From: Pritesh Rodge <rodgepritesh@gmail.com>
The rose_add_node() function uses kmalloc to allocate a new rose_node
but only initializes the first element of the 'neighbour' array. If
the node's count is later incremented, other parts of the kernel may
access the uninitialized pointers in the array.
This was discovered by KMSAN, which reported a crash in
__run_timer_base when a timer tried to clean up a resource using
one of these garbage pointers.
Fix this by switching from kmalloc() to kzalloc() to ensure the
entire rose_node struct is initialized to zero upon allocation. This
sets all unused neighbour pointers to NULL.
[1] https://syzkaller.appspot.com/bug?extid=7d660d9b8bd5efc7ee6e
Reported-by: syzbot+7d660d9b8bd5efc7ee6e@syzkaller.appspotmail.com
Signed-off-by: Pritesh Rodge <rodgepritesh@gmail.com>
---
net/rose/rose_route.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/rose/rose_route.c b/net/rose/rose_route.c
index a1e9b05ef6f5..6ca41cbe867a 100644
--- a/net/rose/rose_route.c
+++ b/net/rose/rose_route.c
@@ -148,7 +148,7 @@ static int __must_check rose_add_node(struct rose_route_struct *rose_route,
}
/* create new node */
- rose_node = kmalloc(sizeof(*rose_node), GFP_ATOMIC);
+ rose_node = kzalloc(sizeof(*rose_node), GFP_ATOMIC);
if (rose_node == NULL) {
res = -ENOMEM;
goto out;
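Review bot: The justification in the commit message does not match what this hunk changes: the KMSAN report it cites fires in __hlist_del via detach_timer in the timer core, i.e. on a timer's list linkage, while the hunk only zeroes the freshly allocated rose_node, and nothing in the visible context shows a neighbour[] entry beyond index 0 being read before it is assigned. Before taking this, the message should name the specific rose_node field that the timer path reads uninitialised, or show the syzbot reproducer no longer triggers with this change; "if the node's count is later incremented" describes a hypothetical, not the reported crash. If the allocation is made kzalloc() anyway, the explicit field assignments that follow this hunk (address, mask, count, loopback, neighbour[0]) become partly redundant and the message should say the zeroing is defensive rather than the fix.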
--
2.43.0
On Fri, Sep 12, 2025 at 2:22 PM <rodgepritesh@gmail.com> wrote:
>
> From: Pritesh Rodge <rodgepritesh@gmail.com>
>
> The rose_add_node() function uses kmalloc to allocate a new rose_node
> but only initializes the first element of the 'neighbour' array. If
> the node's count is later incremented, other parts of the kernel may
> access the uninitialized pointers in the array.
>
> This was discovered by KMSAN, which reported a crash in
> __run_timer_base. When a timer tried to clean up a resource using
> one of these garbage pointers.
>
> Fix this by switching from kmalloc() to kzalloc() to ensure the
> entire rose_node struct is initialized to zero upon allocation. This
> sets all unused neighbour pointers to NULL.

Which part exactly of rose node being not initialized would lead to the syzbot report?

BUG: KMSAN: uninit-value in __hlist_del include/linux/list.h:980 [inline]
BUG: KMSAN: uninit-value in detach_timer kernel/time/timer.c:891 [inline]
BUG: KMSAN: uninit-value in expire_timers kernel/time/timer.c:1781 [inline]
BUG: KMSAN: uninit-value in __run_timers kernel/time/timer.c:2372 [inline]
BUG: KMSAN: uninit-value in __run_timer_base+0x690/0xd90 kernel/time/timer.c:2384
 __hlist_del include/linux/list.h:980 [inline]
 detach_timer kernel/time/timer.c:891 [inline]
 expire_timers kernel/time/timer.c:1781 [inline]
 __run_timers kernel/time/timer.c:2372 [inline]
 __run_timer_base+0x690/0xd90 kernel/time/timer.c:2384
 run_timer_base kernel/time/timer.c:2393 [inline]
 run_timer_softirq+0x3a/0x80 kernel/time/timer.c:2403
 handle_softirqs+0x166/0x6e0 kernel/softirq.c:579
 __do_softirq kernel/softirq.c:613 [inline]
 invoke_softirq kernel/softirq.c:453 [inline]

>
> [1] https://syzkaller.appspot.com/bug?extid=7d660d9b8bd5efc7ee6e
>
> Reported-by: syzbot+7d660d9b8bd5efc7ee6e@syzkaller.appspotmail.com
> Signed-off-by: Pritesh Rodge <rodgepritesh@gmail.com>
> ---
> net/rose/rose_route.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/net/rose/rose_route.c b/net/rose/rose_route.c
> index a1e9b05ef6f5..6ca41cbe867a 100644
> --- a/net/rose/rose_route.c
> +++ b/net/rose/rose_route.c
> @@ -148,7 +148,7 @@ static int __must_check rose_add_node(struct rose_route_struct *rose_route,
> }
>
> /* create new node */
> - rose_node = kmalloc(sizeof(*rose_node), GFP_ATOMIC);
> + rose_node = kzalloc(sizeof(*rose_node), GFP_ATOMIC);
> if (rose_node == NULL) {
> res = -ENOMEM;
> goto out;

I doubt this will fix anything really, given this code is followed by:

rose_node->address = rose_route->address;
rose_node->mask = rose_route->mask;
rose_node->count = 1;
rose_node->loopback = 0;
rose_node->neighbour[0] = rose_neigh;

rose is certainly full of bugs, but I do not see your patch fixing one of them.
The ROSE protocol is extensively used for level 2 or level 3 networking of packet AX25 frames through neighbours and digipeater stations in order to exchange data or messages by radio or Internet links.

Nodes and routes are most often managed by the FPAC suite of applications. fpad sets up local nodes and adjacent neighbours using the fpac.conf, fpac.nodes and fpac.routes configuration files. Then at any time it is possible to add or delete rose nodes from the list of previously defined nodes to help routing and connections using the ax25tools application rsparms:

# rsparms -nodes list
2080175520/0010 -> ax0 F6BVP-9
2080175526/0010 -> ax0 F6BVP-11
2080835201/0010 -> ??? RSLOOP-0

# rsparms -nodes add 2080444501/0 axudp F3KT-11 F6BVP-9

# rsparms -nodes list
2080175520/0010 -> ax0 F6BVP-9
2080175526/0010 -> ax0 F6BVP-11
2080835201/0010 -> ??? RSLOOP-0
*/0000 -> ax0 F3KT-11 via F6BVP-9

# rsparms -nodes d 2080444501/0 axudp F3KT-11 F6BVP-9

# rsparms -nodes list
2080175520/0010 -> ax0 F6BVP-9
2080175526/0010 -> ax0 F6BVP-11
2080835201/0010 -> ??? RSLOOP-0

Up to now no issues have been encountered during the add or delete nodes process.

Bernard Pidoux, F6BVP / AI7BG
https://github.com/ve7fet/linuxax25