Re: [syzbot] [hams?] KASAN: slab-use-after-free Read in rose_get_neigh

From: Kohei Enju
Date: Wed Jun 25 2025 - 01:44:50 EST

Next message: K Prateek Nayak: "Re: [PATCH v3 2/2] x86/smpboot: avoid SMT domain attach/destroy if SMT is not enabled"
Previous message: Shubhrajyoti Datta: "[PATCH] clk: clocking-wizard: Fix the round rate handling for versal"
In reply to: syzbot: "Re: [syzbot] [hams?] KASAN: slab-use-after-free Read in rose_get_neigh"
Next in thread: syzbot: "Re: [syzbot] [hams?] KASAN: slab-use-after-free Read in rose_get_neigh"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

#syz test

diff --git a/net/rose/rose_route.c b/net/rose/rose_route.c
index 2dd6bd3a3011..a488fd8c4710 100644
--- a/net/rose/rose_route.c
+++ b/net/rose/rose_route.c
@@ -479,7 +479,7 @@ void rose_rt_device_down(struct net_device *dev)
{
struct rose_neigh *s, *rose_neigh;
struct rose_node *t, *rose_node;
- int i;
+ int i, j;

spin_lock_bh(&rose_node_list_lock);
spin_lock_bh(&rose_neigh_list_lock);
@@ -497,22 +497,14 @@ void rose_rt_device_down(struct net_device *dev)
t = rose_node;
rose_node = rose_node->next;

- for (i = 0; i < t->count; i++) {
+ for (i = t->count - 1; i >= 0; i--) {
if (t->neighbour[i] != s)
continue;

t->count--;

- switch (i) {
- case 0:
- t->neighbour[0] = t->neighbour[1];
- fallthrough;
- case 1:
- t->neighbour[1] = t->neighbour[2];
- break;
- case 2:
- break;
- }
+ for (j = i; j < t->count; j++)
+ t->neighbour[j] = t->neighbour[j + 1];
}

if (t->count <= 0)

Next message: K Prateek Nayak: "Re: [PATCH v3 2/2] x86/smpboot: avoid SMT domain attach/destroy if SMT is not enabled"
Previous message: Shubhrajyoti Datta: "[PATCH] clk: clocking-wizard: Fix the round rate handling for versal"
In reply to: syzbot: "Re: [syzbot] [hams?] KASAN: slab-use-after-free Read in rose_get_neigh"
Next in thread: syzbot: "Re: [syzbot] [hams?] KASAN: slab-use-after-free Read in rose_get_neigh"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]