syzkaller route ifa ifp assertion
Hi,

https://syzkaller.appspot.com/bug?extid=f77fe03091e5efd9aaf9 looks like adding a route crashes in LINK_STATE_IS_UP(ifp->if_link_state) due to ifp == NULL.

In case RTM_RESOLVE there is already an assertion about ifa_ifp != NULL. I would like to move it down after the fallthrough to cover also RTM_ADD. This should give a better hint what is going wrong.

Note that this seems to be a single processor kernel, no MP bug.

ok?

bluhm

Index: net/route.c =================================================================== RCS file: /data/mirror/openbsd/cvs/src/sys/net/route.c,v diff -u -p -r1.439 route.c --- net/route.c 13 Feb 2025 21:01:34 -0000 1.439 +++ net/route.c 15 Feb 2025 23:13:54 -0000 @@ -985,7 +985,6 @@ rtrequest(int req, struct rt_addrinfo *i return (EINVAL); if ((rt->rt_flags & RTF_CLONING) == 0) return (EINVAL); - KASSERT(rt->rt_ifa->ifa_ifp != NULL); info->rti_ifa = rt->rt_ifa; info->rti_flags = rt->rt_flags | (RTF_CLONED|RTF_HOST); info->rti_flags &= ~(RTF_CLONING|RTF_CONNECTED|RTF_STATIC); @@ -997,6 +996,7 @@ rtrequest(int req, struct rt_addrinfo *i case RTM_ADD: if (info->rti_ifa == NULL) return (EINVAL); + KASSERT(info->rti_ifa->ifa_ifp != NULL); ifa = info->rti_ifa; ifp = ifa->ifa_ifp; if (prio == 0)
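
Review bot: in the RTM_RESOLVE hunk (@@ -985,7 +985,6 @@), the removed KASSERT checked rt->rt_ifa->ifa_ifp, while its replacement checks info->rti_ifa->ifa_ifp. The two are equivalent only through the `info->rti_ifa = rt->rt_ifa;` assignment on the next line, and only if nothing in the lines between this hunk and `case RTM_ADD:` (not shown in the diff) reassigns info->rti_ifa or returns early. A short comment at the fallthrough saying that the assertion under RTM_ADD also covers the resolve path would keep that dependency visible. Note also that a NULL rt->rt_ifa on this path used to be dereferenced inside the assertion and now reaches the `info->rti_ifa == NULL` check and returns EINVAL; if that change is intended, it deserves a word in the commit message.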
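
Review bot: in the RTM_ADD hunk (@@ -997,6 +996,7 @@), the new KASSERT spells out info->rti_ifa->ifa_ifp one line before the code assigns `ifa = info->rti_ifa;` and `ifp = ifa->ifa_ifp;`. Placing the assertion after those two assignments as `KASSERT(ifp != NULL);` would check the exact pointer that is dereferenced later and would read more simply. The neighbouring check returns EINVAL for a NULL rti_ifa while a NULL ifa_ifp asserts, so a one-line comment saying why the latter is treated as an invariant rather than an error would help the next reader, since the assertion only improves the crash report and the cause of the NULL ifa_ifp is still open.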