In the Linux kernel, the following vulnerability has been resolved:
ipmr: do not call mrmfcuses_dev() for unres entries
syzbot found that calling mrmfcusesdev() for unres entries would crash [1], because c->mfcun.res.minvif / c->mfcun.res.maxvif alias to "struct skbuff_head unresolved", which contain two pointers.
This code never worked, lets remove it.
[1] Unable to handle kernel paging request at virtual address ffff5fff2d536613 KASAN: maybe wild-memory-access in range [0xfffefff96a9b3098-0xfffefff96a9b309f] Modules linked in: CPU: 1 UID: 0 PID: 7321 Comm: syz.0.16 Not tainted 6.13.0-rc7-syzkaller-g1950a0af2d55 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : mrmfcusesdev net/ipv4/ipmrbase.c:290 [inline] pc : mrtabledump+0x5a4/0x8b0 net/ipv4/ipmrbase.c:334 lr : mrmfcusesdev net/ipv4/ipmrbase.c:289 [inline] lr : mrtabledump+0x694/0x8b0 net/ipv4/ipmrbase.c:334 Call trace: mrmfcusesdev net/ipv4/ipmrbase.c:290 [inline] (P) mrtabledump+0x5a4/0x8b0 net/ipv4/ipmrbase.c:334 (P) mrrtmdumproute+0x254/0x454 net/ipv4/ipmrbase.c:382 ipmrrtmdumproute+0x248/0x4b4 net/ipv4/ipmr.c:2648 rtnldumpall+0x2e4/0x4e8 net/core/rtnetlink.c:4327 rtnldumpit+0x98/0x1d0 net/core/rtnetlink.c:6791 netlinkdump+0x4f0/0xbc0 net/netlink/afnetlink.c:2317 netlinkrecvmsg+0x56c/0xe64 net/netlink/afnetlink.c:1973 sockrecvmsgnosec net/socket.c:1033 [inline] sockrecvmsg net/socket.c:1055 [inline] sockreaditer+0x2d8/0x40c net/socket.c:1125 newsyncread fs/readwrite.c:484 [inline] vfsread+0x740/0x970 fs/readwrite.c:565 ksysread+0x15c/0x26c fs/read_write.c:708