From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-alma10-1.taild15c8.ts.net [100.103.45.18]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id B75FC3CAE63 for ; Thu, 28 May 2026 11:55:10 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=100.103.45.18 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1779969311; cv=none; b=MwZ3NQJD02tqQfmVP9vWoamkqJdrzeSsR2czG7M1HqfmQSY7zAeSzQ0LdodZoYa3M4CjxIw6d/SsYQLsrsY1ssxZc4vT6cER1u9vHKFTE11pj38awNxXvm7tRoUTm58n0tsUYG6rgd191Q5CUEvJ4fBKeADGnrJgyJae6O9qz4k= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1779969311; c=relaxed/simple; bh=Q5YkEMP6nCttJ/Y7YfNzYaMh1//r1OnBgwUZPfJgOXE=; h=Subject:To:Cc:From:Date:Message-ID:MIME-Version:Content-Type; b=Vl7zrsPKv9ZyHLYXHfy3KVVozIJ0H4P4sXqYrf4sdp5J7qQO/SU1KwlLo3HL3q/3k8xpKRDDkipf9WH3kUJ/bNEuyUQ2TDBa1oyygZrZ011bgNmfnQQR4oTDa6IlMRorB7cQ9gx9OMc3BZpMnNzPsZKMauVqJVGJlMYBI6ixQm4= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b=xg9avnER; arc=none smtp.client-ip=100.103.45.18 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b="xg9avnER" Received: by smtp.kernel.org (Postfix) with ESMTPSA id BB2E21F000E9; Thu, 28 May 2026 11:55:09 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linuxfoundation.org; s=korg; t=1779969310; bh=tKcbMHaX6d16HrzJC/p7R/7JQ37m+w3LEQb3bH4Vc7U=; h=Subject:To:Cc:From:Date; b=xg9avnERvnX+koWiX98sR/uBry/m08bghf+/Dlk6hO0BAXFQt6SdHwQkinXI6rwAL MbACdOdBch0nWyhC3hVlnn7hbff5ZsLoAhWXp9ePePi49BvQZ9b1mNQKBWI1Vkj3yo S+vHmF+6u1w8zE+XDFiPIPRojrPhCwg77pfAkWJk= Subject: FAILED: patch "[PATCH] batman-adv: bla: avoid NULL-ptr deref for claim via dropped" failed to apply to 6.6-stable tree To: sven@narfation.org,idosch@nvidia.com Cc: From: Date: Thu, 28 May 2026 13:54:09 +0200 Message-ID: <2026052809-dropkick-material-0b3e@gregkh> Precedence: bulk X-Mailing-List: stable@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset=ANSI_X3.4-1968 Content-Transfer-Encoding: 8bit The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to . To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x f80d3d98d2ff78d9e2fe5d68b1f45948c4f7bd24 # git commit -s git send-email --to '' --in-reply-to '2026052809-dropkick-material-0b3e@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ >From f80d3d98d2ff78d9e2fe5d68b1f45948c4f7bd24 Mon Sep 17 00:00:00 2001 From: Sven Eckelmann Date: Tue, 19 May 2026 09:23:49 +0200 Subject: [PATCH] batman-adv: bla: avoid NULL-ptr deref for claim via dropped interface Without rtnl_lock held, a hardif might be retrieved as primary interface of a meshif, but then (while operating on this interface) getting decoupled from the mesh interface. In this case, the meshif still exists but the pointer from the primary hardif to the meshif is set to NULL. The mesh_iface must be checked first to be non-NULL before continuing to send an ARP request using meshif. Cc: stable@kernel.org Fixes: 23721387c409 ("batman-adv: add basic bridge loop avoidance code") Reported-by: Ido Schimmel Reported-by: syzbot+9fdcc9f05a98a540b816@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=9fdcc9f05a98a540b816 Signed-off-by: Sven Eckelmann diff --git a/net/batman-adv/bridge_loop_avoidance.c b/net/batman-adv/bridge_loop_avoidance.c index 1bef12e659cb..ffe854018bd3 100644 --- a/net/batman-adv/bridge_loop_avoidance.c +++ b/net/batman-adv/bridge_loop_avoidance.c @@ -356,12 +356,14 @@ static void batadv_bla_send_claim(struct batadv_priv *bat_priv, const u8 *mac, sizeof(local_claim_dest)); local_claim_dest.type = claimtype; - mesh_iface = primary_if->mesh_iface; + mesh_iface = READ_ONCE(primary_if->mesh_iface); + if (!mesh_iface) + goto out; skb = arp_create(ARPOP_REPLY, ETH_P_ARP, /* IP DST: 0.0.0.0 */ zeroip, - primary_if->mesh_iface, + mesh_iface, /* IP SRC: 0.0.0.0 */ zeroip, /* Ethernet DST: Broadcast */