From mboxrd@z Thu Jan  1 00:00:00 1970
From: Eric Dumazet <eric.dumazet@gmail.com>
Subject: Re: [PATCH net] net/ipv6: prevent use after free in
 ip6_route_mpath_notify
Date: Mon, 4 Jun 2018 13:45:43 -0700
Message-ID: <b5092b96-9e0e-c5e5-8042-06f3ce5b0c78@gmail.com>
References: <20180604204142.8941-1-dsahern@kernel.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
Cc: David Ahern <dsahern@gmail.com>, Eric Dumazet <edumazet@google.com>
To: dsahern@kernel.org, netdev@vger.kernel.org
Return-path: <netdev-owner@vger.kernel.org>
Received: from mail-pg0-f66.google.com ([74.125.83.66]:42358 "EHLO
        mail-pg0-f66.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1750997AbeFDUpp (ORCPT
        <rfc822;netdev@vger.kernel.org>); Mon, 4 Jun 2018 16:45:45 -0400
Received: by mail-pg0-f66.google.com with SMTP id p9-v6so12399pgc.9
        for <netdev@vger.kernel.org>; Mon, 04 Jun 2018 13:45:45 -0700 (PDT)
In-Reply-To: <20180604204142.8941-1-dsahern@kernel.org>
Content-Language: en-US
Sender: netdev-owner@vger.kernel.org
List-ID: <netdev.vger.kernel.org>



On 06/04/2018 01:41 PM, dsahern@kernel.org wrote:
> From: David Ahern <dsahern@gmail.com>
> 
> syzbot reported a use-after-free:
> 
> BUG: KASAN: use-after-free in ip6_route_mpath_notify+0xe9/0x100 net/ipv6/route.c:4180
> Read of size 4 at addr ffff8801bf789cf0 by task syz-executor756/4555
> 
> Fix by not setting rt_last until the it is verified the insert succeeded.
> 
> Fixes: 3b1137fe7482 ("net: ipv6: Change notifications for multipath add to RTA_MULTIPATH")
> Cc: Eric Dumazet <edumazet@google.com>
> Reported-by: syzbot <syzkaller@googlegroups.com>
> Signed-off-by: David Ahern <dsahern@gmail.com>
> ---

Reviewed-by: Eric Dumazet <edumazet@google.com>

Thanks David !