On 10/2/19 3:23 PM, Eric Dumazet wrote:
>
> On 10/2/19 2:08 PM, Eric Dumazet wrote:
>>
>> On 10/1/19 11:18 AM, Eric Dumazet wrote:
>>>
>>> On 9/30/19 8:28 PM, David Ahern wrote:
>>>> From: David Ahern <dsah...@gmail.com>
>>>>
>>>> Rajendra reported a kernel panic when a link was taken down:
>>>>
>>>> [ 6870.263084] BUG: unable to handle kernel NULL pointer dereference at 00000000000000a8
>>>> [ 6870.271856] IP: [<ffffffff8efc5764>] __ipv6_ifa_notify+0x154/0x290
>>>>
>>>> <snip>
>>>>
>>>
>>> Reviewed-by: Eric Dumazet <eduma...@google.com>
>>>
>>> Thanks !
>>>
>>
>> Apparently this patch causes problems. I have yet to make an analysis.
Ugh. I presume syzbot? Can you forward the stack trace?

> It seems we need to allow the code to do some changes if IF_READY is not set.
>
> WDYT ?
>
> diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
> index dd3be06d5a066e494617d4917c757eae19340d4d..e8181a3700213b9574ea25130689c9218236245d 100644
> --- a/net/ipv6/addrconf.c
> +++ b/net/ipv6/addrconf.c
> @@ -4035,7 +4035,7 @@ static void addrconf_dad_work(struct work_struct *w)
> /* check if device was taken down before this delayed work
> * function could be canceled
> */
> - if (idev->dead || !(idev->if_flags & IF_READY))
> + if (idev->dead)
> goto out;
>
> spin_lock_bh(&ifp->lock);
> @@ -4083,6 +4083,11 @@ static void addrconf_dad_work(struct work_struct *w)
> goto out;
>
> write_lock_bh(&idev->lock);
> + if (!(idev->if_flags & IF_READY)) {
> + write_unlock_bh(&idev->lock);
> + goto out;
> + }

That restores the original BUG() - i.e., the reason for this patch. The IF_READY flag needs to be checked before the call to addrconf_dad_begin.

> +
> spin_lock(&ifp->lock);
> if (ifp->state == INET6_IFADDR_STATE_DEAD) {
> spin_unlock(&ifp->lock);
>
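Review bot: in the first hunk (@@ -4035), once `!(idev->if_flags & IF_READY)` is removed from the early exit, the only guard left at that point is `idev->dead`, so a device that is up but not yet IF_READY now falls through to every path between this check and the new one at line 4083. The change description should name which of those paths actually needs to run while IF_READY is clear, since "allow the code to do some changes if IF_READY is not set" is the whole motivation and a reader cannot tell from the hunk which path that is.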
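Review bot: in the second hunk (@@ -4083), the new IF_READY test is placed after `write_lock_bh(&idev->lock)` and the `write_unlock_bh` before `goto out` is correctly paired, but as the reply in the thread points out it sits after the point where the original patch needed the check, so the crash that patch fixed becomes reachable again. If the intent is to let some work proceed on a not-ready device, keep the IF_READY check at the first exit and carve out only the specific case that must run, rather than moving the whole check down to here.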