This check was removed in commit e6f497955fb6 ("ipv6: Check GATEWAY in rtm_to_fib6_multipath_config().") as part of rt6_qualify_for_ecmp(). The author correctly recognises that rt6_qualify_for_ecmp() returns false if fib_nh_gw_family is set to AF_UNSPEC, but then mistakes AF_UNSPEC for AF_INET6 when reasoning that the check is unnecessary. This means certain malformed entries don't get caught in ip6_route_multipath_add().

This patch reintroduces the AF_UNSPEC check while respecting changes of the initial patch.

Reported-by: syzbot+a259a17220263c2d73fc@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=a259a17220263c2d73fc
Fixes: e6f497955fb6 ("ipv6: Check GATEWAY in rtm_to_fib6_multipath_config().")
Signed-off-by: Maksimilijan Marosevic
--- net/ipv6/route.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/net/ipv6/route.c b/net/ipv6/route.c index 3299cfa12e21..d4b988bed920 100644 --- a/net/ipv6/route.c +++ b/net/ipv6/route.c @@ -5456,6 +5456,14 @@ static int ip6_route_multipath_add(struct fib6_config *cfg, goto cleanup; } + if (rt->fib6_nh->fib_nh_gw_family == AF_UNSPEC) { + err = -EINVAL; + NL_SET_ERR_MSG(extack, + "Device only routes can not be added for IPv6 using the multipath API."); + fib6_info_release(rt); + goto cleanup; + } + rt->fib6_nh->fib_nh_weight = rtnh->rtnh_hops + 1; err = ip6_route_info_append(&rt6_nh_list, rt, &r_cfg); -- 2.50.1
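Review bot: the new block in ip6_route_multipath_add() rejects a nexthop only after rt has been created, and the commit message does not say which "malformed entries" get past the GATEWAY check that the Fixes: commit placed in rtm_to_fib6_multipath_config(). Please describe the input from the syzbot report that reaches this point with fib_nh_gw_family == AF_UNSPEC, so reviewers can judge whether the validation belongs here or in the earlier parsing step. In the error path, rt is released with fib6_info_release(rt) but the pointer is left set before "goto cleanup;", and the cleanup label is outside the visible context; either confirm that cleanup never touches rt or clear it with rt = NULL after the release. A short comment above the "if" explaining why gateway-less nexthops are refused for multipath would also help, since the condition is open-coded here rather than going through rt6_qualify_for_ecmp(), which the commit message names. Minor: "can not" in the extack string should read "cannot", and "Device only" would read better as "Device-only".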