• Wei Wang's avatar
    ipv6: add ip6_null_entry check in rt6_select() · 87b1af8d
    Wei Wang authored
    In rt6_select(), fn->leaf could be pointing to net->ipv6.ip6_null_entry.
    In this case, we should directly return instead of trying to carry on
    with the rest of the process.
    If not, we could crash at:
      spin_lock_bh(&leaf->rt6i_table->rt6_lock);
    because net->ipv6.ip6_null_entry does not have rt6i_table set.
    
    Syzkaller recently reported following issue on net-next:
    Use struct sctp_sack_info instead
    kasan: CONFIG_KASAN_INLINE enabled
    kasan: GPF could be caused by NULL-ptr deref or user memory access
    general protection fault: 0000 [#1] SMP KASAN
    Dumping ftrace buffer:
       (ftrace buffer empty)
    Modules linked in:
    sctp: [Deprecated]: syz-executor4 (pid 26496) Use of struct sctp_assoc_value in delayed_ack socket option.
    Use struct sctp_sack_info instead
    CPU: 1 PID: 26523 Comm: syz-executor6 Not tainted 4.14.0-rc4+ #85
    Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
    task: ffff8801d147e3c0 task.stack: ffff8801a4328000
    RIP: 0010:debug_spin_lock_before kernel/locking/spinlock_debug.c:83 [inline]
    RIP: 0010:do_raw_spin_lock+0x23/0x1e0 kernel/locking/spinlock_debug.c:112
    RSP: 0018:ffff8801a432ed70 EFLAGS: 00010207
    RAX: dffffc0000000000 RBX: 0000000000000018 RCX: 0000000000000000
    RDX: 0000000000000003 RSI: 0000000000000000 RDI: 000000000000001c
    RBP: ffff8801a432ed90 R08: 0000000000000001 R09: 0000000000000000
    R10: 0000000000000000 R11: ffffffff8482b279 R12: ffff8801ce2ff3a0
    sctp: [Deprecated]: syz-executor1 (pid 26546) Use of int in maxseg socket option.
    Use struct sctp_assoc_value instead
    R13: dffffc0000000000 R14: ffff8801d971e000 R15: ffff8801ce2ff0d8
    FS:  00007f56e82f5700(0000) GS:ffff8801db300000(0000) knlGS:0000000000000000
    CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    CR2: 0000001ddbc22000 CR3: 00000001a4a04000 CR4: 00000000001406e0
    DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
    DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
    Call Trace:
     __raw_spin_lock_bh include/linux/spinlock_api_smp.h:136 [inline]
     _raw_spin_lock_bh+0x39/0x40 kernel/locking/spinlock.c:175
     spin_lock_bh include/linux/spinlock.h:321 [inline]
     rt6_select net/ipv6/route.c:786 [inline]
     ip6_pol_route+0x1be3/0x3bd0 net/ipv6/route.c:1650
    sctp: [Deprecated]: syz-executor1 (pid 26576) Use of int in maxseg socket option.
    Use struct sctp_assoc_value instead
    TCP: request_sock_TCPv6: Possible SYN flooding on port 20002. Sending cookies.  Check SNMP counters.
     ip6_pol_route_output+0x4c/0x60 net/ipv6/route.c:1843
     fib6_rule_lookup+0x9e/0x2a0 net/ipv6/ip6_fib.c:309
     ip6_route_output_flags+0x1f1/0x2b0 net/ipv6/route.c:1871
     ip6_route_output include/net/ip6_route.h:80 [inline]
     ip6_dst_lookup_tail+0x4ea/0x970 net/ipv6/ip6_output.c:953
     ip6_dst_lookup_flow+0xc8/0x270 net/ipv6/ip6_output.c:1076
     sctp_v6_get_dst+0x675/0x1c30 net/sctp/ipv6.c:274
     sctp_transport_route+0xa8/0x430 net/sctp/transport.c:287
     sctp_assoc_add_peer+0x4fe/0x1100 net/sctp/associola.c:656
     __sctp_connect+0x251/0xc80 net/sctp/socket.c:1187
     sctp_connect+0xb4/0xf0 net/sctp/socket.c:4209
     inet_dgram_connect+0x16b/0x1f0 net/ipv4/af_inet.c:541
     SYSC_connect+0x20a/0x480 net/socket.c:1642
     SyS_connect+0x24/0x30 net/socket.c:1623
     entry_SYSCALL_64_fastpath+0x1f/0xbe
    
    Fixes: 66f5d6ce ("ipv6: replace rwlock with rcu and spinlock in fib6_table")
    Signed-off-by: default avatarWei Wang <weiwan@google.com>
    Acked-by: default avatarEric Dumazet <edumazet@google.com>
    Acked-by: default avatarMartin KaFai Lau <kafai@fb.com>
    Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
    87b1af8d
route.c 118 KB