[PATCH AUTOSEL 6.18] ipv4: icmp: fix null-ptr-deref in icmp_build_probe()

public inbox for netdev@vger.kernel.org
 help / color / mirror / Atom feed

From: Sasha Levin <sashal@kernel.org>
To: patches@lists.linux.dev, stable@vger.kernel.org
Cc: Yiqi Sun <sunyiqixm@gmail.com>, Jakub Kicinski <kuba@kernel.org>,
	Sasha Levin <sashal@kernel.org>,
	davem@davemloft.net, dsahern@kernel.org, edumazet@google.com,
	pabeni@redhat.com, andreas.a.roeseler@gmail.com,
	netdev@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH AUTOSEL 6.18] ipv4: icmp: fix null-ptr-deref in icmp_build_probe()
Date: Mon, 20 Apr 2026 09:21:36 -0400	[thread overview]
Message-ID: <20260420132314.1023554-302-sashal@kernel.org> (raw)
In-Reply-To: <20260420132314.1023554-1-sashal@kernel.org>

From: Yiqi Sun <sunyiqixm@gmail.com>

[ Upstream commit fde29fd9349327acc50d19a0b5f3d5a6c964dfd8 ]

ipv6_stub->ipv6_dev_find() may return ERR_PTR(-EAFNOSUPPORT) when the
IPv6 stack is not active (CONFIG_IPV6=m and not loaded), and passing
this error pointer to dev_hold() will cause a kernel crash with
null-ptr-deref.

Instead, silently discard the request. RFC 8335 does not appear to
define a specific response for the case where an IPv6 interface
identifier is syntactically valid but the implementation cannot perform
the lookup at runtime, and silently dropping the request may safer than
misreporting "No Such Interface".

Fixes: d329ea5bd884 ("icmp: add response to RFC 8335 PROBE messages")
Signed-off-by: Yiqi Sun <sunyiqixm@gmail.com>
Link: https://patch.msgid.link/20260402070419.2291578-1-sunyiqixm@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---

LLM Generated explanations, may be completely bogus:

Error: Failed to generate final synthesis

 net/ipv4/icmp.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/net/ipv4/icmp.c b/net/ipv4/icmp.c
index b39176b620785..980aa17f3534d 100644
--- a/net/ipv4/icmp.c
+++ b/net/ipv4/icmp.c
@@ -1145,6 +1145,13 @@ bool icmp_build_probe(struct sk_buff *skb, struct icmphdr *icmphdr)
 			if (iio->ident.addr.ctype3_hdr.addrlen != sizeof(struct in6_addr))
 				goto send_mal_query;
 			dev = ipv6_stub->ipv6_dev_find(net, &iio->ident.addr.ip_addr.ipv6_addr, dev);
+			/*
+			 * If IPv6 identifier lookup is unavailable, silently
+			 * discard the request instead of misreporting NO_IF.
+			 */
+			if (IS_ERR(dev))
+				return false;
+
 			dev_hold(dev);
 			break;
 #endif
-- 
2.53.0

next prev parent reply	other threads:[~2026-04-20 13:32 UTC|newest]

