From: Andrea Mayer
To: "David S . Miller", David Ahern, Eric Dumazet, Jakub Kicinski, Paolo Abeni, Simon Horman
Cc: Alexander Aring, Justin Iurman, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org, stefano.salsano@uniroma2.it, Andrea Mayer
Subject: [PATCH net] ipv6: rpl: add NULL check for idev in ipv6_rpl_srh_rcv()
Date: Wed, 29 Apr 2026 00:48:16 +0200
Message-Id: <20260428224816.11223-1-andrea.mayer@uniroma2.it>
X-Mailer: git-send-email 2.20.1
X-Mailing-List: netdev@vger.kernel.org

ipv6_rpl_srh_rcv() dereferences idev from __in6_dev_get() without a NULL check when reading idev->cnf.rpl_seg_enabled. When the device's MTU drops below IPV6_MIN_MTU, addrconf_ifdown() clears dev->ip6_ptr through RCU_INIT_POINTER(), which is immediately visible to concurrent readers. A packet that already passed the idev check in ip6_rcv_core() can race with this and hit a NULL pointer dereference.

Reproduced by flooding traffic through a route with RPL source routing while rapidly flapping the receiving interface's MTU between 1500 and 1200:

  BUG: KASAN: null-ptr-deref in ipv6_rpl_srh_rcv+0xae/0x1050
  Read of size 4 at addr 00000000000006b4 by task ping6/318

  CPU: 0 UID: 0 PID: 318 Comm: ping6 Not tainted 7.1.0-rc1-micro-vm-dev-g46f74a3f7d57 #82 PREEMPT(full)
  Call Trace:
   kasan_report+0xc6/0x100
   ipv6_rpl_srh_rcv+0xae/0x1050
   ip6_protocol_deliver_rcu+0x717/0x960
   ip6_input_finish+0xa3/0x1b0
   ip6_input+0xdc/0x490
   ipv6_rcv+0x338/0x460
   __netif_receive_skb_one_core+0xd1/0x130
   process_backlog+0x2c7/0x9f0
   __napi_poll.constprop.0+0x51/0x270
   net_rx_action+0x322/0x730
   handle_softirqs+0x119/0x640
   do_softirq+0xae/0xe0

Add a NULL check for idev after __in6_dev_get() and drop the skb if idev is NULL, consistent with the SRv6 fix in commit 064137935262 ("ipv6: add NULL checks for idev in SRv6 paths").

Fixes: 8610c7c6e3bd ("net: ipv6: add support for rpl sr exthdr")
Cc: stable@vger.kernel.org
Signed-off-by: Andrea Mayer
--- net/ipv6/exthdrs.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/net/ipv6/exthdrs.c b/net/ipv6/exthdrs.c index 03cbce842c1a..e398a8851031 100644 --- a/net/ipv6/exthdrs.c +++ b/net/ipv6/exthdrs.c @@ -499,6 +499,10 @@ static int ipv6_rpl_srh_rcv(struct sk_buff *skb) u32 r; idev = __in6_dev_get(skb->dev); + if (!idev) { + kfree_skb(skb); + return -1; + } accept_rpl_seg = min(READ_ONCE(net->ipv6.devconf_all->rpl_seg_enabled), READ_ONCE(idev->cnf.rpl_seg_enabled)); -- 2.20.1
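
Review bot: the new `if (!idev)` branch in ipv6_rpl_srh_rcv() has no comment saying why idev can be NULL at this point, and a later reader could take the check for redundant with the idev check in ip6_rcv_core() that the commit message mentions. A one-line comment above the check naming the race with addrconf_ifdown() would record that. The branch also drops the packet with plain `kfree_skb(skb)` and `return -1`, so the drop carries no specific drop reason and updates no counter; `kfree_skb_reason()` with a suitable reason would make these drops visible in drop tracing, though staying identical to the SRv6 fix cited in the commit message is a defensible choice for a patch that is also Cc'd to stable.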