* [BUG] Potential Null Pointer Dereference in nexthop_create_group Function
@ 2026-02-14 12:17 冯嘉仪
2026-02-14 12:35 ` Eric Dumazet
0 siblings, 1 reply; 5+ messages in thread
From: 冯嘉仪 @ 2026-02-14 12:17 UTC (permalink / raw)
To: dsahern; +Cc: davem, edumazet, kuba, pabeni, netdev, linux-kernel
Dear Maintainer,
Our team recently developed a null-pointer-dereference (NPD) vulnerability detection tool, and we used it to scan the Linux Kernel (version 6.9.6). After manual review, we identified a potentially vulnerable code snippet that could lead to a null-pointer dereference bug. We would appreciate your expert insight to confirm whether this vulnerability could indeed pose a risk to the system.
Vulnerability Description:
File: net/ipv4/nexthop.c
In the function nexthop_create_group, we found the following line of code:
if (!nexthop_get(nhe)) {
The issue arises because the nhe pointer may be passed as NULL in certain situations. The statement passes the nhe pointer to nexthop_get without any check, but nexthop_get might contain a dereference operation on the nhe pointer, which could result in a null-pointer dereference.
Proposed Fix:
To prevent the potential null-pointer dereference, we suggest adding a NULL check for the nhe pointer before attempting to pass the pointer to nexthop_get.
Request for Review:
We would appreciate your expert insight to confirm whether this vulnerability indeed poses a risk to the system, and if the proposed fix is appropriate. If there are reasons why this issue does not present a real risk (e.g., the NULL check is redundant or unnecessary), we would be grateful for clarification.
Thank you for your time and consideration.
^ permalink raw reply [flat|nested] 5+ messages in thread* Re: [BUG] Potential Null Pointer Dereference in nexthop_create_group Function
2026-02-14 12:17 [BUG] Potential Null Pointer Dereference in nexthop_create_group Function 冯嘉仪
@ 2026-02-14 12:35 ` Eric Dumazet
2026-02-14 12:37 ` Eric Dumazet
0 siblings, 1 reply; 5+ messages in thread
From: Eric Dumazet @ 2026-02-14 12:35 UTC (permalink / raw)
To: 冯嘉仪
Cc: dsahern, davem, kuba, pabeni, netdev, linux-kernel
On Sat, Feb 14, 2026 at 1:17 PM 冯嘉仪 <23210240148@m.fudan.edu.cn> wrote:
>
> Dear Maintainer,
>
> Our team recently developed a null-pointer-dereference (NPD) vulnerability detection tool, and we used it to scan the Linux Kernel (version 6.9.6). After manual review, we identified a potentially vulnerable code snippet that could lead to a null-pointer dereference bug. We would appreciate your expert insight to confirm whether this vulnerability could indeed pose a risk to the system.
>
> Vulnerability Description:
> File: net/ipv4/nexthop.c
> In the function nexthop_create_group, we found the following line of code:
>
> if (!nexthop_get(nhe)) {
>
> The issue arises because the nhe pointer may be passed as NULL in certain situations. The statement passes the nhe pointer to nexthop_get without any check, but nexthop_get might contain a dereference operation on the nhe pointer, which could result in a null-pointer dereference.
>
> Proposed Fix:
> To prevent the potential null-pointer dereference, we suggest adding a NULL check for the nhe pointer before attempting to pass the pointer to nexthop_get.
>
> Request for Review:
> We would appreciate your expert insight to confirm whether this vulnerability indeed poses a risk to the system, and if the proposed fix is appropriate. If there are reasons why this issue does not present a real risk (e.g., the NULL check is redundant or unnecessary), we would be grateful for clarification.
>
> Thank you for your time and consideration.
This seems legit, I am not sure why syzbot did not find it yet.
