From: Ido Schimmel <idosch@nvidia.com>
To: Fernando Fernandez Mancera <fmancera@suse.de>
Cc: netdev@vger.kernel.org, amwang@redhat.com, sdf@fomichev.me,
petrm@nvidia.com, razor@blackwall.org, pabeni@redhat.com,
kuba@kernel.org, edumazet@google.com, davem@davemloft.net,
andrew+netdev@lunn.ch
Subject: Re: [PATCH net] net: vxlan: fix nd_tbl NULL dereference when IPv6 is disabled
Date: Sun, 1 Mar 2026 17:54:13 +0200 [thread overview]
Message-ID: <20260301155413.GA755501@shredder> (raw)
In-Reply-To: <20260227112701.3990-1-fmancera@suse.de>
On Fri, Feb 27, 2026 at 12:27:01PM +0100, Fernando Fernandez Mancera wrote:
> When booting with the 'ipv6.disable=1' parameter, the nd_tbl is never
> initialized because inet6_init() exits before ndisc_init() is called
> which initializes it. If an IPv6 packet is injected into the interface,
> route_shortcircuit() is called and a NULL pointer dereference happens on
> neigh_lookup().
[...]
>
> Fix this by adding an early check on route_shortcircuit() when protocol
> is IPv6. If ipv6_stub->nd_tbl is NULL, return false.
>
> Fixes: e15a00aafa4b ("vxlan: add ipv6 route short circuit support")
> Signed-off-by: Fernando Fernandez Mancera <fmancera@suse.de>
> ---
> drivers/net/vxlan/vxlan_core.c | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/drivers/net/vxlan/vxlan_core.c b/drivers/net/vxlan/vxlan_core.c
> index 05558b6afecd..cbb9d1a2d8f9 100644
> --- a/drivers/net/vxlan/vxlan_core.c
> +++ b/drivers/net/vxlan/vxlan_core.c
> @@ -2130,6 +2130,8 @@ static bool route_shortcircuit(struct net_device *dev, struct sk_buff *skb)
> {
> struct ipv6hdr *pip6;
>
> + if (!ipv6_stub->nd_tbl)
I was wondering why neigh_reduce() doesn't need a similar fix, but then
I realized that's probably because of the __in6_dev_get() check earlier
in the function. Maybe do the same here for consistency and mention that
it relies on commit 804b09be09f8 ("vxlan: Add RCU read-side critical
sections in the Tx path")?
If you still prefer the current approach, then I would use
ipv6_mod_enabled() instead of the NULL check.
> + return false;
> if (!pskb_may_pull(skb, sizeof(struct ipv6hdr)))
> return false;
> pip6 = ipv6_hdr(skb);
> --
> 2.53.0
>
next prev parent reply other threads:[~2026-03-01 15:54 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-02-27 11:27 [PATCH net] net: vxlan: fix nd_tbl NULL dereference when IPv6 is disabled Fernando Fernandez Mancera
2026-03-01 15:54 ` Ido Schimmel [this message]
2026-03-01 18:23 ` Fernando Fernandez Mancera
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260301155413.GA755501@shredder \
--to=idosch@nvidia.com \
--cc=amwang@redhat.com \
--cc=andrew+netdev@lunn.ch \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=fmancera@suse.de \
--cc=kuba@kernel.org \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=petrm@nvidia.com \
--cc=razor@blackwall.org \
--cc=sdf@fomichev.me \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.