
From: Claudio Jeker <cjeker@diehard.n-r-g.com>
Subject: Re: syzkaller route ifa ifp assertion
To: Alexander Bluhm <bluhm@openbsd.org>
Cc: tech@openbsd.org
Date: Fri, 21 Feb 2025 18:26:48 +0100

On Fri, Feb 21, 2025 at 06:03:08PM +0100, Alexander Bluhm wrote:
> On Sun, Feb 16, 2025 at 12:25:23AM +0100, Alexander Bluhm wrote:
> > Hi,
> > 
> > https://syzkaller.appspot.com/bug?extid=f77fe03091e5efd9aaf9 looks
> > like adding a route crashes in LINK_STATE_IS_UP(ifp->if_link_state)
> > due to ifp == NULL.
> > 
> > In case RTM_RESOLVE there is already an assertion about ifa_ifp !=
> > NULL.  I would like to move it down after the fallthrough to cover
> > also RTM_ADD.  This should give a better hint what is going wrong.
> > 
> > Note that this seems to be a single processor kernel, no MP bug.
> > 
> > ok?
> 
> anyone?
> 
> > bluhm
> > 
> > Index: net/route.c
> > ===================================================================
> > RCS file: /data/mirror/openbsd/cvs/src/sys/net/route.c,v
> > diff -u -p -r1.439 route.c
> > --- net/route.c	13 Feb 2025 21:01:34 -0000	1.439
> > +++ net/route.c	15 Feb 2025 23:13:54 -0000
> > @@ -985,7 +985,6 @@ rtrequest(int req, struct rt_addrinfo *i
> >  			return (EINVAL);
> >  		if ((rt->rt_flags & RTF_CLONING) == 0)
> >  			return (EINVAL);
> > -		KASSERT(rt->rt_ifa->ifa_ifp != NULL);
> >  		info->rti_ifa = rt->rt_ifa;
> >  		info->rti_flags = rt->rt_flags | (RTF_CLONED|RTF_HOST);
> >  		info->rti_flags &= ~(RTF_CLONING|RTF_CONNECTED|RTF_STATIC);
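
Review bot: with the KASSERT gone from the RTM_RESOLVE case, that path is checked only through the `info->rti_ifa = rt->rt_ifa;` assignment and the fallthrough into RTM_ADD, so the coverage depends on nothing in the lines between the two hunks returning early or changing info->rti_ifa. Note also that a NULL rt->rt_ifa would now reach the `if (info->rti_ifa == NULL) return (EINVAL);` test in RTM_ADD instead of being dereferenced by the old assertion. A one-line comment at the removed spot saying the ifa_ifp invariant is asserted after the fallthrough would keep a later edit from separating the two cases unnoticed.
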
> > @@ -997,6 +996,7 @@ rtrequest(int req, struct rt_addrinfo *i
> >  	case RTM_ADD:
> >  		if (info->rti_ifa == NULL)
> >  			return (EINVAL);
> > +		KASSERT(info->rti_ifa->ifa_ifp != NULL);
> >  		ifa = info->rti_ifa;
> >  		ifp = ifa->ifa_ifp;
> >  		if (prio == 0)
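
Review bot: the new `KASSERT(info->rti_ifa->ifa_ifp != NULL);` in RTM_ADD names the invariant but does not say how an ifa with a NULL ifa_ifp can arrive here, which is the open question from the syzkaller report. Consider placing it after `ifa = info->rti_ifa;` and writing it as `KASSERT(ifa->ifa_ifp != NULL);` so it sits directly above the `ifp = ifa->ifa_ifp;` load it protects, and add a short comment that it covers both the RTM_ADD and the RTM_RESOLVE fallthrough path. Since the adjacent check already returns EINVAL for a NULL rti_ifa, it is worth stating in the commit message that this assertion is diagnostic only and that the source of the NULL ifp still needs a follow-up.
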
> 

Sure. OK claudio@

-- 
:wq Claudio