Thread overview: 62+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
     [not found] <20260420132314.1023554-1-sashal@kernel.org>
2026-04-20 13:16 ` [PATCH AUTOSEL 7.0-5.10] FDDI: defxx: Rate-limit memory allocation errors Sasha Levin
2026-04-20 13:16 ` [PATCH AUTOSEL 6.18] xsk: fix XDP_UMEM_SG_FLAG issues Sasha Levin
2026-04-20 13:17 ` [PATCH AUTOSEL 7.0-5.10] net: rose: reject truncated CLEAR_REQUEST frames in state machines Sasha Levin
2026-04-20 13:17 ` [PATCH AUTOSEL 6.18] netfilter: nfnetlink_queue: nfqnl_instance GFP_ATOMIC -> GFP_KERNEL_ACCOUNT allocation Sasha Levin
2026-04-20 13:17 ` [PATCH AUTOSEL 7.0-6.18] net: mana: hardening: Validate adapter_mtu from MANA_QUERY_DEV_CONFIG Sasha Levin
2026-04-20 13:17 ` [PATCH AUTOSEL 7.0-5.10] enic: add V2 SR-IOV VF device ID Sasha Levin
2026-04-20 13:17 ` [PATCH AUTOSEL 7.0-6.6] ipv6: move IFA_F_PERMANENT percpu allocation in process scope Sasha Levin
2026-04-20 13:17 ` [PATCH AUTOSEL 6.18] netfilter: nfnetlink_log: initialize nfgenmsg in NLMSG_DONE terminator Sasha Levin
2026-04-20 13:17 ` [PATCH AUTOSEL 6.18] net: increase IP_TUNNEL_RECURSION_LIMIT to 5 Sasha Levin
2026-04-20 13:17 ` [PATCH AUTOSEL 7.0-6.1] net: lan743x: fix SGMII detection on PCI1xxxx B0+ during warm reset Sasha Levin
2026-04-20 13:17 ` [PATCH AUTOSEL 7.0-5.10] vmxnet3: Suppress page allocation warning for massive Rx Data ring Sasha Levin
2026-04-20 13:17 ` [PATCH AUTOSEL 6.18] xfrm: Wait for RCU readers during policy netns exit Sasha Levin
2026-04-20 13:18 ` [PATCH AUTOSEL 6.18] ixgbe: stop re-reading flash on every get_drvinfo for e610 Sasha Levin
2026-04-20 13:18 ` [PATCH AUTOSEL 6.18] devlink: Fix incorrect skb socket family dumping Sasha Levin
2026-04-20 13:18 ` [PATCH AUTOSEL 7.0-6.12] net: sfp: add quirk for ZOERAX SFP-2.5G-T Sasha Levin
2026-04-20 13:18 ` [PATCH AUTOSEL 7.0-6.18] ipv6: discard fragment queue earlier if there is malformed datagram Sasha Levin
2026-04-20 13:18 ` [PATCH AUTOSEL 6.18] af_unix: read UNIX_DIAG_VFS data under unix_state_lock Sasha Levin
2026-04-20 13:18 ` [PATCH AUTOSEL 6.18] ipv4: nexthop: allocate skb dynamically in rtm_get_nexthop() Sasha Levin
2026-04-20 13:18 ` [PATCH AUTOSEL 6.18] xfrm: fix refcount leak in xfrm_migrate_policy_find Sasha Levin
2026-04-20 13:18 ` [PATCH AUTOSEL 6.18] selftests: net: bridge_vlan_mcast: wait for h1 before querier check Sasha Levin
2026-04-20 13:18 ` [PATCH AUTOSEL 6.18] xsk: tighten UMEM headroom validation to account for tailroom and min frame Sasha Levin
2026-04-20 13:18 ` [PATCH AUTOSEL 7.0-5.15] gve: fix SW coalescing when hw-GRO is used Sasha Levin
2026-04-20 13:19 ` [PATCH AUTOSEL 6.18] netfilter: ip6t_eui64: reject invalid MAC header for all packets Sasha Levin
2026-04-20 13:19 ` [PATCH AUTOSEL 6.18] l2tp: Drop large packets with UDP encap Sasha Levin
2026-04-20 13:19 ` [PATCH AUTOSEL 7.0-5.10] net: ethernet: ravb: Disable interrupts when closing device Sasha Levin
2026-04-20 13:19 ` [PATCH AUTOSEL 7.0] dsa: tag_mxl862xx: set dsa_default_offload_fwd_mark() Sasha Levin
2026-04-20 13:34   ` Daniel Golle
2026-04-20 13:19 ` [PATCH AUTOSEL 7.0-6.1] ipv4: validate IPV4_DEVCONF attributes properly Sasha Levin
2026-04-20 13:19 ` [PATCH AUTOSEL 6.18] ipv4: nexthop: avoid duplicate NHA_HW_STATS_ENABLE on nexthop group dump Sasha Levin
2026-04-20 13:19 ` [PATCH AUTOSEL 6.18] net: ipa: fix event ring index not programmed for IPA v5.0+ Sasha Levin
2026-04-20 13:19 ` [PATCH AUTOSEL 7.0-5.10] net: core: allow netdev_upper_get_next_dev_rcu from bh context Sasha Levin
2026-04-20 13:19 ` [PATCH AUTOSEL 6.18] net: txgbe: leave space for null terminators on property_entry Sasha Levin
2026-04-20 13:19 ` [PATCH AUTOSEL 7.0-5.10] net: initialize sk_rx_queue_mapping in sk_clone() Sasha Levin
2026-04-20 13:19 ` [PATCH AUTOSEL 7.0-6.19] gve: Advertise NETIF_F_GRO_HW instead of NETIF_F_LRO Sasha Levin
