From mboxrd@z Thu Jan  1 00:00:00 1970
From: David Miller <davem@davemloft.net>
Subject: Re: [PATCH net] net/ipv6: prevent use after free in
 ip6_route_mpath_notify
Date: Tue, 05 Jun 2018 09:57:03 -0400 (EDT)
Message-ID: <20180605.095703.1475527736109371832.davem@davemloft.net>
References: <20180604204142.8941-1-dsahern@kernel.org>
Mime-Version: 1.0
Content-Type: Text/Plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Cc: netdev@vger.kernel.org, dsahern@gmail.com, edumazet@google.com
To: dsahern@kernel.org
Return-path: <netdev-owner@vger.kernel.org>
Received: from shards.monkeyblade.net ([184.105.139.130]:36268 "EHLO
        shards.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1752031AbeFEN5F (ORCPT
        <rfc822;netdev@vger.kernel.org>); Tue, 5 Jun 2018 09:57:05 -0400
In-Reply-To: <20180604204142.8941-1-dsahern@kernel.org>
Sender: netdev-owner@vger.kernel.org
List-ID: <netdev.vger.kernel.org>

From: dsahern@kernel.org
Date: Mon,  4 Jun 2018 13:41:42 -0700

> From: David Ahern <dsahern@gmail.com>
> 
> syzbot reported a use-after-free:
 ...
> The problem is that rt_last can point to a deleted route if the insert
> fails.
> 
> One reproducer is to insert a route and then add a multipath route that
> has a duplicate nexthop.e.g,:
>     $ ip -6 ro add vrf red 2001:db8:101::/64 nexthop via 2001:db8:1::2
>     $ ip -6 ro append vrf red 2001:db8:101::/64 nexthop via 2001:db8:1::4 nexthop via 2001:db8:1::2
> 
> Fix by not setting rt_last until the it is verified the insert succeeded.
> 
> Fixes: 3b1137fe7482 ("net: ipv6: Change notifications for multipath add to RTA_MULTIPATH")
> Cc: Eric Dumazet <edumazet@google.com>
> Reported-by: syzbot <syzkaller@googlegroups.com>
> Signed-off-by: David Ahern <dsahern@gmail.com>

Applied and queued up for -stable, thanks David.