Re: general protection fault in fib_dump_info (2)

[Nikolay Aleksandrov]

On 8/21/20 6:27 PM, syzbot wrote:
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit:    da2968ff Merge tag 'pci-v5.9-fixes-1' of git://git.kernel...
> git tree:       upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=137316ca900000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=a0437fdd630bee11
> dashboard link: https://syzkaller.appspot.com/bug?extid=a61aa19b0c14c8770bd9
> compiler:       gcc (GCC) 10.1.0-syz 20200507
> userspace arch: i386
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=12707051900000
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1150a046900000
>
> The issue was bisected to:
>
> commit 0b5e2e39739e861fa5fc84ab27a35dbe62a15330
> Author: David Ahern <dsahern@xxxxxxxxx>
> Date:   Tue May 26 18:56:16 2020 +0000
>
>      nexthop: Expand nexthop_is_multipath in a few places

This seems like a much older bug to me, the code allows to pass 0 groups and
thus we end up without any nh_grp_entry pointers. I reproduced it with a
modified iproute2 that sends an empty NHA_GROUP and then just uses the new
nexthop in any way (e.g. add a route with it). This is the same bug as the
earlier report for: "general protection fault in fib_check_nexthop"

I have a patch but I'll be able to send it tomorrow.

Cheers,
 Nik