Re: [PATCH net] ipv6: reset fn->rr_ptr when replacing route

2017-08-18 Thread David Miller
From: Wei Wang
Date: Wed, 16 Aug 2017 11:18:09 -0700

> From: Wei Wang
>
> syzkaller reported the following use-after-free issue in rt6_select():
...
> The root cause of it is that in fib6_add_rt2node(), when it replaces an
> existing route with the new one, it does not update fn->rr_ptr.
> Thi

[PATCH net] ipv6: reset fn->rr_ptr when replacing route

2017-08-16 Thread Wei Wang
From: Wei Wang

syzkaller reported the following use-after-free issue in rt6_select():
BUG: KASAN: use-after-free in rt6_select net/ipv6/route.c:755 [inline] at addr 8800bc6994e8
BUG: KASAN: use-after-free in ip6_pol_route.isra.46+0x1429/0x1470 net/ipv6/route.c:1084 at addr 8800bc6994e8