From: Daniel Borkmann
Date: Mon, 2 Mar 2026 06:58:46 +0100
Subject: Re: [PATCH net 1/3] bpf: bpf_out_neigh_v4: Fix nd_tbl NULL dereference when IPv6 is disabled
To: Ricardo B. Marlière, Martin KaFai Lau, John Fastabend, Stanislav Fomichev, Alexei Starovoitov, Andrii Nakryiko, Eduard Zingerman, Song Liu, Yonghong Song, KP Singh, Hao Luo, Jiri Olsa, "David S. Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni, Simon Horman, Toke Høiland-Jørgensen, David Ahern, Jay Vosburgh, Andrew Lunn, Hangbin Liu
Cc: Fernando Fernandez Mancera, bpf@vger.kernel.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org
Message-ID: <0b52257d-d557-4f26-9931-34c81ab621bc@iogearbox.net>
References: <20260228-net-nd_tbl_fixes-v1-0-2b2a274df9bb@suse.com> <20260228-net-nd_tbl_fixes-v1-1-2b2a274df9bb@suse.com>
In-Reply-To: <20260228-net-nd_tbl_fixes-v1-1-2b2a274df9bb@suse.com>

Hi Ricardo,

On 2/28/26 6:46 PM, Ricardo B. Marlière wrote:
> When booting with the 'ipv6.disable=1' parameter, the nd_tbl is never
> initialized because inet6_init() exits before ndisc_init() is called which
> initializes it. If bpf_redirect_neigh() is called from tc with an explicit
> nexthop of nh_family == AF_INET6, bpf_out_neigh_v4() takes the AF_INET6
> branch and calls ip_neigh_gw6(), which relies on ipv6_stub->nd_tbl.
>
> BUG: kernel NULL pointer dereference, address: 0000000000000248
> Oops: Oops: 0000 [#1] SMP NOPTI
> RIP: 0010:skb_do_redirect+0xb93/0xf00
> Call Trace:
>
> ? srso_alias_return_thunk+0x5/0xfbef5
> ? __tcf_classify.constprop.0+0x83/0x160
> ? srso_alias_return_thunk+0x5/0xfbef5
> ? tcf_classify+0x2b/0x50
> ? srso_alias_return_thunk+0x5/0xfbef5
> ? tc_run+0xb8/0x120
> ? srso_alias_return_thunk+0x5/0xfbef5
> __dev_queue_xmit+0x6fa/0x1000
> ? srso_alias_return_thunk+0x5/0xfbef5
> ? srso_alias_return_thunk+0x5/0xfbef5
> ? alloc_skb_with_frags+0x58/0x200
> packet_sendmsg+0x10da/0x1700
> ? srso_alias_return_thunk+0x5/0xfbef5
> __sys_sendto+0x1f3/0x220
> __x64_sys_sendto+0x24/0x30
> do_syscall_64+0x101/0xf80
> ? exc_page_fault+0x6e/0x170
> ? srso_alias_return_thunk+0x5/0xfbef5
> entry_SYSCALL_64_after_hwframe+0x77/0x7f
>
>
> Fix this by adding an early check in the AF_INET6 branch of
> bpf_out_neigh_v4(). If ipv6_stub->nd_tbl is NULL, unlock RCU and drop the
> packet.
>
> Suggested-by: Fernando Fernandez Mancera
> Fixes: ba452c9e996d ("bpf: Fix bpf_redirect_neigh helper api to support supplying nexthop")
> Signed-off-by: Ricardo B. Marlière
> ---
> net/core/filter.c | 4 ++++
> 1 file changed, 4 insertions(+)
>
> diff --git a/net/core/filter.c b/net/core/filter.c > index 0d5d5a17acb2..9ab2fae3a0d9 100644 > --- a/net/core/filter.c > +++ b/net/core/filter.c > @@ -2335,6 +2335,10 @@ static int bpf_out_neigh_v4(struct net *net, struct sk_buff *skb, > > neigh = ip_neigh_for_gw(rt, skb, &is_v6gw); > } else if (nh->nh_family == AF_INET6) { > + if (!ipv6_stub->nd_tbl) { > + rcu_read_unlock(); > + goto out_drop; > + }

Can we just completely get rid of allowing IPv6 as a module? So either it's
built-in or not available at all, and then we can get rid of the stub
completely rather than adding checks in various places which also brings
a small performance benefit of not having indirect calls in some places.

Thanks,
Daniel
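
Review bot: the new `if (!ipv6_stub->nd_tbl)` test at the top of the AF_INET6 branch carries no comment, so a reader of net/core/filter.c cannot tell when nd_tbl is NULL; the reason (booting with ipv6.disable=1, where inet6_init() exits before ndisc_init() runs) is only in the commit message. Suggest a one-line comment above the check stating that. Two smaller points on the same lines: the condition is a candidate for unlikely(), since it can only hold when IPv6 was disabled at boot and the call trace shows this runs under __dev_queue_xmit(); and the branch has to call rcu_read_unlock() by hand before `goto out_drop`, so every further early exit added here must repeat that pairing. The hunk does not show the out_drop label, so the value returned to the caller and whether the skb is freed there should be confirmed against the full function.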