From nobody Thu Apr 9 15:05:53 2026 Received: from mail-wm1-f45.google.com (mail-wm1-f45.google.com [209.85.128.45]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 45BC733C198 for ; Sat, 7 Mar 2026 20:51:08 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.128.45 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1772916669; cv=none; b=DNKWq6CTSaMBBHcWVdp5i6taONAO5y4RqVyEYlBIU68Uhm2ex0wcMwCzxFZo/h8WqfEL+vJlQzWGFHeLoZRWZUx+d9vQIKF/M0OeBxTounsJ7S/Mq4xyvotnTplTVqnYUDR233Hx24OrWs1ZBQMyuOPjHzxpIGWSpdDMN23wRc4= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1772916669; c=relaxed/simple; bh=Bf5K9Guvd+wyKKsJCc2nAC/L9eqTu/OMzi8p66l8bNw=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=LbiewSy1RaL5NOg9DrtILhlgcu/bmCwWbuOgZ8TNDr/oEeHdSMlOBpQ1c5zz4vRVoHEvRq6ee+lKgsiCxwteH1jVEmu/kbYkbSaB5oBzsmJrTEoxmLbFXvJpxL3V0AYQJelFYEbHGuuGNN8rm/xEyKqznNVXBc15EhESrXf09Mg= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=suse.com; spf=pass smtp.mailfrom=suse.com; dkim=pass (2048-bit key) header.d=suse.com header.i=@suse.com header.b=gJJyfyhE; arc=none smtp.client-ip=209.85.128.45 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=suse.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=suse.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=suse.com header.i=@suse.com header.b="gJJyfyhE" Received: by mail-wm1-f45.google.com with SMTP id 5b1f17b1804b1-483703e4b08so101363815e9.1 for ; Sat, 07 Mar 2026 12:51:08 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.com; s=google; t=1772916667; x=1773521467; darn=vger.kernel.org; h=cc:to:in-reply-to:references:message-id:content-transfer-encoding :mime-version:subject:date:from:from:to:cc:subject:date:message-id :reply-to; bh=G4CFOYszHIMIOTlHDrOmB+I++aqI79L6ODIfR/9Z+VQ=; b=gJJyfyhE7omqAXPsMZRHYmO+QTvJa57lsKLSCBsWFLHYZWQm1u09ZdWHEF5uJ0cxFZ CVKceoT+7+F8Gcg2J2thM8td3lmB5We0oaj+avfYKHDJ5UsZOW8Lld5Z0Y/VvnrsjzpO 56onoGm8N6iCquxbmB/par/fbcHWeknRgh9/UKUJvLoCVryjakfU6aW+5txuL0vhh0XH ptKmOTBQVXZKGXU5XV7mRlbM6oG3azUPMnp0mY5oFXDZ4mgTyZ+Q9rc5ZxQYjpVav9Wm Pk6RbH+Rwa4Sqe0WCS3HWU05uASH/u0eK5QM8HTrrzwlYgUr92mJoSiD2sM6sMOE4Mo7 fVZA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1772916667; x=1773521467; h=cc:to:in-reply-to:references:message-id:content-transfer-encoding :mime-version:subject:date:from:x-gm-gg:x-gm-message-state:from:to :cc:subject:date:message-id:reply-to; bh=G4CFOYszHIMIOTlHDrOmB+I++aqI79L6ODIfR/9Z+VQ=; b=r5okJSE4KogeJ4A28Nid8Z4I88RK220X5xS8Dh56taRgIHY22A7yoQEzLUCqYhkQSm +mD/sFRyEtKVWDHQIWBTEE371fRVqaIgC3/sqnMKV6mK5EYCfA4iGnb8FoSCAFAq7B3O S/xcYaJffXBCE6DG44tCDWQn5IsFynWoqxTwalvleMhJ2TIgdEZbKaFGpTePsgPWbwhl RH+MVi79JnimQSuc7gzRkt6mfoL+7e7zFjVNjhZ5fcUNbM62o+ktQbxoBtup0MDXiXVQ LWmRF1Sp+P3Rz2r4ICoNOlz3kIYmoRlbYkXKoYx2FWzpON4i9JYSECE/+RX7uTRDIhEA kfbA== X-Forwarded-Encrypted: