_install in SUBMIT ioctl Greg Kroah-Hartman
2025-09-02 13:20 ` [PATCH 6.6 19/75] powerpc/kvm: Fix ifdef to remove build warning Greg Kroah-Hartman
2025-09-02 13:20 ` [PATCH 6.6 20/75] HID: input: rename hidinput_set_battery_charge_status() Greg Kroah-Hartman
2025-09-02 13:20 ` [PATCH 6.6 21/75] HID: input: report battery status changes immediately Greg Kroah-Hartman
2025-09-02 13:20 ` [PATCH 6.6 22/75] Bluetooth: hci_event: Treat UNKNOWN_CONN_ID on disconnect as success Greg Kroah-Hartman
2025-09-02 13:20 ` [PATCH 6.6 23/75] Bluetooth: hci_event: Mark connection as closed during suspend disconnect Greg Kroah-Hartman
2025-09-02 13:20 ` [PATCH 6.6 24/75] Bluetooth: hci_event: Detect if HCI_EV_NUM_COMP_PKTS is unbalanced Greg Kroah-Hartman
2025-09-02 13:20 ` [PATCH 6.6 25/75] Bluetooth: hci_sync: fix set_local_name race condition Greg Kroah-Hartman
2025-09-02 13:20 ` [PATCH 6.6 26/75] atm: atmtcp: Prevent arbitrary write in atmtcp_recv_control() Greg Kroah-Hartman
2025-09-02 13:20 ` [PATCH 6.6 27/75] drm/nouveau: remove unused increment in gm200_flcn_pio_imem_wr Greg Kroah-Hartman
2025-09-02 13:20 ` [PATCH 6.6 28/75] drm/nouveau: remove unused memory target test Greg Kroah-Hartman
2025-09-02 13:20 ` [PATCH 6.6 29/75] ice: Introduce ice_xdp_buff Greg Kroah-Hartman
2025-09-02 13:20 ` [PATCH 6.6 30/75] ice: gather page_count()s of each frag right before XDP prog call Greg Kroah-Hartman
2025-09-02 13:20 ` [PATCH 6.6 31/75] ice: stop storing XDP verdict within ice_rx_buf Greg Kroah-Hartman
2025-09-02 13:20 ` [PATCH 6.6 32/75] ice: fix incorrect counter for buffer allocation failures Greg Kroah-Hartman
2025-09-02 13:20 ` [PATCH 6.6 33/75] dt-bindings: display/msm: qcom,mdp5: drop lut clock Greg Kroah-Hartman
2025-09-02 13:20 ` [PATCH 6.6 34/75] net: dlink: fix multicast stats being counted incorrectly Greg Kroah-Hartman
2025-09-02 13:20 ` [PATCH 6.6 35/75] phy: mscc: Fix when PTP clock is register and unregister Greg Kroah-Hartman
2025-09-02 13:20 ` [PATCH 6.6 36/75] net/mlx5: Reload auxiliary drivers on fw_activate Greg Kroah-Hartman
2025-09-02 13:20 ` [PATCH 6.6 37/75] net/mlx5: Add device cap for supporting hot reset in sync reset flow Greg Kroah-Hartman
2025-09-02 13:20 ` [PATCH 6.6 38/75] net/mlx5: Add support for sync reset using hot reset Greg Kroah-Hartman
2025-09-02 13:20 ` [PATCH 6.6 39/75] net/mlx5: Fix lockdep assertion on sync reset unload event Greg Kroah-Hartman
2025-09-02 13:20 ` [PATCH 6.6 40/75] net/mlx5: Call mlx5_sf_id_erase() once in mlx5_sf_dealloc() Greg Kroah-Hartman
2025-09-02 13:20 ` [PATCH 6.6 41/75] net/mlx5: Use devlink port pointer to get the pointer of container SF struct Greg Kroah-Hartman
2025-09-02 13:20 ` [PATCH 6.6 42/75] net/mlx5: Convert SF port_indices xarray to function_ids xarray Greg Kroah-Hartman
2025-09-02 13:20 ` [PATCH 6.6 43/75] net/mlx5: Nack sync reset when SFs are present Greg Kroah-Hartman
2025-09-02 13:20 ` [PATCH 6.6 44/75] net/mlx5e: Update and set Xon/Xoff upon MTU set Greg Kroah-Hartman
2025-09-02 13:20 ` [PATCH 6.6 45/75] net/mlx5e: Update and set Xon/Xoff upon port speed set Greg Kroah-Hartman
2025-09-02 13:20 ` [PATCH 6.6 46/75] net/mlx5e: Set local Xoff after FW update Greg Kroah-Hartman
2025-09-02 13:20 ` [PATCH 6.6 47/75] net: stmmac: xgmac: Do not enable RX FIFO Overflow interrupts Greg Kroah-Hartman
2025-09-02 13:21 ` [PATCH 6.6 48/75] net: stmmac: Rename phylink_get_caps() callback to update_caps() Greg Kroah-Hartman
2025-09-02 13:21 ` [PATCH 6.6 49/75] net: stmmac: xgmac: Correct supported speed modes Greg Kroah-Hartman
2025-09-02 13:21 ` [PATCH 6.6 50/75] net: stmmac: Set CIC bit only for TX queues with COE Greg Kroah-Hartman
2025-09-02 13:21 ` [PATCH 6.6 51/75] net: rose: split remove and free operations in rose_remove_neigh() Greg Kroah-Hartman
2025-09-02 13:21 ` [PATCH 6.6 52/75] net: rose: convert use field to refcount_t Greg Kroah-Hartman
2025-09-02 13:21 ` [PATCH 6.6 53/75] net: rose: include node references in rose_neigh refcount Greg Kroah-Hartman
2025-09-02 13:21 ` [PATCH 6.6 54/75] sctp: initialize more fields in sctp_v6_from_sk() Greg Kroah-Hartman
2025-09-02 13:21 ` [PATCH 6.6 55/75] efivarfs: Fix slab-out-of-bounds in efivarfs_d_compare Greg Kroah-Hartman
2025-09-02 13:21 ` [PATCH 6.6 56/75] KVM: x86: use array_index_nospec with indices that come from guest Greg Kroah-Hartman
2025-09-02 13:21 ` [PATCH 6.6 57/75] x86/microcode/AMD: Handle the case of no BIOS microcode Greg Kroah-Hartman
2025-09-02 13:21 ` [PATCH 6.6 58/75] HID: asus: fix UAF via HID_CLAIMED_INPUT validation Greg Kroah-Hartman
2025-09-02 13:21 ` [PATCH 6.6 59/75] HID: multitouch: fix slab out-of-bounds access in mt_report_fixup() Greg Kroah-Hartman
2025-09-02 13:21 ` [PATCH 6.6 60/75] HID: quirks: add support for Legion Go dual dinput modes Greg Kroah-Hartman
2025-09-02 13:21 ` [PATCH 6.6 61/75] HID: logitech: Add ids for G PRO 2 LIGHTSPEED Greg Kroah-Hartman
2025-09-02 13:21 ` [PATCH 6.6 62/75] HID: wacom: Add a new Art Pen 2 Greg Kroah-Hartman
2025-09-02 13:21 ` [PATCH 6.6 63/75] HID: hid-ntrig: fix unable to handle page fault in ntrig_report_version() Greg Kroah-Hartman
2025-09-02 13:21 ` [PATCH 6.6 64/75] Revert "drm/amdgpu: fix incorrect vm flags to map bo" Greg Kroah-Hartman
2025-09-02 13:21 ` [PATCH 6.6 65/75] dma/pool: Ensure DMA_DIRECT_REMAP allocations are decrypted Greg Kroah-Hartman
2025-09-02 13:21 ` [PATCH 6.6 66/75] fs/smb: Fix inconsistent refcnt update Greg Kroah-Hartman
2025-09-02 13:21 ` [PATCH 6.6 67/75] net: usb: qmi_wwan: add Telit Cinterion LE910C4-WWX new compositions Greg Kroah-Hartman
2025-09-02 13:21 ` [PATCH 6.6 68/75] smb3 client: fix return code mapping of remap_file_range Greg Kroah-Hartman
2025-09-02 13:21 ` [PATCH 6.6 69/75] drm/nouveau/disp: Always accept linear modifier Greg Kroah-Hartman
2025-09-02 13:21 ` Greg Kroah-Hartman [this message]
2025-09-02 13:21 ` [PATCH 6.6 71/75] net/mlx5: SF, Fix add port error handling Greg Kroah-Hartman
2025-09-02 13:21 ` [PATCH 6.6 72/75] HID: mcp2221: Dont set bus speed on every transfer Greg Kroah-Hartman
2025-09-02 13:21 ` [PATCH 6.6 73/75] HID: mcp2221: Handle reads greater than 60 bytes Greg Kroah-Hartman
2025-09-02 13:21 ` [PATCH 6.6 74/75] Revert "drm/dp: Change AUX DPCD probe address from DPCD_REV to LANE0_1_STATUS" Greg Kroah-Hartman
2025-09-02 13:21 ` [PATCH 6.6 75/75] xfs: do not propagate ENODATA disk errors into xattr code Greg Kroah-Hartman
2025-09-02 16:30 ` 6.6.104-rc1 review Brett A C Sheffield
2025-09-02 18:03 ` [PATCH 6.6 00/75] " Jon Hunter
2025-09-02 19:17 ` Florian Fainelli
2025-09-03 8:28 ` Naresh Kamboju
2025-09-03 9:02 ` Ron Economos
2025-09-03 10:47 ` Mark Brown
2025-09-03 11:51 ` Peter Schneider
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250902131937.858065169@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=edumazet@google.com \
--cc=kuba@kernel.org \
--cc=kuniyu@google.com \
--cc=patches@lists.linux.dev \
--cc=stable@vger.kernel.org \
--cc=syzbot+2eb8d1719f7cfcfa6840@syzkaller.appspotmail.com \
--cc=takamitz@amazon.co.jp \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).