diff --git a/net/ipv4/nexthop.c b/net/ipv4/nexthop.c
index 7b9d70f9b31c7ae6b2039cb321845b852bc81a33..1e77c241e8e1d111c75f3b12e33ea41088780fd5
100644
--- a/net/ipv4/nexthop.c
+++ b/net/ipv4/nexthop.c
@@ -2742,7 +2742,7 @@ static struct nexthop
*nexthop_create_group(struct net *net,
struct nh_info *nhi;
nhe = nexthop_find_by_id(net, entry[i].id);
- if (!nexthop_get(nhe)) {
+ if (!nh || !nexthop_get(nhe)) {
err = -ENOENT;
goto out_no_nh;
}
^ permalink raw reply [flat|nested] 5+ messages in thread* Re: [BUG] Potential Null Pointer Dereference in nexthop_create_group Function
2026-02-14 12:35 ` Eric Dumazet
@ 2026-02-14 12:37 ` Eric Dumazet
2026-02-14 16:16 ` David Ahern
0 siblings, 1 reply; 5+ messages in thread
From: Eric Dumazet @ 2026-02-14 12:37 UTC (permalink / raw)
To: 冯嘉仪
Cc: dsahern, davem, kuba, pabeni, netdev, linux-kernel
On Sat, Feb 14, 2026 at 1:35 PM Eric Dumazet <edumazet@google.com> wrote:
>
> On Sat, Feb 14, 2026 at 1:17 PM 冯嘉仪 <23210240148@m.fudan.edu.cn> wrote:
> >
> > Dear Maintainer,
> >
> > Our team recently developed a null-pointer-dereference (NPD) vulnerability detection tool, and we used it to scan the Linux Kernel (version 6.9.6). After manual review, we identified a potentially vulnerable code snippet that could lead to a null-pointer dereference bug. We would appreciate your expert insight to confirm whether this vulnerability could indeed pose a risk to the system.
> >
> > Vulnerability Description:
> > File: net/ipv4/nexthop.c
> > In the function nexthop_create_group, we found the following line of code:
> >
> > if (!nexthop_get(nhe)) {
> >
> > The issue arises because the nhe pointer may be passed as NULL in certain situations. The statement passes the nhe pointer to nexthop_get without any check, but nexthop_get might contain a dereference operation on the nhe pointer, which could result in a null-pointer dereference.
> >
> > Proposed Fix:
> > To prevent the potential null-pointer dereference, we suggest adding a NULL check for the nhe pointer before attempting to pass the pointer to nexthop_get.
> >
> > Request for Review:
> > We would appreciate your expert insight to confirm whether this vulnerability indeed poses a risk to the system, and if the proposed fix is appropriate. If there are reasons why this issue does not present a real risk (e.g., the NULL check is redundant or unnecessary), we would be grateful for clarification.
> >
> > Thank you for your time and consideration.
>
> This seems legit, I am not sure why syzbot did not find it yet.
>
typo in @nhe. Should have been
diff --git a/net/ipv4/nexthop.c b/net/ipv4/nexthop.c
index 7b9d70f9b31c7ae6b2039cb321845b852bc81a33..36c58e4d5f0044e43498ea915ee2079864fab1e2
100644
--- a/net/ipv4/nexthop.c
+++ b/net/ipv4/nexthop.c
@@ -2742,7 +2742,7 @@ static struct nexthop
*nexthop_create_group(struct net *net,
struct nh_info *nhi;
nhe = nexthop_find_by_id(net, entry[i].id);
- if (!nexthop_get(nhe)) {
+ if (!nhe || !nexthop_get(nhe)) {
err = -ENOENT;
goto out_no_nh;
}
^ permalink raw reply [flat|nested] 5+ messages in thread* Re: [BUG] Potential Null Pointer Dereference in nexthop_create_group Function
2026-02-14 12:37 ` Eric Dumazet
@ 2026-02-14 16:16 ` David Ahern
0 siblings, 0 replies; 5+ messages in thread
From: David Ahern @ 2026-02-14 16:16 UTC (permalink / raw)
To: Eric Dumazet, 冯嘉仪
Cc: davem, kuba, pabeni, netdev, linux-kernel
On 2/14/26 5:37 AM, Eric Dumazet wrote:
> On Sat, Feb 14, 2026 at 1:35 PM Eric Dumazet <edumazet@google.com> wrote:
>>
>> On Sat, Feb 14, 2026 at 1:17 PM 冯嘉仪 <23210240148@m.fudan.edu.cn> wrote:
>>>
>>> Dear Maintainer,
>>>
>>> Our team recently developed a null-pointer-dereference (NPD) vulnerability detection tool, and we used it to scan the Linux Kernel (version 6.9.6). After manual review, we identified a potentially vulnerable code snippet that could lead to a null-pointer dereference bug. We would appreciate your expert insight to confirm whether this vulnerability could indeed pose a risk to the system.
>>>
>>> Vulnerability Description:
>>> File: net/ipv4/nexthop.c
>>> In the function nexthop_create_group, we found the following line of code:
>>>
>>> if (!nexthop_get(nhe)) {
>>>
>>> The issue arises because the nhe pointer may be passed as NULL in certain situations. The statement passes the nhe pointer to nexthop_get without any check, but nexthop_get might contain a dereference operation on the nhe pointer, which could result in a null-pointer dereference.
>>>
>>> Proposed Fix:
>>> To prevent the potential null-pointer dereference, we suggest adding a NULL check for the nhe pointer before attempting to pass the pointer to nexthop_get.
>>>
>>> Request for Review:
>>> We would appreciate your expert insight to confirm whether this vulnerability indeed poses a risk to the system, and if the proposed fix is appropriate. If there are reasons why this issue does not present a real risk (e.g., the NULL check is redundant or unnecessary), we would be grateful for clarification.
>>>
>>> Thank you for your time and consideration.
>>
>> This seems legit, I am not sure why syzbot did not find it yet.
>>
>
> typo in @nhe. Should have been
>
> diff --git a/net/ipv4/nexthop.c b/net/ipv4/nexthop.c
> index 7b9d70f9b31c7ae6b2039cb321845b852bc81a33..36c58e4d5f0044e43498ea915ee2079864fab1e2
> 100644
> --- a/net/ipv4/nexthop.c
> +++ b/net/ipv4/nexthop.c
> @@ -2742,7 +2742,7 @@ static struct nexthop
> *nexthop_create_group(struct net *net,
> struct nh_info *nhi;
>
> nhe = nexthop_find_by_id(net, entry[i].id);
> - if (!nexthop_get(nhe)) {
> + if (!nhe || !nexthop_get(nhe)) {
> err = -ENOENT;
> goto out_no_nh;
> }
rtm_new_nexthop - called with rtnl held
- nh_check_attr_group_rtnl validates all id's in the group list
- nexthop_add
+ nexthop_create_group - rtnl was never released, so if the id was
valid earlier, it is still valid so !nhe is not needed
This is why syzbot never found it; nothing to find.
^ permalink raw reply [flat|nested] 5+ messages in thread
[parent not found: <tencent_60BB14B216A3DFF94F6928CE@qq.com>]
* Re: [BUG] Potential Null Pointer Dereference in nexthop_create_group Function
[not found] <tencent_60BB14B216A3DFF94F6928CE@qq.com>
@ 2026-02-16 10:17 ` Paolo Abeni
0 siblings, 0 replies; 5+ messages in thread
From: Paolo Abeni @ 2026-02-16 10:17 UTC (permalink / raw)
To: 冯嘉仪, dsahern
Cc: davem, edumazet, kuba, netdev, linux-kernel
On 2/14/26 1:08 PM, 冯嘉仪 wrote:
> Dear Maintainer,
>
> Our team recently developed a null-pointer-dereference (NPD)
> vulnerability detection tool, and we used it to scan the Linux Kernel
> (version 6.9.6). After manual review, we identified a potentially
> vulnerable code snippet that could lead to a null-pointer dereference
> bug. We would appreciate your expert insight to confirm whether this
> vulnerability could indeed pose a risk to the system.
>
> Vulnerability Description:
> File: net/ipv4/nexthop.c
> In the function nexthop_create_group, we found the following line of code:
>
> if (!nexthop_get(nhe)) {
>
> The issue arises because the nhe pointer may be passed as NULL in
> certain situations. The statement passes the nhe pointer to nexthop_get
> without any check, but nexthop_get might contain a dereference operation
> on the nhe pointer, which could result in a null-pointer dereference.
Indeed even this one looks like a false positive: the id existence is
previously validated by nh_check_attr_group_rtnl().
The false positive rate in your reports strongly discourages any other
feedback; you should revisited your tool, do much better human review
and provide much more and better context information before any other post.
Thanks,
Paolo
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2026-02-16 10:17 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-02-14 12:17 [BUG] Potential Null Pointer Dereference in nexthop_create_group Function 冯嘉仪
2026-02-14 12:35 ` Eric Dumazet
2026-02-14 12:37 ` Eric Dumazet
2026-02-14 16:16 ` David Ahern
[not found] <tencent_60BB14B216A3DFF94F6928CE@qq.com>
2026-02-16 10:17 ` Paolo Abeni
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox