From: Sabrina Dubroca <sd@queasysnail.net>
To: Purva Yeshi <purvayeshi550@gmail.com>
Cc: "David S . Miller" <davem@davemloft.net>,
David Ahern <dsahern@kernel.org>,
Eric Dumazet <edumazet@google.com>,
Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>,
Simon Horman <horms@kernel.org>,
netdev@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] net: ipv6: Fix NULL dereference in ipv6_route_check_nh
Date: Wed, 26 Mar 2025 13:57:34 +0100 [thread overview]
Message-ID: <Z-P5vvrdA5MHMW_o@krikkit> (raw)
In-Reply-To: <20250326105215.23853-1-purvayeshi550@gmail.com>
2025-03-26, 16:22:15 +0530, Purva Yeshi wrote:
> Fix Smatch-detected error:
> net/ipv6/route.c:3427 ip6_route_check_nh() error:
> we previously assumed '_dev' could be null
I don't think this can actually happen. ip6_route_check_nh only gets
called via fib6_nh_init -> ip6_validate_gw -> ip6_route_check_nh, and
ip6_validate_gw unconditionally does dev = *_dev. Which is fine,
because its only caller (fib6_nh_init) passes &dev, so that can't be
NULL (and same for idev).
> Ensure _dev and idev are checked for NULL before dereferencing in
> ip6_route_check_nh. Assign NULL explicitly when fib_nh_dev is NULL
> to prevent unintended dereferences.
That's a separate issue (if it's really possible - I haven't checked)
than the smatch report you're quoting above. And if it is, it would
deserve a Fixes tag for the commit introducing this code.
>
> Signed-off-by: Purva Yeshi <purvayeshi550@gmail.com>
> ---
> net/ipv6/route.c | 17 ++++++++++++++---
> 1 file changed, 14 insertions(+), 3 deletions(-)
>
> diff --git a/net/ipv6/route.c b/net/ipv6/route.c
> index ef2d23a1e3d5..ad5b3098eba0 100644
> --- a/net/ipv6/route.c
> +++ b/net/ipv6/route.c
> @@ -3424,9 +3424,20 @@ static int ip6_route_check_nh(struct net *net,
> if (dev != res.nh->fib_nh_dev)
> err = -EHOSTUNREACH;
> } else {
> - *_dev = dev = res.nh->fib_nh_dev;
> - netdev_hold(dev, dev_tracker, GFP_ATOMIC);
> - *idev = in6_dev_get(dev);
> + if (res.nh->fib_nh_dev) { /* Ensure fib_nh_dev is valid */
I don't think any of these comments are particularly helpful. It's
pretty clear that you're checking for NULL/setting NULL in all those
cases.
> + dev = res.nh->fib_nh_dev;
> +
> + if (_dev) /* Only assign if _dev is not NULL */
> + *_dev = dev;
> +
> + netdev_hold(dev, dev_tracker, GFP_ATOMIC);
> + *idev = in6_dev_get(dev);
> + } else {
> + if (_dev)
> + *_dev = NULL; /* Explicitly set NULL */
> + if (idev)
> + *idev = NULL; /* Explicitly set NULL */
> + }
> }
>
> return err;
--
Sabrina
next prev parent reply other threads:[~2025-03-26 12:57 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-03-26 10:52 [PATCH] net: ipv6: Fix NULL dereference in ipv6_route_check_nh Purva Yeshi
2025-03-26 12:57 ` Sabrina Dubroca [this message]
2025-03-27 13:41 ` David Ahern
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=Z-P5vvrdA5MHMW_o@krikkit \
--to=sd@queasysnail.net \
--cc=davem@davemloft.net \
--cc=dsahern@kernel.org \
--cc=edumazet@google.com \
--cc=horms@kernel.org \
--cc=kuba@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=purvayeshi550@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.