On 4/28/19 1:22 PM, Eric Dumazet wrote:
> We had many syzbot reports that seem to be caused by use-after-free
> of struct fib6_info.
>
> ip6_dst_destroy(), fib6_drop_pcpu_from() and rt6_remove_exception()
> are writers vs rt->from, and use non consistent synchronization among
> themselves.
>
> Switching to xchg() will solve the issues with no possible
> lockdep issues.
> ...
>
> Fixes: a68886a69180 ("net/ipv6: Make from in rt6_info rcu protected")
> Signed-off-by: Eric Dumazet <eduma...@google.com>
> Reported-by: syzbot <syzkal...@googlegroups.com>
> Cc: David Ahern <dsah...@gmail.com>
> ---
>  net/ipv6/ip6_fib.c | 4 +---
>  net/ipv6/route.c   | 9 ++-------
>  2 files changed, 3 insertions(+), 10 deletions(-)
>

Reviewed-by: David Ahern <dsah...@gmail.com>

Thanks for the fix, Eric.
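
Added example, not part of the thread or of the kernel patch: a userspace C11 model of why several writers that detach one refcounted pointer should all use an atomic exchange, as the quoted message describes for rt->from. The struct names, the load-then-clear writer and the replayed interleaving are assumptions made for illustration; the message does not spell out the exact kernel race.

```c
#include <stdatomic.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-ins for struct fib6_info and struct rt6_info. */
struct info  { int refcnt; };
struct route { _Atomic(struct info *) from; };

static void info_put(struct info *f) { if (f) f->refcnt--; }

/* Assumed racy writer, split in two steps so an interleaving can be replayed. */
static struct info *racy_load(struct route *rt) { return atomic_load(&rt->from); }
static void racy_clear_and_put(struct route *rt, struct info *seen)
{
    atomic_store(&rt->from, (struct info *)NULL);
    info_put(seen);              /* drops a reference another writer may own */
}

/* xchg-style writer: read and clear are one indivisible step. */
static void xchg_detach_and_put(struct route *rt)
{
    struct info *old = atomic_exchange(&rt->from, (struct info *)NULL);
    info_put(old);               /* only the writer that saw non-NULL drops it */
}

/* Two writers both load before either clears. Returns the final refcount. */
int replay_racy(void)
{
    struct info f = { .refcnt = 1 };   /* the route holds the only reference */
    struct route rt;
    atomic_init(&rt.from, &f);
    struct info *a = racy_load(&rt);   /* writer A */
    struct info *b = racy_load(&rt);   /* writer B, before A clears */
    racy_clear_and_put(&rt, a);
    racy_clear_and_put(&rt, b);
    return f.refcnt;                   /* dropped twice: premature free */
}

/* Three writers, any order: the exchange hands the pointer to exactly one. */
int replay_xchg(void)
{
    struct info f = { .refcnt = 1 };
    struct route rt;
    atomic_init(&rt.from, &f);
    for (int writer = 0; writer < 3; writer++)
        xchg_detach_and_put(&rt);
    return f.refcnt;
}

int main(void)
{
    printf("racy=%d xchg=%d\n", replay_racy(), replay_xchg());
    return 0;
}
```

In the model, a refcount below zero stands for the reference being released more often than it was taken, which in a real allocator means the object can be freed while still in use.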