i=1; AJvYcCVUh5+3x5zM3jkCGj/LM5UBvC5z/USZoQFGaMcQ8A8DAKHkidbnsiN06tpxTxz3YvkbuIIIPS9mp1iYagk=@vger.kernel.org X-Gm-Message-State: AOJu0Yz13NCwXcdW6HCKxps1FUuU/TAztDADEoZRiG7r7DO0NItS9Gwj qNVS1TWB2gUCoBykN2yCor8tSUD+vCu/ffxMqNtYKNzhsLnRQXNsM5sVf4UMipVNr3U= X-Gm-Gg: ATEYQzwCPrPnmOgeFFhlO3cNG5YaCUpS+1MOgy0x2cT6HbexdcmfRWvOVX0oIM3SWtm SSIymZHIRdJyW7qwshIW3HTnGBenasYG/Je9VXxY9Jiip3che8bleE/zcEGoZrfwSuxR9UvBPCo cTs43XGNquguTTi+6NNm3/FPE0T+JejZEDCn3X8S76M8tCeAnua+zNzhYDtfGN7FCRwsV7n8o9G JcwKq57ll3HiYK9jf5aj4LlBHHyv+EQoSgMpSmavgt2qDDkJ9Erv5ZTsupmA5URRUo9M4yPcyXm DL5j/8z9BOPFklv4C9/FTwGRRnrv8rHnpWhvbzIwPogSZV5NTDgNc6wGSBzK+74oCma9OAys82H 15AlqNxAZ0XbV/DIs+TD71e8F0l7POymJG4d9MlDIxtZ4cFSAq/cDmL1qtMIjIZTloj3tlg30F/ kUBOua+Zgv3w== X-Received: by 2002:a05:600c:a30f:b0:477:a71c:d200 with SMTP id 5b1f17b1804b1-4851ee9a529mr146672705e9.11.1772916666606; Sat, 07 Mar 2026 12:51:06 -0800 (PST) Received: from localhost ([189.99.238.164]) by smtp.gmail.com with ESMTPSA id ada2fe7eead31-5ffe891ca1esm5735271137.4.2026.03.07.12.51.05 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sat, 07 Mar 2026 12:51:05 -0800 (PST) From: =?utf-8?q?Ricardo_B=2E_Marli=C3=A8re?= Date: Sat, 07 Mar 2026 17:50:53 -0300 Subject: [PATCH net v4 1/4] ipv6: move the disable_ipv6_mod knob to core code Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Message-Id: <20260307-net-nd_tbl_fixes-v4-1-e2677e85628c@suse.com> References: <20260307-net-nd_tbl_fixes-v4-0-e2677e85628c@suse.com> In-Reply-To: <20260307-net-nd_tbl_fixes-v4-0-e2677e85628c@suse.com> To: Martin KaFai Lau , Daniel Borkmann , John Fastabend , Stanislav Fomichev , Alexei Starovoitov , Andrii Nakryiko , Eduard Zingerman , Song Liu , Yonghong Song , KP Singh , Hao Luo , Jiri Olsa , "David S. Miller" , Eric Dumazet , Jakub Kicinski , Paolo Abeni , Simon Horman , =?utf-8?q?Toke_H=C3=B8iland-J=C3=B8rgensen?= , David Ahern , Jay Vosburgh , Andrew Lunn , Hangbin Liu Cc: Fernando Fernandez Mancera , bpf@vger.kernel.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, =?utf-8?q?Ricardo_B=2E_Marli=C3=A8re?= X-Mailer: b4 0.14.3 X-Developer-Signature: v=1; a=openssh-sha256; t=1772916658; l=2327; i=rbm@suse.com; h=from:subject:message-id; bh=VUwLjPvoellOz/Idggb+FMpUF6XQP2WLQN/6ZAj5ess=; b=U1NIU0lHAAAAAQAAADMAAAALc3NoLWVkMjU1MTkAAAAgguRCc5X8/UX9M40lkMnr//aFGOhce x5ezt8MFNUFlqYAAAAGcGF0YXR0AAAAAAAAAAZzaGE1MTIAAABTAAAAC3NzaC1lZDI1NTE5AAAA QOL8kA4Qc6fShFm8SSTXdDzsjABAPF8xRLLKNE8cDJPugPSoxrouOQBc5bdkio2v/bKVwILILuH hL2sS77g8Pww= X-Developer-Key: i=rbm@suse.com; a=openssh; fpr=SHA256:pzhe0fJpYLz+3cZ33FFPhIfaUElk9CXPFFXmalIH+1g From: Jakub Kicinski From: Jakub Kicinski Make sure disable_ipv6_mod itself is not part of the IPv6 module, in case core code wants to refer to it. We will remove support for IPv6=3Dm soon, this change helps