| Message ID | CAM_iQpWFnNyk=KfFyDnYOe9iXqgTJWCysx2YMLg19ufbYGdG4g@mail.gmail.com |
|---|---|
| State | RFC, archived |
| Delegated to: | David Miller |
On 2/27/17 10:11 AM, Cong Wang wrote:
> The attached patch fixes this crash, but I am not sure if it is the
> best way to fix this bug yet...

I'll take a look. I can not reproduce this using route or ip, so the fuzzer is doing something interesting.
On Mon, Feb 27, 2017 at 8:59 PM, David Ahern <dsa@cumulusnetworks.com> wrote:
> On 2/27/17 10:11 AM, Cong Wang wrote:
>> The attached patch fixes this crash, but I am not sure if it is the
>> best way to fix this bug yet...
>
> I'll take a look. I can not reproduce this using route or ip, so the
> fuzzer is doing something interesting.

Hi David,

I've attached a simple reproducer to the report, it doesn't work for you?

Thanks!
On Mon, Feb 27, 2017 at 12:05 PM, Andrey Konovalov <andreyknvl@google.com> wrote:
> On Mon, Feb 27, 2017 at 8:59 PM, David Ahern <dsa@cumulusnetworks.com> wrote:
>> On 2/27/17 10:11 AM, Cong Wang wrote:
>>> The attached patch fixes this crash, but I am not sure if it is the
>>> best way to fix this bug yet...
>>
>> I'll take a look. I can not reproduce this using route or ip, so the
>> fuzzer is doing something interesting.
>
> Hi David,
>
> I've attached a simple reproducer to the report, it doesn't work for you?

It works for me and I have verified the formal patch I sent.
On Mon, Feb 27, 2017 at 9:34 PM, Cong Wang <xiyou.wangcong@gmail.com> wrote:
> On Mon, Feb 27, 2017 at 12:05 PM, Andrey Konovalov <andreyknvl@google.com> wrote:
>> On Mon, Feb 27, 2017 at 8:59 PM, David Ahern <dsa@cumulusnetworks.com> wrote:
>>> On 2/27/17 10:11 AM, Cong Wang wrote:
>>>> The attached patch fixes this crash, but I am not sure if it is the
>>>> best way to fix this bug yet...
>>>
>>> I'll take a look. I can not reproduce this using route or ip, so the
>>> fuzzer is doing something interesting.
>>
>> Hi David,
>>
>> I've attached a simple reproducer to the report, it doesn't work for you?
>
> It works for me and I have verified the formal patch I sent.

Hi Cong,

That's what I thought when I read your message, thanks!

I was just confused by David saying that the fuzzer is doing something interesting, when the reproducer is just an ioctl call on a socket.
On 2/27/17 12:37 PM, Andrey Konovalov wrote:
> That's what I thought when I read your message, thanks!
>
> I was just confused by David saying that the fuzzer is doing something
> interesting, when the reproducer is just an ioctl call on a socket.

It means I have a cold, recently off a plane and not processing what I was reading. The interesting part was intent to delete the null route, but then Cong mentioned that in his commit message.
diff --git a/net/ipv6/route.c b/net/ipv6/route.c index f54f426..3d1b260 100644 --- a/net/ipv6/route.c +++ b/net/ipv6/route.c @@ -2216,12 +2216,13 @@ static int __ip6_del_rt_siblings(struct rt6_info *rt, struct fib6_config *cfg) static int ip6_route_del(struct fib6_config *cfg) { + struct net *net = cfg->fc_nlinfo.nl_net; struct fib6_table *table; struct fib6_node *fn; struct rt6_info *rt; int err = -ESRCH; - table = fib6_get_table(cfg->fc_nlinfo.nl_net, cfg->fc_table); + table = fib6_get_table(net, cfg->fc_table); if (!table) return err; @@ -2247,6 +2248,8 @@ static int ip6_route_del(struct fib6_config *cfg) continue; if (cfg->fc_protocol && cfg->fc_protocol != rt->rt6i_protocol) continue; + if (rt == net->ipv6.ip6_null_entry) + continue; dst_hold(&rt->dst); read_unlock_bh(&table->tb6_lock);
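Review bot: no behavioural change in the first hunk; the new `struct net *net = cfg->fc_nlinfo.nl_net;` local only shortens the `fib6_get_table()` call and exists so the second hunk can compare against `net->ipv6.ip6_null_entry`, so it reads as a mechanical prerequisite rather than a fix on its own and needs no separate justification in the commit message.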
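Review bot: the new `if (rt == net->ipv6.ip6_null_entry) continue;` in `ip6_route_del()` deserves a one-line code comment explaining why the per-net null entry can reach this point at all: it is matched by the same walk as any other `rt6_info`, so a delete request that passes the protocol filter and the other `continue` checks above it would otherwise fall through to `dst_hold(&rt->dst)` and the deletion that follows with an entry that is not a regular table route, which is the crash the thread's single-ioctl reproducer triggers. Placing the check after the cheaper filters is fine, but without a comment the next reader sees only a bare pointer comparison and has to dig out this thread to learn why it is there.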