On 6/19/19 1:40 PM, Ido Schimmel wrote: > On Wed, Jun 19, 2019 at 01:10:08PM -0600, David Ahern wrote: >> On 6/19/19 11:55 AM, Ido Schimmel wrote: >>> diff --git a/net/ipv6/ip6_fib.c b/net/ipv6/ip6_fib.c >>> index 1d16a01eccf5..241a0e9a07c3 100644 >>> --- a/net/ipv6/ip6_fib.c >>> +++ b/net/ipv6/ip6_fib.c >>> @@ -393,6 +393,8 @@ int call_fib6_multipath_entry_notifiers(struct net *net, >>> .nsiblings = nsiblings, >>> }; >>> >>> + if (!rt) >>> + return -EINVAL; >>> rt->fib6_table->fib_seq++; >>> return call_fib6_notifiers(net, event_type, &info.info); >>> } >> >> The call to call_fib6_multipath_entry_notifiers in >> ip6_route_multipath_add happens without rt_notif set because the MPATH >> spec is empty? > > There is a nexthop in the syzbot reproducer, but its length is shorter > than sizeof(struct rtnexthop).
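Review bot: The `if (!rt) return -EINVAL;` guard placed ahead of `rt->fib6_table->fib_seq++` stops the NULL dereference but fails with a bare -EINVAL, and nothing in the hunk records a reason for the user. It also leaves the notifier helper validating a condition that its caller is better placed to understand. Consider detecting the missing route in the caller (ip6_route_multipath_add, per the discussion) and reporting the cause there. If the check stays here as a safety net, add a short comment saying when rt can legitimately be NULL.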
hmmm... I would expect that to be caught by the
'while (rtnh_ok(rtnh, remaining)) {}' loop. For the loop
'list_for_each_entry(nh, &rt6_nh_list, next) {}' if the list is empty
then yes, rt_notif is null which should be caught and handled with
EINVAL/extack. If there is at least 1 entry in the list, rt_notif is set
(success adding to fib) or it jumps over the notifier to add_errout.

>
>> It seems like that check should be done in ip6_route_multipath_add
>> rather than call_fib6_multipath_entry_notifiers with an extack saying
>> the reason for the failure.
>
> It seemed consistent with ip6_route_mpath_notify(). We can check if
> rt6_nh_list is empty and send a proper error message. I'll do that
> tomorrow morning since it's already late here.
>

ok.
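The case discussed in this thread, modelled in user space as an added example (not code from the patch or from the kernel): input shorter than one nexthop header makes an rtnh_ok()-style loop accept nothing, and the caller rejects the empty list with -EINVAL and a reason instead of handing a NULL route to the notifier. `struct rtnh_model`, `rtnh_ok_model`, `multipath_add_model`, `demo` and the error string are hypothetical names, and the sample buffers are constructed.

```c
#include <errno.h>
#include <stdint.h>
#include <string.h>

/* User-space stand-in for struct rtnexthop (8 bytes); not kernel code. */
struct rtnh_model {
    uint16_t rtnh_len;   /* length of this record, header included */
    uint8_t  rtnh_flags, rtnh_hops;
    int32_t  rtnh_ifindex;
};

/* Loop guard modelled on rtnh_ok(): the header fits and rtnh_len is sane. */
static int rtnh_ok_model(const unsigned char *buf, int remaining,
                         struct rtnh_model *out)
{
    if (remaining < (int)sizeof(*out)) return 0;  /* shorter than a header */
    memcpy(out, buf, sizeof(*out));
    return out->rtnh_len >= (int)sizeof(*out) && out->rtnh_len <= remaining;
}

/* Hypothetical caller; 'accepted' stands in for entries on rt6_nh_list. */
int multipath_add_model(const unsigned char *buf, int remaining,
                        const char **errmsg)
{
    struct rtnh_model rtnh;
    int accepted = 0;
    *errmsg = NULL;
    while (rtnh_ok_model(buf, remaining, &rtnh)) {
        accepted++;
        buf += rtnh.rtnh_len;        /* sample lengths are already aligned */
        remaining -= rtnh.rtnh_len;
    }
    if (!accepted) {     /* empty list: fail here, with a reason, not later */
        *errmsg = "no valid nexthop in multipath attribute";
        return -EINVAL;
    }
    return accepted;
}

/* Constructed input: two well-formed records, cut off at 'remaining' <= 16. */
int demo(int remaining, const char **errmsg)
{
    struct rtnh_model nh = { sizeof(struct rtnh_model), 0, 0, 1 };
    unsigned char buf[2 * sizeof(nh)];
    memcpy(buf, &nh, sizeof(nh));
    memcpy(buf + sizeof(nh), &nh, sizeof(nh));
    return multipath_add_model(buf, remaining, errmsg);
}

int main(void) { const char *m; return demo(16, &m) == 2 ? 0 : 1; }
```

Calling `demo(4, &msg)` reproduces the short-input case: the loop body never runs, so the only safe outcome is the explicit error path.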