From: Alexander Bluhm Subject: Re: syzkaller route ifa ifp assertion To: tech@openbsd.org Date: Fri, 21 Feb 2025 18:03:08 +0100 On Sun, Feb 16, 2025 at 12:25:23AM +0100, Alexander Bluhm wrote: > Hi, > > https://syzkaller.appspot.com/bug?extid=f77fe03091e5efd9aaf9 looks > like adding a route crashes in LINK_STATE_IS_UP(ifp->if_link_state) > due to ifp == NULL. > > In case RTM_RESOLVE there is already an assertion about ifa_ifp != > NULL. I would like to move it down after the fallthrough to cover > also RTM_ADD. This should give a better hint what is going wrong. > > Note that this seems to be a single processor kernel, no MP bug. > > ok? anyone? > bluhm > > Index: net/route.c > =================================================================== > RCS file: /data/mirror/openbsd/cvs/src/sys/net/route.c,v > diff -u -p -r1.439 route.c > --- net/route.c 13 Feb 2025 21:01:34 -0000 1.439 > +++ net/route.c 15 Feb 2025 23:13:54 -0000 > @@ -985,7 +985,6 @@ rtrequest(int req, struct rt_addrinfo *i > return (EINVAL); > if ((rt->rt_flags & RTF_CLONING) == 0) > return (EINVAL); > - KASSERT(rt->rt_ifa->ifa_ifp != NULL); > info->rti_ifa = rt->rt_ifa; > info->rti_flags = rt->rt_flags | (RTF_CLONED|RTF_HOST); > info->rti_flags &= ~(RTF_CLONING|RTF_CONNECTED|RTF_STATIC); > @@ -997,6 +996,7 @@ rtrequest(int req, struct rt_addrinfo *i > case RTM_ADD: > if (info->rti_ifa == NULL) > return (EINVAL); > + KASSERT(info->rti_ifa->ifa_ifp != NULL); > ifa = info->rti_ifa; > ifp = ifa->ifa_ifp; > if (prio == 0)
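Review bot: In the first hunk (RTM_RESOLVE, @@ -985,7 +985,6), removing `KASSERT(rt->rt_ifa->ifa_ifp != NULL)` keeps the same coverage only if `info->rti_ifa` still equals `rt->rt_ifa` when control falls through to the new assertion. The lines between `info->rti_flags &= ~(RTF_CLONING|RTF_CONNECTED|RTF_STATIC);` and `case RTM_ADD:` are outside the diff context, so please confirm nothing there reassigns `info->rti_ifa` or leaves the case before the fallthrough. A one-line comment at the fallthrough noting that the assertion under RTM_ADD also covers RTM_RESOLVE would keep that dependency visible.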
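Review bot: In the second hunk (RTM_ADD, @@ -997,6 +996,7), `KASSERT(info->rti_ifa->ifa_ifp != NULL)` changes where the kernel stops but not whether it stops: with DIAGNOSTIC it panics at this line, and in a kernel built without DIAGNOSTIC the KASSERT compiles away and `ifp = ifa->ifa_ifp;` still hands a NULL ifp to the later LINK_STATE_IS_UP(ifp->if_link_state). The mail describes this as a better hint, so the commit message should say it is diagnostic and does not close the syzkaller report. If the reproducer shows this state can be reached by a route request rather than by a broken invariant, the check directly above, `if (info->rti_ifa == NULL) return (EINVAL);`, is the natural place to reject it with an error instead of asserting.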