From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1751940AbdFUUJD (ORCPT <rfc822;w@1wt.eu>);
        Wed, 21 Jun 2017 16:09:03 -0400
Received: from mail-wr0-f181.google.com ([209.85.128.181]:34476 "EHLO
        mail-wr0-f181.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1751083AbdFUUJB (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 21 Jun 2017 16:09:01 -0400
MIME-Version: 1.0
In-Reply-To: <CAAeHK+xGdXtfTxNE0g71-Ffkvj+6qy4At15WisvBbXMQ4EUqNQ@mail.gmail.com>
References: <CAAeHK+z0TdpY83FiMtHBMChEQgE+0-+8roNFVzM5Uo-duCgpVA@mail.gmail.com>
 <CAAeHK+wuKeG6HhvuP89DNXYE+Okq7HDdJ+OgYGoK+FN-k=w+fA@mail.gmail.com> <CAAeHK+xGdXtfTxNE0g71-Ffkvj+6qy4At15WisvBbXMQ4EUqNQ@mail.gmail.com>
From: Cong Wang <xiyou.wangcong@gmail.com>
Date: Wed, 21 Jun 2017 13:08:39 -0700
Message-ID: <CAM_iQpWeWTqBzjj1iju_Vxr5vgr58wRUn-xuSrLqmsd98HpxcQ@mail.gmail.com>
Subject: Re: net/ipv6: GPF in rt6_ifdown
To: Andrey Konovalov <andreyknvl@google.com>
Cc: "David S. Miller" <davem@davemloft.net>,
        Alexey Kuznetsov <kuznet@ms2.inr.ac.ru>,
        James Morris <jmorris@namei.org>,
        Hideaki YOSHIFUJI <yoshfuji@linux-ipv6.org>,
        Patrick McHardy <kaber@trash.net>, netdev <netdev@vger.kernel.org>,
        LKML <linux-kernel@vger.kernel.org>,
        Eric Dumazet <edumazet@google.com>,
        David Ahern <dsa@cumulusnetworks.com>,
        Dmitry Vyukov <dvyukov@google.com>, Kostya Serebryany <kcc@google.com>,
        syzkaller <syzkaller@googlegroups.com>
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, Jun 21, 2017 at 10:53 AM, Andrey Konovalov
<andreyknvl@google.com> wrote:
> On Wed, Jun 21, 2017 at 3:09 PM, Andrey Konovalov <andreyknvl@google.com> wrote:
>> On Wed, Jun 21, 2017 at 2:08 PM, Andrey Konovalov <andreyknvl@google.com> wrote:
>>> Hi,
>>>
>>> I've got the following error report while fuzzing the kernel with syzkaller.
>>>
>>> On commit 9705596d08ac87c18aee32cc97f2783b7d14624e (4.12-rc6+).
>>>
>>> It might be related to:
>>> https://groups.google.com/forum/#!topic/syzkaller/ZJaqAiFLe3k
>>>
>>> I only have a reproducer in the form of a syzkaller program, attached
>>> together with my .config.
>>
>> I now have a C reproducer as well, attached.
>
> And here's a much simpler reproducer.

Thanks a lot for your reproducer!

I added a few printk's, and find that we somehow have rt->rt6i_idev set
to NULL but still keep it in the uncached list. ip6_dst_destroy() unlinks
it before NULL'ing, so it should not be that case.