make fixes we commit before that less messy. Signed-off-by: Jakub Kicinski --- include/linux/ipv6.h | 7 ++++++- net/ipv4/af_inet.c | 6 ++++++ net/ipv6/af_inet6.c | 8 -------- 3 files changed, 12 insertions(+), 9 deletions(-) diff --git a/include/linux/ipv6.h b/include/linux/ipv6.h index 443053a76dcf..a7421382a916 100644 --- a/include/linux/ipv6.h +++ b/include/linux/ipv6.h @@ -333,7 +333,12 @@ struct tcp6_timewait_sock { }; =20 #if IS_ENABLED(CONFIG_IPV6) -bool ipv6_mod_enabled(void); +extern int disable_ipv6_mod; + +static inline bool ipv6_mod_enabled(void) +{ + return disable_ipv6_mod =3D=3D 0; +} =20 static inline struct ipv6_pinfo *inet6_sk(const struct sock *__sk) { diff --git a/net/ipv4/af_inet.c b/net/ipv4/af_inet.c index 8036e76aa1e4..c7731e300a44 100644 --- a/net/ipv4/af_inet.c +++ b/net/ipv4/af_inet.c @@ -124,6 +124,12 @@ =20 #include =20 +/* Keep the definition of IPv6 disable here for now, to avoid annoying lin= ker + * issues in case IPv6=3Dm + */ +int disable_ipv6_mod; +EXPORT_SYMBOL(disable_ipv6_mod); + /* The inetsw table contains everything that inet_create needs to * build a new socket. */ diff --git a/net/ipv6/af_inet6.c b/net/ipv6/af_inet6.c index 23cc9b4cb2f1..4cbd45b68088 100644 --- a/net/ipv6/af_inet6.c +++ b/net/ipv6/af_inet6.c @@ -86,8 +86,6 @@ struct ipv6_params ipv6_defaults =3D { .autoconf =3D 1, }; =20 -static int disable_ipv6_mod; - module_param_named(disable, disable_ipv6_mod, int, 0444); MODULE_PARM_DESC(disable, "Disable IPv6 module such that it is non-functio= nal"); =20 @@ -97,12 +95,6 @@ MODULE_PARM_DESC(disable_ipv6, "Disable IPv6 on all inte= rfaces"); module_param_named(autoconf, ipv6_defaults.autoconf, int, 0444); MODULE_PARM_DESC(autoconf, "Enable IPv6 address autoconfiguration on all i= nterfaces"); =20 -bool ipv6_mod_enabled(void) -{ - return disable_ipv6_mod =3D=3D 0; -} -EXPORT_SYMBOL_GPL(ipv6_mod_enabled); - static struct ipv6_pinfo *inet6_sk_generic(struct sock *sk) { const int offset =3D sk->sk_prot->ipv6_pinfo_offset; --=20 2.53.0 From nobody Thu Apr 9 15:05:53 2026 Received: from mail-wm1-f50.google.com (mail-wm1-f50.google.com [209.85.128.50]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id B23973793AD for ; Sat, 7 Mar 2026 20:51:11 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.128.50 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1772916673; cv=none; b=m9MlV/xgUd2xXEywEHmW3O5DlsSPm43l3kwkQhwm4tFAtk8SPZ+VHxtqo91Q4NQgXpubCqXhAq+e1DEAG7DJvz7gjKcaKj6wbrZEFH5MYjzshLlGZ8At2al6jB0rEuY5GBzZJp2jMLaSqituMZADnW2bAlHCbHNQsMKCeJiMv0U= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1772916673; c=relaxed/simple; bh=rQz0G09ECTye/1V+FFrPEYbTDw+YCYeHWPbDy66SMRc=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=kUBYyJ9nBaEyk6tCp4YETuo/YTXKojfFjtoXW9AEtYrYUbTP026a6F3hg+Kc6foLem9PAJY68c4Ejfchemcx6RNu9NLEsHjW016wvucADlZpRqPEGNmh2v0Pq1W7suDcob5kGpQlJddQIFw8vshi6a9nfy8keLCv/QKOaud3Cu0= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=suse.com; spf=pass smtp.mailfrom=suse.com; dkim=pass (2048-bit key) header.d=suse.com header.i=@suse.com header.b=ITkjOxaP; arc=none smtp.client-ip=209.85.128.50 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=suse.