From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev, syzbot <syzkaller@googlegroups.com>,
Eric Dumazet <edumazet@google.com>, Wei Wang <weiwan@google.com>,
David Ahern <dsahern@kernel.org>,
Jakub Kicinski <kuba@kernel.org>, Sasha Levin <sashal@kernel.org>
Subject: [PATCH 5.10 21/97] ipv6: fix potential NULL deref in fib6_add()
Date: Mon, 11 Dec 2023 19:21:24 +0100
Message-ID: <20231211182020.682861957@linuxfoundation.org>
In-Reply-To: <20231211182019.802717483@linuxfoundation.org>
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit 75475bb51e78a3f54ad2f69380f2a1c985e85f2d ]
If fib6_find_prefix() returns NULL, we should silently fallback
using fib6_null_entry regardless of RT6_DEBUG value.
syzbot reported:
WARNING: CPU: 0 PID: 5477 at net/ipv6/ip6_fib.c:1516 fib6_add+0x310d/0x3fa0 net/ipv6/ip6_fib.c:1516
Modules linked in:
CPU: 0 PID: 5477 Comm: syz-executor.0 Not tainted 6.7.0-rc2-syzkaller-00029-g9b6de136b5f0 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/10/2023
RIP: 0010:fib6_add+0x310d/0x3fa0 net/ipv6/ip6_fib.c:1516
Code: 00 48 8b 54 24 68 e8 42 22 00 00 48 85 c0 74 14 49 89 c6 e8 d5 d3 c2 f7 eb 5d e8 ce d3 c2 f7 e9 ca 00 00 00 e8 c4 d3 c2 f7 90 <0f> 0b 90 48 b8 00 00 00 00 00 fc ff df 48 8b 4c 24 38 80 3c 01 00
RSP: 0018:ffffc90005067740 EFLAGS: 00010293
RAX: ffffffff89cba5bc RBX: ffffc90005067ab0 RCX: ffff88801a2e9dc0
RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000
RBP: ffffc90005067980 R08: ffffffff89cbca85 R09: 1ffff110040d4b85
R10: dffffc0000000000 R11: ffffed10040d4b86 R12: 00000000ffffffff
R13: 1ffff110051c3904 R14: ffff8880206a5c00 R15: ffff888028e1c820
FS: 00007f763783c6c0(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f763783bff8 CR3: 000000007f74d000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
__ip6_ins_rt net/ipv6/route.c:1303 [inline]
ip6_route_add+0x88/0x120 net/ipv6/route.c:3847
ipv6_route_ioctl+0x525/0x7b0 net/ipv6/route.c:4467
inet6_ioctl+0x21a/0x270 net/ipv6/af_inet6.c:575
sock_do_ioctl+0x152/0x460 net/socket.c:1220
sock_ioctl+0x615/0x8c0 net/socket.c:1339
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:871 [inline]
__se_sys_ioctl+0xf8/0x170 fs/ioctl.c:857
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x45/0x110 arch/x86/entry/common.c:82
Fixes: 7bbfe00e0252 ("ipv6: fix general protection fault in fib6_add()")
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Wei Wang <weiwan@google.com>
Reviewed-by: David Ahern <dsahern@kernel.org>
Link: https://lore.kernel.org/r/20231129160630.3509216-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv6/ip6_fib.c | 6 +-----
1 file changed, 1 insertion(+), 5 deletions(-)
diff --git a/net/ipv6/ip6_fib.c b/net/ipv6/ip6_fib.c
index c783b91231321..608205c632c8c 100644
--- a/net/ipv6/ip6_fib.c
+++ b/net/ipv6/ip6_fib.c
@@ -1499,13 +1499,9 @@ int fib6_add(struct fib6_node *root, struct fib6_info *rt,
if (!pn_leaf && !(pn->fn_flags & RTN_RTINFO)) {
pn_leaf = fib6_find_prefix(info->nl_net, table,
pn);
-#if RT6_DEBUG >= 2
- if (!pn_leaf) {
- WARN_ON(!pn_leaf);
+ if (!pn_leaf)
pn_leaf =
info->nl_net->ipv6.fib6_null_entry;
- }
-#endif
fib6_info_hold(pn_leaf);
rcu_assign_pointer(pn->leaf, pn_leaf);
}
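Review bot: The now-unconditional `if (!pn_leaf)` check is the only thing keeping fib6_info_hold(pn_leaf) and rcu_assign_pointer(pn->leaf, pn_leaf) from receiving NULL, but nothing in the code says that a NULL return from fib6_find_prefix() is an expected case rather than a bug. With the WARN_ON() removed, a one-line comment above the check stating that fib6_find_prefix() may return NULL here and that fib6_null_entry is the intended substitute would keep the fallback from being moved back under a debug conditional later. A minor style point on the same lines: the assignment is still split as `pn_leaf =` / `info->nl_net->ipv6.fib6_null_entry;` under a brace-less if, so either join it onto one line if it fits or keep the braces so the two-line body is visually delimited.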
--
2.42.0