net/ipv6/route.c | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-)
In function rt6_nlmsg_size(), the length of nexthop is calculated
by multipling the nexthop length of fib6_info and the number of
siblings. However if the fib6_info has no lwtunnel but the siblings
have lwtunnels, the nexthop length is less than it should be, and
it will trigger a warning in inet6_rt_notify() as follows:
WARNING: CPU: 0 PID: 6082 at net/ipv6/route.c:6180 inet6_rt_notify+0x120/0x130
......
Call Trace:
<TASK>
fib6_add_rt2node+0x685/0xa30
fib6_add+0x96/0x1b0
ip6_route_add+0x50/0xd0
inet6_rtm_newroute+0x97/0xa0
rtnetlink_rcv_msg+0x156/0x3d0
netlink_rcv_skb+0x5a/0x110
netlink_unicast+0x246/0x350
netlink_sendmsg+0x250/0x4c0
sock_sendmsg+0x66/0x70
___sys_sendmsg+0x7c/0xd0
__sys_sendmsg+0x5d/0xb0
do_syscall_64+0x3f/0x90
entry_SYSCALL_64_after_hwframe+0x72/0xdc
This bug can be reproduced by script:
ip -6 addr add 2002::2/64 dev ens2
ip -6 route add 100::/64 via 2002::1 dev ens2 metric 100
for i in 10 20 30 40 50 60 70;
do
ip link add link ens2 name ipv_$i type ipvlan
ip -6 addr add 2002::$i/64 dev ipv_$i
ifconfig ipv_$i up
done
for i in 10 20 30 40 50 60;
do
ip -6 route append 100::/64 encap ip6 dst 2002::$i via 2002::1
dev ipv_$i metric 100
done
ip -6 route append 100::/64 via 2002::1 dev ipv_70 metric 100
This patch fixes it by adding nexthop_len of every siblings using
rt6_nh_nlmsg_size().
Fixes: beb1afac518d ("net: ipv6: Add support to dump multipath routes via RTA_MULTIPATH attribute")
Signed-off-by: Lu Wei <luwei32@huawei.com>
---
net/ipv6/route.c | 11 ++++++-----
1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/net/ipv6/route.c b/net/ipv6/route.c
index c180c2ef17c5..0fdb03df2287 100644
--- a/net/ipv6/route.c
+++ b/net/ipv6/route.c
@@ -5533,16 +5533,17 @@ static size_t rt6_nlmsg_size(struct fib6_info *f6i)
nexthop_for_each_fib6_nh(f6i->nh, rt6_nh_nlmsg_size,
&nexthop_len);
} else {
+ struct fib6_info *sibling, *next_sibling;
struct fib6_nh *nh = f6i->fib6_nh;
nexthop_len = 0;
if (f6i->fib6_nsiblings) {
- nexthop_len = nla_total_size(0) /* RTA_MULTIPATH */
- + NLA_ALIGN(sizeof(struct rtnexthop))
- + nla_total_size(16) /* RTA_GATEWAY */
- + lwtunnel_get_encap_size(nh->fib_nh_lws);
+ rt6_nh_nlmsg_size(nh, &nexthop_len);
- nexthop_len *= f6i->fib6_nsiblings;
+ list_for_each_entry_safe(sibling, next_sibling,
+ &f6i->fib6_siblings, fib6_siblings) {
+ rt6_nh_nlmsg_size(sibling->fib6_nh, &nexthop_len);
+ }
}
nexthop_len += lwtunnel_get_encap_size(nh->fib_nh_lws);
}
--
2.31.1On 2/22/23 1:36 AM, Lu Wei wrote:
> In function rt6_nlmsg_size(), the length of nexthop is calculated
> by multipling the nexthop length of fib6_info and the number of
> siblings. However if the fib6_info has no lwtunnel but the siblings
> have lwtunnels, the nexthop length is less than it should be, and
> it will trigger a warning in inet6_rt_notify() as follows:
>
> WARNING: CPU: 0 PID: 6082 at net/ipv6/route.c:6180 inet6_rt_notify+0x120/0x130
> ......
> Call Trace:
> <TASK>
> fib6_add_rt2node+0x685/0xa30
> fib6_add+0x96/0x1b0
> ip6_route_add+0x50/0xd0
> inet6_rtm_newroute+0x97/0xa0
> rtnetlink_rcv_msg+0x156/0x3d0
> netlink_rcv_skb+0x5a/0x110
> netlink_unicast+0x246/0x350
> netlink_sendmsg+0x250/0x4c0
> sock_sendmsg+0x66/0x70
> ___sys_sendmsg+0x7c/0xd0
> __sys_sendmsg+0x5d/0xb0
> do_syscall_64+0x3f/0x90
> entry_SYSCALL_64_after_hwframe+0x72/0xdc
>
> This bug can be reproduced by script:
>
> ip -6 addr add 2002::2/64 dev ens2
> ip -6 route add 100::/64 via 2002::1 dev ens2 metric 100
>
> for i in 10 20 30 40 50 60 70;
> do
> ip link add link ens2 name ipv_$i type ipvlan
> ip -6 addr add 2002::$i/64 dev ipv_$i
> ifconfig ipv_$i up
> done
>
> for i in 10 20 30 40 50 60;
> do
> ip -6 route append 100::/64 encap ip6 dst 2002::$i via 2002::1
> dev ipv_$i metric 100
> done
>
> ip -6 route append 100::/64 via 2002::1 dev ipv_70 metric 100
>
> This patch fixes it by adding nexthop_len of every siblings using
> rt6_nh_nlmsg_size().
>
> Fixes: beb1afac518d ("net: ipv6: Add support to dump multipath routes via RTA_MULTIPATH attribute")
> Signed-off-by: Lu Wei <luwei32@huawei.com>
> ---
> net/ipv6/route.c | 11 ++++++-----
> 1 file changed, 6 insertions(+), 5 deletions(-)
>
Reviewed-by: David Ahern <dsahern@kernel.org>
© 2016 - 2025 Red Hat, Inc.