From: Sabrina Dubroca <sd@queasysnail.net>
To: Purva Yeshi <purvayeshi550@gmail.com>
Cc: "David S . Miller" <davem@davemloft.net>,
David Ahern <dsahern@kernel.org>,
Eric Dumazet <edumazet@google.com>,
Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>,
Simon Horman <horms@kernel.org>,
netdev@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] net: ipv6: Fix NULL dereference in ipv6_route_check_nh
Date: Wed, 26 Mar 2025 13:57:34 +0100 [thread overview]
Message-ID: <Z-P5vvrdA5MHMW_o@krikkit> (raw)
In-Reply-To: <20250326105215.23853-1-purvayeshi550@gmail.com>
2025-03-26, 16:22:15 +0530, Purva Yeshi wrote:
> Fix Smatch-detected error:
> net/ipv6/route.c:3427 ip6_route_check_nh() error:
> we previously assumed '_dev' could be null
I don't think this can actually happen. ip6_route_check_nh only gets
called via fib6_nh_init -> ip6_validate_gw -> ip6_route_check_nh, and
ip6_validate_gw unconditionally does dev = *_dev. Which is fine,
because its only caller (fib6_nh_init) passes &dev, so that can't be
NULL (and same for idev).
> Ensure _dev and idev are checked for NULL before dereferencing in
> ip6_route_check_nh. Assign NULL explicitly when fib_nh_dev is NULL
> to prevent unintended dereferences.
That's a separate issue (if it's really possible - I haven't checked)
than the smatch report you're quoting above. And if it is, it would
deserve a Fixes tag for the commit introducing this code.
>
> Signed-off-by: Purva Yeshi <purvayeshi550@gmail.com>
> ---
> net/ipv6/route.c | 17 ++++++++++++++---
> 1 file changed, 14 insertions(+), 3 deletions(-)
>
> diff --git a/net/ipv6/route.c b/net/ipv6/route.c
> index ef2d23a1e3d5..ad5b3098eba0 100644
> --- a/net/ipv6/route.c
> +++ b/net/ipv6/route.c
> @@ -3424,9 +3424,20 @@ static int ip6_route_check_nh(struct net *net,
> if (dev != res.nh->fib_nh_dev)
> err = -EHOSTUNREACH;
> } else {
> - *_dev = dev = res.nh->fib_nh_dev;
> - netdev_hold(dev, dev_tracker, GFP_ATOMIC);
> - *idev = in6_dev_get(dev);
> + if (res.nh->fib_nh_dev) { /* Ensure fib_nh_dev is valid */
I don't think any of these comments are particularly helpful. It's
pretty clear that you're checking for NULL/setting NULL in all those
cases.
> + dev = res.nh->fib_nh_dev;
> +
> + if (_dev) /* Only assign if _dev is not NULL */
> + *_dev = dev;
> +
> + netdev_hold(dev, dev_tracker, GFP_ATOMIC);
> + *idev = in6_dev_get(dev);
> + } else {
> + if (_dev)
> + *_dev = NULL; /* Explicitly set NULL */
> + if (idev)
> + *idev = NULL; /* Explicitly set NULL */
> + }
> }
>
> return err;
--
Sabrina
next prev parent reply other threads:[~2025-03-26 12:57 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-03-26 10:52 [PATCH] net: ipv6: Fix NULL dereference in ipv6_route_check_nh Purva Yeshi
2025-03-26 12:57 ` Sabrina Dubroca [this message]
2025-03-27 13:41 ` David Ahern
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=Z-P5vvrdA5MHMW_o@krikkit \
--to=sd@queasysnail.net \
--cc=davem@davemloft.net \
--cc=dsahern@kernel.org \
--cc=edumazet@google.com \
--cc=horms@kernel.org \
--cc=kuba@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=purvayeshi550@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).