syzbot <syzbot+1e0edc4b8b7494c28...@syzkaller.appspotmail.com> wrote:

I *think* the reproducer boils down to the attached, but I can't get syzkaller
to work and the attached sample does not cause the oops to occur.  Can you try
it in your environment?

> The bug was bisected to:
> 
> commit 46894a13599a977ac35411b536fb3e0b2feefa95
> Author: David Howells <dhowe...@redhat.com>
> Date:   Thu Oct 4 08:32:28 2018 +0000
> 
>     rxrpc: Use IPv4 addresses throught the IPv6

This might not be the correct bisection point.  If you look at the attached
sample, you're mixing AF_INET and AF_INET6.  If you try AF_INET throughout,
that might get a different point.  On the other hand, since you've bound the
socket, the AF_INET6 passed to socket() should be ignored.

David
---
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <arpa/inet.h>
#include <linux/rxrpc.h>

static const unsigned char inet4_addr[4] = {
        0xe0, 0x00, 0x00, 0x01
};

int main(void)
{
        struct sockaddr_rxrpc srx;
        int fd;

        memset(&srx, 0, sizeof(srx));
        srx.srx_family                  = AF_RXRPC;
        srx.srx_service                 = 0;
        srx.transport_type              = AF_INET;
        srx.transport_len               = sizeof(srx.transport.sin);
        srx.transport.sin.sin_family    = AF_INET;
        srx.transport.sin.sin_port      = htons(0x4e21);
        memcpy(&srx.transport.sin.sin_addr, inet4_addr, 4);

        fd = socket(AF_RXRPC, SOCK_DGRAM, AF_INET6);
        if (fd == -1) {
                perror("socket");
                exit(1);
        }

        if (bind(fd, (struct sockaddr *)&srx, sizeof(srx)) == -1) {
                perror("bind");
                exit(1);
        }

        sleep(20);

        // Whilst sleeping, hit with:
        // echo -e '\0\0\0\0\0\0\0\0' | ncat -4u --send-only 224.0.0.1 20001
        
        return 0;
}

Reply via email to