public inbox for netdev@vger.kernel.org
* [PATCH net v2] udp_tunnel: fix NULL deref caused by udp_sock_create6 when CONFIG_IPV6=n
@ 2026-03-17  1:02 Xiang Mei
  2026-03-19  1:30 ` patchwork-bot+netdevbpf
  0 siblings, 1 reply; 2+ messages in thread
From: Xiang Mei @ 2026-03-17  1:02 UTC (permalink / raw)
  To: netdev; +Cc: davem, edumazet, kuba, pabeni, horms, bestswngs, Xiang Mei

When CONFIG_IPV6 is disabled, the udp_sock_create6() function returns 0
(success) without actually creating a socket. Callers such as
fou_create() then proceed to dereference the uninitialized socket
pointer, resulting in a NULL pointer dereference.

The captured NULL deref crash:
  BUG: kernel NULL pointer dereference, address: 0000000000000018
  RIP: 0010:fou_nl_add_doit (net/ipv4/fou_core.c:590 net/ipv4/fou_core.c:764)
  [...]
  Call Trace:
    <TASK>
    genl_family_rcv_msg_doit.constprop.0 (net/netlink/genetlink.c:1114)
    genl_rcv_msg (net/netlink/genetlink.c:1194 net/netlink/genetlink.c:1209)
    [...]
    netlink_rcv_skb (net/netlink/af_netlink.c:2550)
    genl_rcv (net/netlink/genetlink.c:1219)
    netlink_unicast (net/netlink/af_netlink.c:1319 net/netlink/af_netlink.c:1344)
    netlink_sendmsg (net/netlink/af_netlink.c:1894)
    __sock_sendmsg (net/socket.c:727 (discriminator 1) net/socket.c:742 (discriminator 1))
    __sys_sendto (./include/linux/file.h:62 (discriminator 1) ./include/linux/file.h:83 (discriminator 1) net/socket.c:2183 (discriminator 1))
    __x64_sys_sendto (net/socket.c:2213 (discriminator 1) net/socket.c:2209 (discriminator 1) net/socket.c:2209 (discriminator 1))
    do_syscall_64 (arch/x86/entry/syscall_64.c:63 (discriminator 1) arch/x86/entry/syscall_64.c:94 (discriminator 1))
    entry_SYSCALL_64_after_hwframe (net/arch/x86/entry/entry_64.S:130)

This patch makes udp_sock_create6 return -EPFNOSUPPORT instead, so
callers correctly take their error paths. There is only one caller of
the vulnerable function and only privileged users can trigger it.

Fixes: fd384412e199b ("udp_tunnel: Seperate ipv6 functions into its own file.")
Reported-by: Weiming Shi <bestswngs@gmail.com>
Signed-off-by: Xiang Mei <xmei5@asu.edu>
---
 include/net/udp_tunnel.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/include/net/udp_tunnel.h b/include/net/udp_tunnel.h
index d9c6d04bb3b5..fc1fc43345b5 100644
--- a/include/net/udp_tunnel.h
+++ b/include/net/udp_tunnel.h
@@ -52,7 +52,7 @@ int udp_sock_create6(struct net *net, struct udp_port_cfg *cfg,
 static inline int udp_sock_create6(struct net *net, struct udp_port_cfg *cfg,
 				   struct socket **sockp)
 {
-	return 0;
+	return -EPFNOSUPPORT;
 }
 #endif
 
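Review bot: the stub now returns -EPFNOSUPPORT but still leaves *sockp untouched, so the "0 means a socket was created" contract is enforced only through the return code; adding `*sockp = NULL;` before `return -EPFNOSUPPORT;` would also protect any caller that reads the pointer after a failed call instead of checking rc first (the fou caller in the trace dereferenced it precisely because it trusted rc == 0). The commit message should also say why -EPFNOSUPPORT was chosen over -EAFNOSUPPORT, so reviewers can check it is consistent with the value the family-dispatch wrapper in this header returns for an unsupported family.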
-- 
2.43.0

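The failure mode described in the commit message, a config-dependent stub that reports success without producing its output, is easy to reproduce outside the kernel. The following is an added example written for this page, not code from the patch or from the kernel: a userspace mock in which the struct and function names (struct socket, struct udp_port_cfg, udp_sock_create4, udp_sock_create6_before/after, udp_sock_create, fou_create_like, run_case) are stand-ins modelled on the kernel names for readability only. The dispatcher and the fou-style caller are simplified assumptions; the -EFAULT sentinel stands in for the NULL dereference the real caller would hit, so the program can show both stub versions side by side without crashing.

```c
/* Added example: userspace mock of the CONFIG_IPV6=n stub pattern.
 * Names mirror the kernel's for readability but these are not the
 * kernel's definitions. Constructed for illustration only. */
#include <errno.h>
#include <stdlib.h>

#ifndef AF_INET
#define AF_INET 2
#endif
#ifndef AF_INET6
#define AF_INET6 10
#endif

struct socket {
	int family;
	unsigned short port;
};

struct udp_port_cfg {
	int family;
	unsigned short local_udp_port;
};

typedef int (*create6_fn)(struct udp_port_cfg *cfg, struct socket **sockp);

/* Mock IPv4 path: on success it always hands back a socket. */
static int udp_sock_create4(struct udp_port_cfg *cfg, struct socket **sockp)
{
	struct socket *sock = calloc(1, sizeof(*sock));

	if (!sock)
		return -ENOMEM;
	sock->family = AF_INET;
	sock->port = cfg->local_udp_port;
	*sockp = sock;
	return 0;
}

/* Before the fix: "success" with *sockp never written. */
static int udp_sock_create6_before(struct udp_port_cfg *cfg, struct socket **sockp)
{
	(void)cfg;
	(void)sockp;
	return 0;
}

/* After the fix: refuse the family so the caller takes its error path. */
static int udp_sock_create6_after(struct udp_port_cfg *cfg, struct socket **sockp)
{
	(void)cfg;
	(void)sockp;
	return -EPFNOSUPPORT;
}

/* Assumed family dispatcher; the IPv6 stub is injected so both versions
 * can be exercised from the same caller. */
static int udp_sock_create(struct udp_port_cfg *cfg, struct socket **sockp,
			   create6_fn create6)
{
	if (cfg->family == AF_INET)
		return udp_sock_create4(cfg, sockp);
	if (cfg->family == AF_INET6)
		return create6(cfg, sockp);
	return -EPFNOSUPPORT;
}

/* Caller in the style of fou_create(): trusts rc == 0 and then uses the
 * socket. Returns the bound port on success, a negative errno on failure,
 * and -EFAULT (a sentinel for this example) where the kernel caller would
 * have dereferenced NULL. */
static int fou_create_like(struct udp_port_cfg *cfg, create6_fn create6)
{
	struct socket *sock = NULL;
	int rc, port;

	rc = udp_sock_create(cfg, &sock, create6);
	if (rc < 0)
		return rc;		/* error path the fix makes reachable */
	if (!sock)
		return -EFAULT;		/* the NULL deref, made observable */
	port = sock->port;
	free(sock);
	return port;
}

/* Drive one scenario: fixed == 0 uses the pre-fix stub, 1 the post-fix one. */
int run_case(int family, unsigned short port, int fixed)
{
	struct udp_port_cfg cfg = { .family = family, .local_udp_port = port };

	return fou_create_like(&cfg, fixed ? udp_sock_create6_after
					   : udp_sock_create6_before);
}
```

With the pre-fix stub, run_case(AF_INET6, ...) reaches the -EFAULT sentinel: rc was 0, the pointer was never set. With the post-fix stub the same call returns -EPFNOSUPPORT before the pointer is touched, while the AF_INET path is unaffected. The general rule the example illustrates is that a stub compiled in for a disabled feature must either fully honour the function's output contract or return an error; a silent `return 0;` does neither.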


* Re: [PATCH net v2] udp_tunnel: fix NULL deref caused by udp_sock_create6 when CONFIG_IPV6=n
  2026-03-17  1:02 [PATCH net v2] udp_tunnel: fix NULL deref caused by udp_sock_create6 when CONFIG_IPV6=n Xiang Mei
@ 2026-03-19  1:30 ` patchwork-bot+netdevbpf
  0 siblings, 0 replies; 2+ messages in thread
From: patchwork-bot+netdevbpf @ 2026-03-19  1:30 UTC (permalink / raw)
  To: Xiang Mei; +Cc: netdev, davem, edumazet, kuba, pabeni, horms, bestswngs

Hello:

This patch was applied to netdev/net.git (main)
by Jakub Kicinski <kuba@kernel.org>:

On Mon, 16 Mar 2026 18:02:41 -0700 you wrote:
> When CONFIG_IPV6 is disabled, the udp_sock_create6() function returns 0
> (success) without actually creating a socket. Callers such as
> fou_create() then proceed to dereference the uninitialized socket
> pointer, resulting in a NULL pointer dereference.
> 
> The captured NULL deref crash:
>   BUG: kernel NULL pointer dereference, address: 0000000000000018
>   RIP: 0010:fou_nl_add_doit (net/ipv4/fou_core.c:590 net/ipv4/fou_core.c:764)
>   [...]
>   Call Trace:
>     <TASK>
>     genl_family_rcv_msg_doit.constprop.0 (net/netlink/genetlink.c:1114)
>     genl_rcv_msg (net/netlink/genetlink.c:1194 net/netlink/genetlink.c:1209)
>     [...]
>     netlink_rcv_skb (net/netlink/af_netlink.c:2550)
>     genl_rcv (net/netlink/genetlink.c:1219)
>     netlink_unicast (net/netlink/af_netlink.c:1319 net/netlink/af_netlink.c:1344)
>     netlink_sendmsg (net/netlink/af_netlink.c:1894)
>     __sock_sendmsg (net/socket.c:727 (discriminator 1) net/socket.c:742 (discriminator 1))
>     __sys_sendto (./include/linux/file.h:62 (discriminator 1) ./include/linux/file.h:83 (discriminator 1) net/socket.c:2183 (discriminator 1))
>     __x64_sys_sendto (net/socket.c:2213 (discriminator 1) net/socket.c:2209 (discriminator 1) net/socket.c:2209 (discriminator 1))
>     do_syscall_64 (arch/x86/entry/syscall_64.c:63 (discriminator 1) arch/x86/entry/syscall_64.c:94 (discriminator 1))
>     entry_SYSCALL_64_after_hwframe (net/arch/x86/entry/entry_64.S:130)
> 
> [...]

Here is the summary with links:
  - [net,v2] udp_tunnel: fix NULL deref caused by udp_sock_create6 when CONFIG_IPV6=n
    https://git.kernel.org/netdev/net/c/b3a6df291fec

You are awesome, thank you!
-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html



