From: Fernando Fernandez Mancera <fmancera@suse.de>
To: Guruprasad C P <gurucp2005@gmail.com>, netdev@vger.kernel.org
Subject: Re: [BUG] Kernel Panic in br_do_suppress_nd when ipv6.disable=1 (NULL pointer dereference)
Date: Fri, 27 Feb 2026 00:44:10 +0100
Message-ID: <ee078ea8-dba3-4494-91ff-bcc5907ef689@suse.de>
In-Reply-To: <d71fbf78-4950-42c1-b941-b6356f42c74e@suse.de>

On 2/26/26 4:11 PM, Fernando Fernandez Mancera wrote:
> On 2/26/26 12:14 AM, Guruprasad C P wrote:
>> We have identified a 100% reproducible kernel panic in the bridge
>> driver (|net/bridge/br_arp_nd_proxy.c|) on kernels up to at least 5.15
>> and 6.x.
>>
>> *Description:* The crash occurs when the kernel is booted with
>> |ipv6.disable=1| and a bridge port has |neigh_suppress| enabled. When
>> the bridge receives an ICMPv6 Neighbor Solicitation, it attempts to
>> perform a lookup in the neighbor table via |ipv6_stub->nd_tbl|.
>> Because IPv6 was disabled at boot, |nd_tbl| is NULL, leading to an
>> immediate dereference panic.
>>
>
> This is a nice catch. The key here is that inet6_init() is exiting
> before ndisc_init() is called.
>
> Hm, I wonder if there are more parts of the kernel where this might be a
> problem. I noticed several uses of ipv6_stub->nd_tbl that rely on
> the IS_ENABLED(CONFIG_IPV6) check.
>
> I am writing a patch for this.
>
> Thank you!

Hi,

I have sent a patch fixing this [1].

FWIW, I have created a much simpler reproducer that triggers this
immediately. Check it out below.

[1] https://lore.kernel.org/netdev/20260226234059.19402-1-fmancera@suse.de/

$ cat nd_crash.sh
#!/bin/bash

if [ "$EUID" -ne 0 ]; then
    echo "Root is required"
    exit 1
fi

ip link add name br-crash type bridge
ip link set dev br-crash up

ip link add name dummy-supp type dummy
ip link set dev dummy-supp master br-crash
ip link set dev dummy-supp up

if ! ip link set dev dummy-supp type bridge_slave neigh_suppress 1 2>/dev/null; then
    bridge link set dev dummy-supp neigh_suppress on
fi

ip link add veth-in type veth peer name veth-out
ip link set dev veth-in master br-crash
ip link set dev veth-in up
ip link set dev veth-out up

python3 - <<EOF
from scapy.all import Ether, IPv6, ICMPv6ND_NS, sendp
import time
time.sleep(1)
eth = Ether(dst="33:33:ff:00:00:01", src="00:11:22:33:44:55", type=0x86dd)
ip6 = IPv6(src="fe80::1", dst="ff02::1:ff00:1")
nd = ICMPv6ND_NS(tgt="fe80::2")
packet = eth / ip6 / nd
sendp(packet, iface="veth-out", verbose=False)
EOF

ip link del dev br-crash 2>/dev/null
ip link del dev veth-in 2>/dev/null
ip link del dev dummy-supp 2>/dev/null
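
Added example, not part of the original message or of the kernel patch: a read-only check that reports whether a host matches the two preconditions described in the report (booted with ipv6.disable=1, and at least one bridge port with neigh_suppress enabled). It assumes the per-port flag is readable at /sys/class/net/<port>/brport/neigh_suppress; CMDLINE_FILE and SYSFS_NET are hypothetical override variables introduced here so the functions can be run against test fixtures.

```shell
#!/bin/sh
# Added example: audit a host for the preconditions of the
# br_do_suppress_nd NULL dereference described in this thread.
# CMDLINE_FILE / SYSFS_NET are hypothetical overrides (assumptions).

ipv6_disabled_at_boot() {
    # True when the kernel command line contains ipv6.disable=1
    cmdline=""
    read -r cmdline < "${CMDLINE_FILE:-/proc/cmdline}" || true
    case " $cmdline " in
        *" ipv6.disable=1 "*) return 0 ;;
    esac
    return 1
}

suppress_ports() {
    # Print the name of every bridge port whose neigh_suppress flag is 1
    for f in "${SYSFS_NET:-/sys/class/net}"/*/brport/neigh_suppress; do
        [ -r "$f" ] || continue
        [ "$(cat "$f")" = "1" ] || continue
        port=${f%/brport/neigh_suppress}
        echo "${port##*/}"
    done
}

check_exposure() {
    # Returns 0 only when both preconditions hold at the same time
    ipv6_disabled_at_boot || return 1
    ports=$(suppress_ports)
    [ -n "$ports" ] || return 1
    # $ports is left unquoted on purpose to join the names on one line
    echo "exposed: ipv6.disable=1 and neigh_suppress on:" $ports
    return 0
}

check_exposure || echo "not exposed: preconditions not both present"
```

On a host reported as exposed, disabling neigh_suppress on the listed ports removes the second precondition until a kernel carrying the fix in [1] is installed.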