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=suse.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=suse.com header.i=@suse.com header.b="ITkjOxaP" Received: by mail-wm1-f50.google.com with SMTP id 5b1f17b1804b1-480706554beso113840695e9.1 for ; Sat, 07 Mar 2026 12:51:11 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.com; s=google; t=1772916670; x=1773521470; darn=vger.kernel.org; h=cc:to:in-reply-to:references:message-id:content-transfer-encoding :mime-version:subject:date:from:from:to:cc:subject:date:message-id :reply-to; bh=8TEKXuJgPJhSEn7xi7NpdjtrZ7sxjabMNE5jL/D5Rdk=; b=ITkjOxaPCo833NGBF7BtbDeuTdXB9wRblgPeP69oqN5l1Jtktxi2Xc6TCW3CvFIkNc 1kPIJz1/rWvbN3UPyyd2EYL/UPBHFMj2IedioLIxaAV9CyTYodYO8EURt3rUJ3K1B6+4 beFdAx/s6lMXT4li2RGeUta4w/8Y/ytCozoUe6kkiT/HhPqy0pHmOTTmJ6iodI1MzSvx x1qc7SSbL1y1Rjy3BBjiW3BPmxYqp4YOaj63K6fE2ZSEkq6Q5P0sRPOcp1mxeDgU7pqw MK7DHz+8rES9kus4a09R85wLCkTFp1rH/+1zaUr98XoJoSKc9o8QTEN5LC/ka84sdR9n htDw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1772916670; x=1773521470; h=cc:to:in-reply-to:references:message-id:content-transfer-encoding :mime-version:subject:date:from:x-gm-gg:x-gm-message-state:from:to :cc:subject:date:message-id:reply-to; bh=8TEKXuJgPJhSEn7xi7NpdjtrZ7sxjabMNE5jL/D5Rdk=; b=rVCTTQ5JS/U/+dcf7lHWZU4Kd+nP4VJZEfKn1OJ8vyc0BXmvXAaHfNo6AQmGcmG9+v ljtm/S1ssvoLtGuNTIYRuirwkLSg+u2CzhtB+iOnuuGl8OgzHwuyNrAfaRUJ9MrsJNdI pieaxvbaRmb2jfoc9IDUQcvtfY0Qtak7gUl34HfSDIe61TMid3IiEYFih5c/hTsMqQ8J b7yb3rcWRq8twLlzl73Cfkl+kvjlg0SspvlnPlWyB+p+Ip9k74vpHOzHzAZNWOXKC/Jt VsiquEYQBBFdIiJdpQ48LiIqy8jdhKcqMcuObMAonWNxZlTnoopG0wPas1cwxhA2hhSi 3llA== X-Forwarded-Encrypted: i=1; AJvYcCXk51WBqAPI1yo29IiZB5oaMfckO2n63TIgwuaGeEkUdsJ/Zcfq+I552GyJaFrg/pjdBCe4Bi1eWXLCncI=@vger.kernel.org X-Gm-Message-State: AOJu0YzlfKu7sNkIMQ2toNDRkULYFYhX/ZyvDG8pZW5xXhEZsdMZBGIU fMPZlwDSs8Q4GWS48PnIBxzYnLbJGLX6ZHYQ/94BYBQdziugeICokH2cvOjz1wFn9xI= X-Gm-Gg: ATEYQzzJ+1inK4ROOZ6nZwBcT4yr02U7qYEwxo/lxNP1zSCLNE05was2IqHZkkuwdit NlVqxwfA2XSM8aGUD/QpUih45eznCQhqhAXHN+w09oprSxqTUEHl9JsSL6ad6UHKIPR90U1tMYH YSB4UEy8Q1a9UGXmRp8cygmmz7JaF2bl7ZBdzA8MXEU5YgHquhlTYbEQdM80i0aIimmyeO+szmz uZneLprQeHTG9rYhLF64dC/BjPhC9xRwwgnSuyXHdxPq0vSVwRiyjJCJ6kQfuw5vMHfo4XxpCzC kpZiWYFJOFJtiUGqMJtz6sVh/d9NF7EpS2/BjCTXCJ4orOyCVUvhcI9lGLCjFpm+c4M40r3aCBK TQ0X69C2DEb2JC7NIMAY1gKu9DStwdhnoRXykH+ic9PPr8BIsULxgZFBwpFpEk24e3nBtovjLxL irQoJ5APt0Yw== X-Received: by 2002:a05:600c:a00f:b0:485:358b:e80c with SMTP id 5b1f17b1804b1-485358bea63mr7375885e9.0.1772916670131; Sat, 07 Mar 2026 12:51:10 -0800 (PST) Received: from localhost ([189.99.238.164]) by smtp.gmail.com with ESMTPSA id ada2fe7eead31-5ffe88aa2d6sm5497582137.2.2026.03.07.12.51.08 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sat, 07 Mar 2026 12:51:09 -0800 (PST) From: =?utf-8?q?Ricardo_B=2E_Marli=C3=A8re?= Date: Sat, 07 Mar 2026 17:50:54 -0300 Subject: [PATCH net v4 2/4] net: bonding: Fix nd_tbl NULL dereference when IPv6 is disabled Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Message-Id: <20260307-net-nd_tbl_fixes-v4-2-e2677e85628c@suse.com> References: <20260307-net-nd_tbl_fixes-v4-0-e2677e85628c@suse.com> In-Reply-To: <20260307-net-nd_tbl_fixes-v4-0-e2677e85628c@suse.com> To: Martin KaFai Lau , Daniel Borkmann , John Fastabend , Stanislav Fomichev , Alexei Starovoitov , Andrii Nakryiko , Eduard Zingerman , Song Liu , Yonghong Song , KP Singh , Hao Luo , Jiri Olsa , "David S. Miller" , Eric Dumazet , Jakub Kicinski , Paolo Abeni , Simon Horman , =?utf-8?q?Toke_H=C3=B8iland-J=C3=B8rgensen?= , David Ahern , Jay Vosburgh , Andrew Lunn , Hangbin Liu Cc: Fernando Fernandez Mancera , bpf@vger.kernel.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, =?utf-8?q?Ricardo_B=2E_Marli=C3=A8re?= X-Mailer: b4 0.14.3 X-Developer-Signature: v=1; a=openssh-sha256; t=1772916658; l=2801; i=rbm@suse.com; h=from:subject:message-id; bh=rQz0G09ECTye/1V+FFrPEYbTDw+YCYeHWPbDy66SMRc=; b=U1NIU0lHAAAAAQAAADMAAAALc3NoLWVkMjU1MTkAAAAgguRCc5X8/UX9M40lkMnr//aFGOhce x5ezt8MFNUFlqYAAAAGcGF0YXR0AAAAAAAAAAZzaGE1MTIAAABTAAAAC3NzaC1lZDI1NTE5AAAA QLCmgfW5DEXGJb2EZsh2R6vAsikXWKiPtCnscGYQnGo0rUUoES4G2ViJ1aKYt66Gh8fF8JsbZUl wHGhFS0aC1AU= X-Developer-Key: i=rbm@suse.com; a=openssh; fpr=SHA256:pzhe0fJpYLz+3cZ33FFPhIfaUElk9CXPFFXmalIH+1g When booting with the 'ipv6.disable=3D1' parameter, the nd_tbl is never initialized because inet6_init() exits before ndisc_init() is called which initializes it. If bonding ARP/NS validation is enabled, an IPv6 NS/NA packet received on a slave can reach bond_validate_na(), which calls bond_has_this_ip6(). That path calls ipv6_chk_addr() and can crash in __ipv6_chk_addr_and_flags(). BUG: kernel NULL pointer dereference, address: 00000000000005d8 Oops: Oops: 0000 [#1] SMP NOPTI RIP: 0010:__ipv6_chk_addr_and_flags+0x69/0x170 Call Trace: ipv6_chk_addr+0x1f/0x30 bond_validate_na+0x12e/0x1d0 [bonding] ? __pfx_bond_handle_frame+0x10/0x10 [bonding] bond_rcv_validate+0x1a0/0x450 [bonding] bond_handle_frame+0x5e/0x290 [bonding] ? srso_alias_return_thunk+0x5/0xfbef5 __netif_receive_skb_core.constprop.0+0x3e8/0xe50 ? srso_alias_return_thunk+0x5/0xfbef5 ? update_cfs_rq_load_avg+0x1a/0x240 ? srso_alias_return_thunk+0x5/0xfbef5 ? __enqueue_entity+0x5e/0x240 __netif_receive_skb_one_core+0x39/0xa0 process_backlog+0x9c/0x150 __napi_poll+0x30/0x200 ? srso_alias_return_thunk+0x5/0xfbef5 net_rx_action+0x338/0x3b0 handle_softirqs+0xc9/0x2a0 do_softirq+0x42/0x60 __local_bh_enable_ip+0x62/0x70 __dev_queue_xmit+0x2d3/0x1000 ? srso_alias_return_thunk+0x5/0xfbef5 ? srso_alias_return_thunk+0x5/0xfbef5 ? packet_parse_headers+0x10a/0x1a0 packet_sendmsg+0x10da/0x1700 ? kick_pool+0x5f/0x140 ? srso_alias_return_thunk+0x5/0xfbef5 ? __queue_work+0x12d/0x4f0 __sys_sendto+0x1f3/0x220 __x64_sys_sendto+0x24/0x30 do_syscall_64+0x101/0xf80 ? exc_page_fault+0x6e/0x170 ? srso_alias_return_thunk+0x5/0xfbef5 entry_SYSCALL_64_after_hwframe+0x77/0x7f Fix this by checking ipv6_mod_enabled() before dispatching IPv6 packets to bond_na_rcv(). If IPv6 is disabled, return early from bond_rcv_validate() and avoid the path to ipv6_chk_addr(). Suggested-by: Fernando Fernandez Mancera Fixes: 4e24be018eb9 ("bonding: add new parameter ns_targets") Signed-off-by: Ricardo B. Marli=C3=A8re Reviewed-by: Hangbin Liu --- drivers/net/bonding/bond_main.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_mai= n.c index 14ed91391fcc..33fb5f168cef 100644 --- a/drivers/net/bonding/bond_main.c +++ b/drivers/net/bonding/bond_main.c @@ -3377,7 +3377,7 @@ int bond_rcv_validate(const struct sk_buff *skb, stru= ct bonding *bond, } else if (is_arp) { return bond_arp_rcv(skb, bond, slave); #if IS_ENABLED(CONFIG_IPV6) - } else if (is_ipv6) { + } else if (is_ipv6 && likely(ipv6_mod_enabled())) { return bond_na_rcv(skb, bond, slave); #endif } else { --=20 2.53.0 From nobody Thu Apr 9 15:05:53 2026 Received: from mail-wm1-f46.google.com (mail-wm1-f46.google.com [209.85.128.46]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id BE39C37BE6C for ; Sat, 7 Mar 2026 20:51:14 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.128.46 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1772916682; cv=none; b=DZFXKt79+rZFzxv1XHmXqGLiN+MhD5WOot7R3VTBeEoxkjo1OT09JY5Y1Oy2467QMm9+OMrcvgAh6iIXTx+Avaotu040d2fM2ZMNEHSdelw+6veF/mKeIRqzXxDWRc9o5cMaT9ytIEMHtuyycu/kHiaGY/OD5TxqkmcoHHdwh5g= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1772916682; c=relaxed/simple; bh=6ZQFRvZdst5dX9ooPrNy2xeyWgmUkbigP/SKL7rpSfM=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=Ww2PQxwMW8KgopXuOdWTs0eFqyySeEoSaJQuEvCZXBtq82pr58F+wKzQ8hEPUoQOCI7ia2+EvX4pu68GuD3WrD0nc0F4dRkRMAYHRFIEt8E6+X4g4Us/VPIhxJpQpUTy6a6AqkbF29lmh4H7zflaY2nTh/EyYmheMh+mN3djZ3c= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=suse.com; spf=pass smtp.mailfrom=suse.com; dkim=pass (2048-bit key) header.d=suse.com header.i=@suse.com header.b=EFEbyQPF; arc=none smtp.client-ip=209.85.128.46 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=suse.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=suse.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=suse.com header.i=@suse.com header.b="EFEbyQPF" Received: by mail-wm1-f46.google.com with SMTP id 5b1f17b1804b1-4852afd42ceso12036895e9.2 for ; Sat, 07 Mar 2026 12:51:14 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.com; s=google; t=1772916673; x=1773521473; darn=vger.kernel.org; h=cc:to:in-reply-to:references:message-id:content-transfer-encoding :mime-version:subject:date:from:from:to:cc:subject:date:message-id :reply-to; bh=/sq24Ds5yyXWvt9Wqdyycsxol0O37NiUOJjceeuBF7w=; b=EFEbyQPFVkdmEbXFHIgdKb6x3PV1GD0BiLS3VK+Ae0oOoMgWWt9IK459EoE7UNWUTL s+Ppow+1Q626SoErzf1a2Nsq9DWo0F9O/9eNR0kd/CjHpBKip2E37eW44rVeWr65qEYC yBHeK1RObfgiEXjWTBsLHyWLxtkeYuXypbD8tRM+G/uwzhC/rst3sxJZEHSc5pO2Msj0 oYEEtF7eEbdwPGKDB1ki+vdo/5utNBUKILHVhDhZw0mrtT6iSURoXBr+LzPJPflXh15d c/vZ48gUK9LtUl9mpO3zMQlGQVM6AHoPhL8zKVynmESjGZqEVWlMxn3k87MgvFWzPwkv WZLQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1772916673; x=1773521473; h=cc:to:in-reply-to:references:message-id:content-transfer-encoding :mime-version:subject:date:from:x-gm-gg:x-gm-message-state:from:to :cc:subject:date:message-id:reply-to; bh=/sq24Ds5yyXWvt9Wqdyycsxol0O37NiUOJjceeuBF7w=; b=UkpD/teCV/xzj/0nwD9XxEC0pfFlKil0kf6VeIaQXWnV68XOZm+jF8HJ2S1dv09iPa 02QLgwlTIm6IzeSq00h8Uj1V6rNWN1EyiqAxGzgFBMUIwoFc8JTjlCaISMmhbwPquxX4 9KQQmxrZ+XXNUYLst73osIaDNF67ttuhT4UhkAoigAIIbDzIbKA6DG7g+Ku3e1dZyzpo 7AyInsLiwHkfc17uHWMyOCUgxJBqUdeOqWSU+0ve1vaAfbKQebIeRJ+jRCworEUoiLEQ 2Pqvwb1WOKUrVEeDsyKf7q4l7Trom7ksgbpUZ4qyr55VkYM+1Woje3JzBLnuOPMetzr9 NcCg== X-Forwarded-Encrypted: i=1; AJvYcCW8W09rLo8X7ddLkQcF7f3+UbtY6Z9avUpR2ZEV13JLsgDcTLc10zLuwc7HZsCGPq0W63NoIbKB0YK5f9c=@vger.kernel.org X-Gm-Message-State: AOJu0YyOllRstadegMIyK29wHclvmDyjLrfmk+yZ0Jih9dVWqNxkqi59 0SQjaKOgXymULsz7ocA26kz2mI+DPFSMDbYvJ5n6VR8+p6xB3b41q6sGoOerI5+rlEY= X-Gm-Gg: ATEYQzxn3jF0FU0EwhHys40x9wuldoqTX9Rc/VImAp4RYSgBYcJqiEDuHiQC8MM0RES BwjGbxa8AKj4HnvVRiTougMz0Es8+9EvH7gmpAVtIwKMr7LWhzI2qX34yESRbG22p5WoolWJYlU gTiG3M0EnzRyJYIgNR5eAsPEVe6Ff+GWfbdpuYA5dPwNgIUZAsxx8Xn9w5Ocjs+XahEbGxZA/FB ZHCdN7gm4WjLAL+DqDrGa5PcqtoFZZtwyrgvCBSKZAr8W77usru4VVKK5AsBE9wIzFKfmghn1p4 3f4Jsvo9c2KCC/7FLVRXHq5WvHbY0mFn+6WISp2XE1R5BRmQLSVRXd5x4aMIt4GaHpxJ/EwJccq QLlGit4Uci5oLWJGPXF4tqUJNUd4B6qFQyXpye6cZfsExKP/7lbG/8ZXthDOizv7PlqImvuvrXQ D5bklv22mpLcNywd+gvLIG X-Received: by 2002:a05:600c:1908:b0:480:3a72:524a with SMTP id 5b1f17b1804b1-4852695943emr115413335e9.19.1772916673054; Sat, 07 Mar 2026 12:51:13 -0800 (PST) Received: from localhost ([189.99.238.164]) by smtp.gmail.com with ESMTPSA id 71dfb90a1353d-56b0f889ed2sm4065923e0c.13.2026.03.07.12.51.11 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sat, 07 Mar 2026 12:51:12 -0800 (PST) From: =?utf-8?q?Ricardo_B=2E_Marli=C3=A8re?