Re: [PATCH net v1] net: nexthop: fix panic when IPv4 route references IPv6 nexthop

["Jiayuan Chen" <jiayuan.chen@linux.dev>]

March 1, 2026 at 01:04, "Eric Dumazet" <edumazet@google.com mailto:edumazet@google.com?to=%22Eric%20Dumazet%22%20%3Cedumazet%40google.com%3E > wrote:


> 
> On Sat, Feb 28, 2026 at 5:33 PM David Ahern <dsahern@kernel.org> wrote:
> 
> > 
> > On 2/28/26 8:39 AM, Jakub Kicinski wrote:
> >  On Sat, 28 Feb 2026 11:13:59 +0800 Jiayuan Chen wrote:
> >  From: Jiayuan Chen <jiayuan.chen@shopee.com>
> > 
> >  fib_check_nexthop() does not validate that the nexthop family matches
> >  the route family. This allows an IPv4 route to reference an IPv6
> >  nexthop object. When the IPv4 route is looked up, __mkroute_output()
> >  accesses nhc->nhc_pcpu_rth_output which is never allocated for IPv6
> >  nexthops (fib6_nh_init does not call fib_nh_common_init), causing a
> >  NULL pointer dereference.
> > 
> >  Note that this is not about IPv4 routes with IPv6 gateways (RFC 5549),
> >  which uses an AF_INET nexthop with nhc_gw_family=AF_INET6 and properly
> >  allocates nhc_pcpu_rth_output via fib_nh_common_init(). The bug here
> >  is an AF_INET6 nexthop object being directly referenced by an IPv4
> >  route, which is an invalid combination.
> > 
> >  Add the missing family check in fib_check_nexthop(), mirroring what
> >  fib6_check_nexthop() already does for the reverse direction (rejecting
> >  IPv6 routes that reference IPv4 nexthop objects).
> > 
> >  AFAICT this breaks a bunch of tests, quickest to repro with is
> >  gre_multipath_nh.sh but you should probably run fib_nexthops.sh
> >  on your fix as well.
> > 
> >  nothing to fix. The patch is wrong. IPv4 supports IPv6 gateways; that is
> >  a known feature.
> > 
> >  please post the stack trace for the panic
> > 
> https://lore.kernel.org/all/698f8482.a70a0220.2c38d7.00ca.GAE@google.com/T/
>


My bad, the previous fix was wrong - IPv4 routes referencing IPv6
nexthop objects is totally via this path.

The crash actually only happens with loopback nexthops, e.g.:

    ip nexthop add id 100 via fe80::1 dev lo

In fib6_nh_init(), nexthop objects always have fc_dst=:: (no
destination prefix), so fib6_is_reject() returns true for any
nexthop using loopback device. This causes it to skip
fib_nh_common_init(), leaving nhc_pcpu_rth_output, nhc_exceptions
and nhc_rth_input all NULL. When an IPv4 route later references
this nexthop, __mkroute_output() hits raw_cpu_ptr(NULL) and crashes.

The simplest fix is just allocating nhc_pcpu_rth_output in the
reject path of fib6_nh_init(). The release path already handles
it correctly.


diff --git a/net/ipv6/route.c b/net/ipv6/route.c
index c0350d97307e..4e7c44101709 100644
--- a/net/ipv6/route.c
+++ b/net/ipv6/route.c
@@ -3643,6 +3643,12 @@ int fib6_nh_init(struct net *net, struct fib6_nh *fib6_nh,
                                goto out;
                        }
                }
+               fib6_nh->nh_common.nhc_pcpu_rth_output =
+                       alloc_percpu_gfp(struct rtable __rcu *, gfp_flags);
+               if (!fib6_nh->nh_common.nhc_pcpu_rth_output) {
+                       err = -ENOMEM;
+                       goto out;
+               }
                goto pcpu_alloc;
        }


./fib_nexthops.sh
Tests passed: 244
Tests failed:   0
Tests skipped:  2
root@bms-ytl-d1-ap