From: Jakub Kicinski <kuba@kernel.org>
To: Jiayuan Chen <jiayuan.chen@linux.dev>
Cc: netdev@vger.kernel.org, Jiayuan Chen <jiayuan.chen@shopee.com>,
syzbot+334190e097a98a1b81bb@syzkaller.appspotmail.com,
David Ahern <dsahern@kernel.org>,
"David S. Miller" <davem@davemloft.net>,
Eric Dumazet <edumazet@google.com>,
Paolo Abeni <pabeni@redhat.com>, Simon Horman <horms@kernel.org>,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH net v1] net: nexthop: fix panic when IPv4 route references IPv6 nexthop
Date: Sat, 28 Feb 2026 07:39:59 -0800
Message-ID: <20260228073959.0ef1b33f@kernel.org>
In-Reply-To: <20260228031400.163009-1-jiayuan.chen@linux.dev>

On Sat, 28 Feb 2026 11:13:59 +0800 Jiayuan Chen wrote:
> From: Jiayuan Chen <jiayuan.chen@shopee.com>
>
> fib_check_nexthop() does not validate that the nexthop family matches
> the route family. This allows an IPv4 route to reference an IPv6
> nexthop object. When the IPv4 route is looked up, __mkroute_output()
> accesses nhc->nhc_pcpu_rth_output which is never allocated for IPv6
> nexthops (fib6_nh_init does not call fib_nh_common_init), causing a
> NULL pointer dereference.
>
> Note that this is not about IPv4 routes with IPv6 gateways (RFC 5549),
> which uses an AF_INET nexthop with nhc_gw_family=AF_INET6 and properly
> allocates nhc_pcpu_rth_output via fib_nh_common_init(). The bug here
> is an AF_INET6 nexthop object being directly referenced by an IPv4
> route, which is an invalid combination.
>
> Add the missing family check in fib_check_nexthop(), mirroring what
> fib6_check_nexthop() already does for the reverse direction (rejecting
> IPv6 routes that reference IPv4 nexthop objects).

AFAICT this breaks a bunch of tests, quickest to repro with is
gre_multipath_nh.sh but you should probably run fib_nexthops.sh
on your fix as well.

> Reproducer:
>
> unshare -rn
> ip link set lo up
> ip nexthop add id 100 via fe80::1 dev lo
> ip route add 172.20.20.0/24 nhid 100
> ping -c1 172.20.20.1

--
pw-bot: cr