2026-04-20 13:19 ` [PATCH AUTOSEL 6.18] netfilter: conntrack: add missing netlink policy validations Sasha Levin
2026-04-20 13:19 ` [PATCH AUTOSEL 6.18] rtnetlink: add missing netlink_ns_capable() check for peer netns Sasha Levin
2026-04-20 13:19 ` [PATCH AUTOSEL 6.18] ipv6: ioam: fix potential NULL dereferences in __ioam6_fill_trace_data() Sasha Levin
2026-04-20 13:20 ` [PATCH AUTOSEL 7.0-6.1] net: sched: cls_u32: Avoid memcpy() false-positive warning in u32_init_knode() Sasha Levin
2026-04-20 13:20 ` [PATCH AUTOSEL 6.18] xsk: respect tailroom for ZC setups Sasha Levin
2026-04-20 13:20 ` [PATCH AUTOSEL 7.0-6.18] tcp: use WRITE_ONCE() for tsoffset in tcp_v6_connect() Sasha Levin
2026-04-20 13:20 ` [PATCH AUTOSEL 6.18] net: mdio: realtek-rtl9300: use scoped device_for_each_child_node loop Sasha Levin
2026-04-20 13:20 ` [PATCH AUTOSEL 7.0-6.12] net: ethernet: mtk_eth_soc: avoid writing to ESW registers on MT7628 Sasha Levin
2026-04-20 13:20 ` [PATCH AUTOSEL 6.18] ipvs: fix NULL deref in ip_vs_add_service error path Sasha Levin
2026-04-20 13:20 ` [PATCH AUTOSEL 7.0-6.18] net: hsr: emit notification for PRP slave2 changed hw addr on port deletion Sasha Levin
2026-04-20 13:20 ` [PATCH AUTOSEL 7.0-5.10] net: hamradio: scc: validate bufsize in SIOCSCCSMEM ioctl Sasha Levin
2026-04-20 13:20 ` [PATCH AUTOSEL 6.18] xfrm: account XFRMA_IF_ID in aevent size calculation Sasha Levin
2026-04-20 13:20 ` [PATCH AUTOSEL 6.18] netfilter: nft_set_pipapo_avx2: don't return non-matching entry on expiry Sasha Levin
2026-04-20 13:20 ` [PATCH AUTOSEL 6.18] bridge: guard local VLAN-0 FDB helpers against NULL vlan group Sasha Levin
2026-04-20 13:21 ` [PATCH AUTOSEL 7.0-5.10] net: hamradio: bpqether: validate frame length in bpq_rcv() Sasha Levin
2026-04-20 13:21 ` [PATCH AUTOSEL 6.18] netfilter: ctnetlink: ensure safe access to master conntrack Sasha Levin
2026-04-20 13:21 ` [PATCH AUTOSEL 7.0-6.18] hinic3: Add msg_send_lock for message sending concurrecy Sasha Levin
2026-04-20 13:21 ` [PATCH AUTOSEL 7.0] netfilter: require Ethernet MAC header before using eth_hdr() Sasha Levin
2026-04-20 13:21 ` [PATCH AUTOSEL 6.18] net: sched: act_csum: validate nested VLAN headers Sasha Levin
2026-04-20 13:21 ` [PATCH AUTOSEL 6.18] net: ipa: fix GENERIC_CMD register field masks for IPA v5.0+ Sasha Levin
2026-04-20 13:21 ` [PATCH AUTOSEL 6.18] dt-bindings: net: Fix Tegra234 MGBE PTP clock Sasha Levin
2026-04-20 13:21 ` [PATCH AUTOSEL 6.18] net: ioam6: fix OOB and missing lock Sasha Levin
2026-04-20 13:21 ` Sasha Levin [this message]
2026-04-20 13:21 ` [PATCH AUTOSEL 6.18] nfc: s3fwrn5: allocate rx skb before consuming bytes Sasha Levin
2026-04-20 13:21 ` [PATCH AUTOSEL 6.18] xsk: validate MTU against usable frame size on bind Sasha Levin
2026-04-20 13:21 ` [PATCH AUTOSEL 6.18] xfrm_user: fix info leak in build_mapping() Sasha Levin
2026-04-20 13:22 ` [PATCH AUTOSEL 6.18] net: lapbether: handle NETDEV_PRE_TYPE_CHANGE Sasha Levin
2026-04-20 13:22 ` [PATCH AUTOSEL 6.18] net: airoha: Fix memory leak in airoha_qdma_rx_process() Sasha Levin

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:b39176b62078 dfblob:980aa17f3534 )
 OR (
bs:"[PATCH AUTOSEL 6.18] ipv4: icmp: fix null-ptr-deref in icmp_build_probe()" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260420132314.1023554-302-sashal@kernel.org \
    --to=sashal@kernel.org \
    --cc=andreas.a.roeseler@gmail.com \
    --cc=davem@davemloft.net \
    --cc=dsahern@kernel.org \
    --cc=edumazet@google.com \
    --cc=kuba@kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=netdev@vger.kernel.org \
    --cc=pabeni@redhat.com \
    --cc=patches@lists.linux.dev \
    --cc=stable@vger.kernel.org \
    --cc=sunyiqixm@gmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox