On Tue, Mar 09, 2021 at 06:20:35PM -0800, Wei Wang wrote:
> Syzbot reported the suspicious RCU usage in nexthop_fib6_nh() when
> called from ipv6_route_seq_show(). The reason is ipv6_route_seq_start()
> calls rcu_read_lock_bh(), while nexthop_fib6_nh() calls
> rcu_dereference_rtnl().
> The fix proposed is to add a variant of nexthop_fib6_nh() to use
> rcu_dereference_bh_rtnl() for ipv6_route_seq_show().
>
> The reported trace is as follows:
> ./include/net/nexthop.h:416 suspicious rcu_dereference_check() usage!
>
> other info that might help us debug this:
>
> rcu_scheduler_active = 2, debug_locks = 1
> 2 locks held by syz-executor.0/17895:
> at: seq_read+0x71/0x12a0 fs/seq_file.c:169
> at: seq_file_net include/linux/seq_file_net.h:19 [inline]
> at: ipv6_route_seq_start+0xaf/0x300 net/ipv6/ip6_fib.c:2616
[...]
>
> Fixes: f88d8ea67fbdb ("ipv6: Plumb support for nexthop object in a fib6_info")
> Reported-by: syzbot <syzkal...@googlegroups.com>
> Signed-off-by: Wei Wang <wei...@google.com>
> Cc: David Ahern <dsah...@kernel.org>
> Cc: Ido Schimmel <ido...@idosch.org>
> Cc: Petr Machata <pe...@nvidia.com>
> Cc: Eric Dumazet <eduma...@google.com>

Reviewed-by: Ido Schimmel <ido...@nvidia.com>