CVE-2025-71133

In the Linux kernel, the following vulnerability has been resolved:

RDMA/irdma: avoid invalid read in irdmanetevent

irdmanetevent() should not dereference anything from "neigh" (alias "ptr") until it has checked that the event is NETEVENTNEIGHUPDATE. Other events come with different structures pointed to by "ptr" and they may be smaller than struct neighbour.

Move the read of neigh->dev under the NETEVENTNEIGHUPDATE case.

The bug is mostly harmless, but it triggers KASAN on debug kernels:

BUG: KASAN: stack-out-of-bounds in irdmanetevent+0x32e/0x3b0 [irdma] Read of size 8 at addr ffffc900075e07f0 by task kworker/27:2/542554

CPU: 27 PID: 542554 Comm: kworker/27:2 Kdump: loaded Not tainted 5.14.0-630.el9.x8664+debug #1 Hardware name: [...] Workqueue: events rt6probedeferred Call Trace: <IRQ> dumpstacklvl+0x60/0xb0 printaddressdescription.constprop.0+0x2c/0x3f0 printreport+0xb4/0x270 kasanreport+0x92/0xc0 irdmanetevent+0x32e/0x3b0 [irdma] notifiercallchain+0x9e/0x180 atomicnotifiercallchain+0x5c/0x110 rt6doredirect+0xb91/0x1080 tcpv6err+0xe9b/0x13e0 icmpv6notify+0x2b2/0x630 ndiscredirectrcv+0x328/0x530 icmpv6rcv+0xc16/0x1360 ip6protocoldeliverrcu+0xb84/0x12e0 ip6inputfinish+0x117/0x240 ip6input+0xc4/0x370 ipv6_rcv+0x420/0x7d0 __netifreceiveskbonecore+0x118/0x1b0 process_backlog+0xd1/0x5d0 _napipoll.constprop.0+0xa3/0x440 netrxaction+0x78a/0xba0 handlesoftirqs+0x2d4/0x9c0 dosoftirq+0xad/0xe0 </IRQ>