public inbox for linux-kselftest@vger.kernel.org
* [PATCH net v1 1/2] nexthop: fix IPv6 route referencing IPv4 nexthop
@ 2026-04-13 11:45 Jiayuan Chen
  2026-04-13 11:45 ` [PATCH net v1 2/2] selftests: fib_nexthops: test stale has_v4 on nexthop replace Jiayuan Chen
                   ` (2 more replies)
  0 siblings, 3 replies; 5+ messages in thread
From: Jiayuan Chen @ 2026-04-13 11:45 UTC (permalink / raw)
  To: netdev
  Cc: Jiayuan Chen, David Ahern, David S. Miller, Eric Dumazet,
	Jakub Kicinski, Paolo Abeni, Simon Horman, Shuah Khan,
	linux-kernel, linux-kselftest

syzbot reported a panic [1] [2].

When an IPv6 nexthop is replaced with an IPv4 nexthop, the has_v4 flag
of all groups containing this nexthop is not updated. This is because
nh_group_v4_update is only called when replacing AF_INET to AF_INET6,
but the reverse direction (AF_INET6 to AF_INET) is missed.

This allows a stale has_v4=false to bypass fib6_check_nexthop, causing
IPv6 routes to be attached to groups that effectively contain only AF_INET
members. Subsequent route lookups then call nexthop_fib6_nh() which
returns NULL for the AF_INET member, leading to a NULL pointer
dereference.

Fix by calling nh_group_v4_update whenever the family changes, not just
AF_INET to AF_INET6.

Reproducer:
	# AF_INET6 blackhole
	ip -6 nexthop add id 1 blackhole
	# group with has_v4=false
	ip nexthop add id 100 group 1
	# replace with AF_INET (no -6), has_v4 stays false
	ip nexthop replace id 1 blackhole
	# pass stale has_v4 check
	ip -6 route add 2001:db8::/64 nhid 100
	# panic
	ping -6 2001:db8::1

[1] https://syzkaller.appspot.com/bug?id=e17283eb2f8dcf3dd9b47fe6f67a95f71faadad0
[2] https://syzkaller.appspot.com/bug?id=8699b6ae54c9f35837d925686208402949e12ef3
Fixes: 7bf4796dd099 ("nexthops: add support for replace")
Signed-off-by: Jiayuan Chen <jiayuan.chen@linux.dev>
---
 net/ipv4/nexthop.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/ipv4/nexthop.c b/net/ipv4/nexthop.c
index 2c9036c719b6..11a763cbc848 100644
--- a/net/ipv4/nexthop.c
+++ b/net/ipv4/nexthop.c
@@ -2466,10 +2466,10 @@ static int replace_nexthop_single(struct net *net, struct nexthop *old,
 			goto err_notify;
 	}
 
-	/* When replacing an IPv4 nexthop with an IPv6 nexthop, potentially
+	/* When replacing a nexthop with one of a different family, potentially
 	 * update IPv4 indication in all the groups using the nexthop.
 	 */
-	if (oldi->family == AF_INET && newi->family == AF_INET6) {
+	if (oldi->family != newi->family) {
 		list_for_each_entry(nhge, &old->grp_list, nh_list) {
 			struct nexthop *nhp = nhge->nh_parent;
 			struct nh_group *nhg;
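Review bot: With the test widened to `if (oldi->family != newi->family)`, the loop under it now also runs for an AF_INET6 to AF_INET replace, where the group's IPv4 indication has to go from false to true. The loop body is outside this context, so please confirm that the per-group update recomputes the indication from the group's members rather than only clearing it, which was all the AF_INET to AF_INET6 direction needed. The rewritten comment ("one of a different family") also no longer names either direction; spelling out that both AF_INET to AF_INET6 and AF_INET6 to AF_INET change the indication would keep a later reader from narrowing the condition again.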
-- 
2.43.0



* [PATCH net v1 2/2] selftests: fib_nexthops: test stale has_v4 on nexthop replace
  2026-04-13 11:45 [PATCH net v1 1/2] nexthop: fix IPv6 route referencing IPv4 nexthop Jiayuan Chen
@ 2026-04-13 11:45 ` Jiayuan Chen
  2026-04-13 14:47   ` David Ahern
  2026-04-13 14:46 ` [PATCH net v1 1/2] nexthop: fix IPv6 route referencing IPv4 nexthop David Ahern
  2026-04-16 12:00 ` patchwork-bot+netdevbpf
  2 siblings, 1 reply; 5+ messages in thread
From: Jiayuan Chen @ 2026-04-13 11:45 UTC (permalink / raw)
  To: netdev
  Cc: Jiayuan Chen, David Ahern, David S. Miller, Eric Dumazet,
	Jakub Kicinski, Paolo Abeni, Simon Horman, Shuah Khan,
	linux-kernel, linux-kselftest

Add test cases that exercise the scenario where an IPv6 nexthop is
replaced with an IPv4 nexthop while being part of a group. The group's
has_v4 flag must be updated so that subsequent IPv6 route additions are
properly rejected.

Two cases are covered:
  1. Gateway nexthop replaced across families with an existing IPv6
     route on the group (rejected by fib6_check_nh_list).
  2. Blackhole nexthop replaced across families with no existing IPv6
     route on the group (fib6_check_nh_list returns early) — this is
     the path that triggers a NULL ptr deref without the kernel fix.

Signed-off-by: Jiayuan Chen <jiayuan.chen@linux.dev>
---
 tools/testing/selftests/net/fib_nexthops.sh | 22 +++++++++++++++++++++
 1 file changed, 22 insertions(+)

diff --git a/tools/testing/selftests/net/fib_nexthops.sh b/tools/testing/selftests/net/fib_nexthops.sh
index 6eb7f95e70e1..ac868a731694 100755
--- a/tools/testing/selftests/net/fib_nexthops.sh
+++ b/tools/testing/selftests/net/fib_nexthops.sh
@@ -1209,6 +1209,28 @@ ipv6_fcnal_runtime()
 	run_cmd "$IP ro replace 2001:db8:101::1/128 nhid 124"
 	log_test $? 0 "IPv6 route using a group after replacing v4 gateways"
 
+	# Replacing an IPv6 nexthop with an IPv4 nexthop should update has_v4
+	# for all groups using it, preventing IPv6 routes from referencing the
+	# group after the replace.
+	run_cmd "$IP nexthop add id 89 via 2001:db8:91::2 dev veth1"
+	run_cmd "$IP nexthop add id 125 group 89"
+	run_cmd "$IP nexthop replace id 89 via 172.16.1.1 dev veth1"
+	run_cmd "$IP ro replace 2001:db8:101::1/128 nhid 125"
+	log_test $? 2 "IPv6 route can not use group after v6 nexthop replaced by v4"
+
+	# Same scenario but with a blackhole nexthop: the group has no IPv6
+	# routes yet when the replace happens, so fib6_check_nh_list returns
+	# early without checking. has_v4 must still be updated to block
+	# subsequent IPv6 route additions.
+	run_cmd "$IP nexthop flush >/dev/null 2>&1"
+	run_cmd "$IP -6 nexthop add id 90 blackhole"
+	run_cmd "$IP nexthop add id 125 group 90"
+	run_cmd "$IP nexthop replace id 90 blackhole"
+	run_cmd "$IP -6 ro add 2001:db8:101::1/128 nhid 125"
+	log_test $? 2 "IPv6 route reject v6 blackhole replaced by v4 blackhole"
+	run_cmd "ip netns exec $me ping -6 2001:db8:101::1 -c1 -w$PING_TIMEOUT"
+	log_test $? 2 "Ping unreachable after rejected route"
+
 	$IP nexthop flush >/dev/null 2>&1
 
 	#
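Review bot: The final check, `log_test $? 2 "Ping unreachable after rejected route"`, relies on ping exiting with status 2 (an error such as no route to the destination) rather than 1 (no reply received), so it only holds while nothing else in $me covers 2001:db8:101::1. A one-line comment stating why 2 is expected, and that the ping is there to exercise the lookup path that dereferenced NULL before the fix, would make the intent clear. As a style point, the flush in the blackhole case is wrapped as `run_cmd "$IP nexthop flush >/dev/null 2>&1"` with the redirection inside the quoted string, while the flush at the end of the block is called directly; using one form for both would be more consistent.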
-- 
2.43.0



* Re: [PATCH net v1 1/2] nexthop: fix IPv6 route referencing IPv4 nexthop
  2026-04-13 11:45 [PATCH net v1 1/2] nexthop: fix IPv6 route referencing IPv4 nexthop Jiayuan Chen
  2026-04-13 11:45 ` [PATCH net v1 2/2] selftests: fib_nexthops: test stale has_v4 on nexthop replace Jiayuan Chen
@ 2026-04-13 14:46 ` David Ahern
  2026-04-16 12:00 ` patchwork-bot+netdevbpf
  2 siblings, 0 replies; 5+ messages in thread
From: David Ahern @ 2026-04-13 14:46 UTC (permalink / raw)
  To: Jiayuan Chen, netdev
  Cc: David S. Miller, Eric Dumazet, Jakub Kicinski, Paolo Abeni,
	Simon Horman, Shuah Khan, linux-kernel, linux-kselftest

On 4/13/26 5:45 AM, Jiayuan Chen wrote:
> syzbot reported a panic [1] [2].
> 
> When an IPv6 nexthop is replaced with an IPv4 nexthop, the has_v4 flag
> of all groups containing this nexthop is not updated. This is because
> nh_group_v4_update is only called when replacing AF_INET to AF_INET6,
> but the reverse direction (AF_INET6 to AF_INET) is missed.
> 
> This allows a stale has_v4=false to bypass fib6_check_nexthop, causing
> IPv6 routes to be attached to groups that effectively contain only AF_INET
> members. Subsequent route lookups then call nexthop_fib6_nh() which
> returns NULL for the AF_INET member, leading to a NULL pointer
> dereference.
> 
> Fix by calling nh_group_v4_update whenever the family changes, not just
> AF_INET to AF_INET6.
> 
> Reproducer:
> 	# AF_INET6 blackhole
> 	ip -6 nexthop add id 1 blackhole
> 	# group with has_v4=false
> 	ip nexthop add id 100 group 1
> 	# replace with AF_INET (no -6), has_v4 stays false
> 	ip nexthop replace id 1 blackhole
> 	# pass stale has_v4 check
> 	ip -6 route add 2001:db8::/64 nhid 100
> 	# panic
> 	ping -6 2001:db8::1
> 
> [1] https://syzkaller.appspot.com/bug?id=e17283eb2f8dcf3dd9b47fe6f67a95f71faadad0
> [2] https://syzkaller.appspot.com/bug?id=8699b6ae54c9f35837d925686208402949e12ef3
> Fixes: 7bf4796dd099 ("nexthops: add support for replace")
> Signed-off-by: Jiayuan Chen <jiayuan.chen@linux.dev>
> ---
>  net/ipv4/nexthop.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
> 


Reviewed-by: David Ahern <dsahern@kernel.org>



* Re: [PATCH net v1 2/2] selftests: fib_nexthops: test stale has_v4 on nexthop replace
  2026-04-13 11:45 ` [PATCH net v1 2/2] selftests: fib_nexthops: test stale has_v4 on nexthop replace Jiayuan Chen
@ 2026-04-13 14:47   ` David Ahern
  0 siblings, 0 replies; 5+ messages in thread
From: David Ahern @ 2026-04-13 14:47 UTC (permalink / raw)
  To: Jiayuan Chen, netdev
  Cc: David S. Miller, Eric Dumazet, Jakub Kicinski, Paolo Abeni,
	Simon Horman, Shuah Khan, linux-kernel, linux-kselftest

On 4/13/26 5:45 AM, Jiayuan Chen wrote:
> Add test cases that exercise the scenario where an IPv6 nexthop is
> replaced with an IPv4 nexthop while being part of a group. The group's
> has_v4 flag must be updated so that subsequent IPv6 route additions are
> properly rejected.
> 
> Two cases are covered:
>   1. Gateway nexthop replaced across families with an existing IPv6
>      route on the group (rejected by fib6_check_nh_list).
>   2. Blackhole nexthop replaced across families with no existing IPv6
>      route on the group (fib6_check_nh_list returns early) — this is
>      the path that triggers a NULL ptr deref without the kernel fix.
> 
> Signed-off-by: Jiayuan Chen <jiayuan.chen@linux.dev>
> ---
>  tools/testing/selftests/net/fib_nexthops.sh | 22 +++++++++++++++++++++
>  1 file changed, 22 insertions(+)
> 

Reviewed-by: David Ahern <dsahern@kernel.org>



* Re: [PATCH net v1 1/2] nexthop: fix IPv6 route referencing IPv4 nexthop
  2026-04-13 11:45 [PATCH net v1 1/2] nexthop: fix IPv6 route referencing IPv4 nexthop Jiayuan Chen
  2026-04-13 11:45 ` [PATCH net v1 2/2] selftests: fib_nexthops: test stale has_v4 on nexthop replace Jiayuan Chen
  2026-04-13 14:46 ` [PATCH net v1 1/2] nexthop: fix IPv6 route referencing IPv4 nexthop David Ahern
@ 2026-04-16 12:00 ` patchwork-bot+netdevbpf
  2 siblings, 0 replies; 5+ messages in thread
From: patchwork-bot+netdevbpf @ 2026-04-16 12:00 UTC (permalink / raw)
  To: Jiayuan Chen
  Cc: netdev, dsahern, davem, edumazet, kuba, pabeni, horms, shuah,
	linux-kernel, linux-kselftest

Hello:

This series was applied to netdev/net.git (main)
by Paolo Abeni <pabeni@redhat.com>:

On Mon, 13 Apr 2026 19:45:19 +0800 you wrote:
> syzbot reported a panic [1] [2].
> 
> When an IPv6 nexthop is replaced with an IPv4 nexthop, the has_v4 flag
> of all groups containing this nexthop is not updated. This is because
> nh_group_v4_update is only called when replacing AF_INET to AF_INET6,
> but the reverse direction (AF_INET6 to AF_INET) is missed.
> 
> [...]

Here is the summary with links:
  - [net,v1,1/2] nexthop: fix IPv6 route referencing IPv4 nexthop
    https://git.kernel.org/netdev/net/c/29c95185ba32
  - [net,v1,2/2] selftests: fib_nexthops: test stale has_v4 on nexthop replace
    https://git.kernel.org/netdev/net/c/104f082f5ed6

You are awesome, thank you!
-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html


