Commit b0818f80 authored by Mahesh Bandewar's avatar Mahesh Bandewar Committed by David S. Miller

blackhole_netdev: fix syzkaller reported issue

While invalidating the dst, we assign backhole_netdev instead of
loopback device. However, this device does not have idev pointer
and hence no ip6_ptr even if IPv6 is enabled. Possibly this has
triggered the syzbot reported crash.

The syzbot report does not have reproducer, however, this is the
only device that doesn't have matching idev created.

Crash instruction is :

static inline bool ip6_ignore_linkdown(const struct net_device *dev)
{
        const struct inet6_dev *idev = __in6_dev_get(dev);

        return !!idev->cnf.ignore_routes_with_linkdown; <= crash
}

Also ipv6 always assumes presence of idev and never checks for it
being NULL (as does the above referenced code). So adding a idev
for the blackhole_netdev to avoid this class of crashes in the future.
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent 9cb0aec9
...@@ -6996,7 +6996,7 @@ static struct rtnl_af_ops inet6_ops __read_mostly = { ...@@ -6996,7 +6996,7 @@ static struct rtnl_af_ops inet6_ops __read_mostly = {
int __init addrconf_init(void) int __init addrconf_init(void)
{ {
struct inet6_dev *idev; struct inet6_dev *idev, *bdev;
int i, err; int i, err;
err = ipv6_addr_label_init(); err = ipv6_addr_label_init();
...@@ -7036,10 +7036,14 @@ int __init addrconf_init(void) ...@@ -7036,10 +7036,14 @@ int __init addrconf_init(void)
*/ */
rtnl_lock(); rtnl_lock();
idev = ipv6_add_dev(init_net.loopback_dev); idev = ipv6_add_dev(init_net.loopback_dev);
bdev = ipv6_add_dev(blackhole_netdev);
rtnl_unlock(); rtnl_unlock();
if (IS_ERR(idev)) { if (IS_ERR(idev)) {
err = PTR_ERR(idev); err = PTR_ERR(idev);
goto errlo; goto errlo;
} else if (IS_ERR(bdev)) {
err = PTR_ERR(bdev);
goto errlo;
} }
ip6_route_init_special_entries(); ip6_route_init_special_entries();
...@@ -7124,6 +7128,7 @@ void addrconf_cleanup(void) ...@@ -7124,6 +7128,7 @@ void addrconf_cleanup(void)
addrconf_ifdown(dev, 1); addrconf_ifdown(dev, 1);
} }
addrconf_ifdown(init_net.loopback_dev, 2); addrconf_ifdown(init_net.loopback_dev, 2);
addrconf_ifdown(blackhole_netdev, 2);
/* /*
* Check hash table. * Check hash table.
......
...@@ -155,10 +155,9 @@ void rt6_uncached_list_del(struct rt6_info *rt) ...@@ -155,10 +155,9 @@ void rt6_uncached_list_del(struct rt6_info *rt)
static void rt6_uncached_list_flush_dev(struct net *net, struct net_device *dev) static void rt6_uncached_list_flush_dev(struct net *net, struct net_device *dev)
{ {
struct net_device *loopback_dev = net->loopback_dev;
int cpu; int cpu;
if (dev == loopback_dev) if (dev == net->loopback_dev)
return; return;
for_each_possible_cpu(cpu) { for_each_possible_cpu(cpu) {
...@@ -171,7 +170,7 @@ static void rt6_uncached_list_flush_dev(struct net *net, struct net_device *dev) ...@@ -171,7 +170,7 @@ static void rt6_uncached_list_flush_dev(struct net *net, struct net_device *dev)
struct net_device *rt_dev = rt->dst.dev; struct net_device *rt_dev = rt->dst.dev;
if (rt_idev->dev == dev) { if (rt_idev->dev == dev) {
rt->rt6i_idev = in6_dev_get(loopback_dev); rt->rt6i_idev = in6_dev_get(blackhole_netdev);
in6_dev_put(rt_idev); in6_dev_put(rt_idev);
} }
...@@ -386,13 +385,11 @@ static void ip6_dst_ifdown(struct dst_entry *dst, struct net_device *dev, ...@@ -386,13 +385,11 @@ static void ip6_dst_ifdown(struct dst_entry *dst, struct net_device *dev,
{ {
struct rt6_info *rt = (struct rt6_info *)dst; struct rt6_info *rt = (struct rt6_info *)dst;
struct inet6_dev *idev = rt->rt6i_idev; struct inet6_dev *idev = rt->rt6i_idev;
struct net_device *loopback_dev =
dev_net(dev)->loopback_dev;
if (idev && idev->dev != loopback_dev) { if (idev && idev->dev != dev_net(dev)->loopback_dev) {
struct inet6_dev *loopback_idev = in6_dev_get(loopback_dev); struct inet6_dev *ibdev = in6_dev_get(blackhole_netdev);
if (loopback_idev) { if (ibdev) {
rt->rt6i_idev = loopback_idev; rt->rt6i_idev = ibdev;
in6_dev_put(idev); in6_dev_put(idev);
} }
} }
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment