On Wed, Jun 21, 2017 at 1:08 PM, Cong Wang <xiyou.wangc...@gmail.com> wrote:
> On Wed, Jun 21, 2017 at 10:53 AM, Andrey Konovalov
> <andreyk...@google.com> wrote:
>> On Wed, Jun 21, 2017 at 3:09 PM, Andrey Konovalov <andreyk...@google.com>
>> wrote:
>>> On Wed, Jun 21, 2017 at 2:08 PM, Andrey Konovalov <andreyk...@google.com>
>>> wrote:
>>>> Hi,
>>>>
>>>> I've got the following error report while fuzzing the kernel with
>>>> syzkaller.
>>>>
>>>> On commit 9705596d08ac87c18aee32cc97f2783b7d14624e (4.12-rc6+).
>>>>
>>>> It might be related to:
>>>> https://groups.google.com/forum/#!topic/syzkaller/ZJaqAiFLe3k
>>>>
>>>> I only have a reproducer in the form of a syzkaller program, attached
>>>> together with my .config.
>>>
>>> I now have a C reproducer as well, attached.
>>
>> And here's a much simpler reproducer.
>
> Thanks a lot for your reproducer!
>
> I added a few printk's, and found that we somehow have rt->rt6i_idev set
> to NULL but still keep it in the uncached list. ip6_dst_destroy() unlinks
> it before NULL'ing, so it should not be that case.
Heck... The loopback_dev->ip6_ptr is set to NULL because its mtu is set to smaller than IPV6_MIN_MTU; this is why we have rt->rt6i_idev NULL after a rt6_uncached_list_flush_dev()... I am thinking about the right fix.