On Wed, Jun 19, 2019 at 01:10:08PM -0600, David Ahern wrote: > On 6/19/19 11:55 AM, Ido Schimmel wrote: > > diff --git a/net/ipv6/ip6_fib.c b/net/ipv6/ip6_fib.c > > index 1d16a01eccf5..241a0e9a07c3 100644 > > --- a/net/ipv6/ip6_fib.c > > +++ b/net/ipv6/ip6_fib.c > > @@ -393,6 +393,8 @@ int call_fib6_multipath_entry_notifiers(struct net *net, > > .nsiblings = nsiblings, > > }; > > > > + if (!rt) > > + return -EINVAL; > > rt->fib6_table->fib_seq++; > > return call_fib6_notifiers(net, event_type, &info.info); > > } > > The call to call_fib6_multipath_entry_notifiers in > ip6_route_multipath_add happens without rt_notif set because the MPATH > spec is empty?
There is a nexthop in the syzbot reproducer, but its length is shorter than sizeof(struct rtnexthop). > It seems like that check should be done in ip6_route_multipath_add > rather than call_fib6_multipath_entry_notifiers with an extack saying > the reason for the failure. It seemed consistent with ip6_route_mpath_notify(). We can check if rt6_nh_list is empty and send a proper error message. I'll do that tomorrow morning since it's already late here. > My expectation for call_fib6_multipath_entry_notifiers is any errors are > only for offload handlers. (And we need to get extack added to that for > relaying reasons.) We already have extack there...