= Date: Sat, 07 Mar 2026 17:50:55 -0300 Subject: [PATCH net v4 3/4] bpf: bpf_out_neigh_v4: Fix nd_tbl NULL dereference when IPv6 is disabled Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Message-Id: <20260307-net-nd_tbl_fixes-v4-3-e2677e85628c@suse.com> References: <20260307-net-nd_tbl_fixes-v4-0-e2677e85628c@suse.com> In-Reply-To: <20260307-net-nd_tbl_fixes-v4-0-e2677e85628c@suse.com> To: Martin KaFai Lau , Daniel Borkmann , John Fastabend , Stanislav Fomichev , Alexei Starovoitov , Andrii Nakryiko , Eduard Zingerman , Song Liu , Yonghong Song , KP Singh , Hao Luo , Jiri Olsa , "David S. Miller" , Eric Dumazet , Jakub Kicinski , Paolo Abeni , Simon Horman , =?utf-8?q?Toke_H=C3=B8iland-J=C3=B8rgensen?= , David Ahern , Jay Vosburgh , Andrew Lunn , Hangbin Liu Cc: Fernando Fernandez Mancera , bpf@vger.kernel.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, =?utf-8?q?Ricardo_B=2E_Marli=C3=A8re?= X-Mailer: b4 0.14.3 X-Developer-Signature: v=1; a=openssh-sha256; t=1772916658; l=2183; i=rbm@suse.com; h=from:subject:message-id; bh=6ZQFRvZdst5dX9ooPrNy2xeyWgmUkbigP/SKL7rpSfM=; b=U1NIU0lHAAAAAQAAADMAAAALc3NoLWVkMjU1MTkAAAAgguRCc5X8/UX9M40lkMnr//aFGOhce x5ezt8MFNUFlqYAAAAGcGF0YXR0AAAAAAAAAAZzaGE1MTIAAABTAAAAC3NzaC1lZDI1NTE5AAAA QFAMmuB9+HutmVwUmvb/O9FdutNnLHcZjnU2Jh0edZO9SUOTlxUABv8/vgtIANoEqc5Nwx84eFZ jg0AOfjJVqwg= X-Developer-Key: i=rbm@suse.com; a=openssh; fpr=SHA256:pzhe0fJpYLz+3cZ33FFPhIfaUElk9CXPFFXmalIH+1g When booting with the 'ipv6.disable=3D1' parameter, the nd_tbl is never initialized because inet6_init() exits before ndisc_init() is called which initializes it. If bpf_redirect_neigh() is called from tc with an explicit nexthop of nh_family =3D=3D AF_INET6, bpf_out_neigh_v4() takes the AF_INET6 branch and calls ip_neigh_gw6(), which relies on ipv6_stub->nd_tbl. BUG: kernel NULL pointer dereference, address: 0000000000000248 Oops: Oops: 0000 [#1] SMP NOPTI RIP: 0010:skb_do_redirect+0xb93/0xf00 Call Trace: ? srso_alias_return_thunk+0x5/0xfbef5 ? __tcf_classify.constprop.0+0x83/0x160 ? srso_alias_return_thunk+0x5/0xfbef5 ? tcf_classify+0x2b/0x50 ? srso_alias_return_thunk+0x5/0xfbef5 ? tc_run+0xb8/0x120 ? srso_alias_return_thunk+0x5/0xfbef5 __dev_queue_xmit+0x6fa/0x1000 ? srso_alias_return_thunk+0x5/0xfbef5 ? srso_alias_return_thunk+0x5/0xfbef5 ? alloc_skb_with_frags+0x58/0x200 packet_sendmsg+0x10da/0x1700 ? srso_alias_return_thunk+0x5/0xfbef5 __sys_sendto+0x1f3/0x220 __x64_sys_sendto+0x24/0x30 do_syscall_64+0x101/0xf80 ? exc_page_fault+0x6e/0x170 ? srso_alias_return_thunk+0x5/0xfbef5 entry_SYSCALL_64_after_hwframe+0x77/0x7f Fix this by adding an early check in the AF_INET6 branch of bpf_out_neigh_v4(). If IPv6 is disabled, unlock RCU and drop the packet. Suggested-by: Fernando Fernandez Mancera Fixes: ba452c9e996d ("bpf: Fix bpf_redirect_neigh helper api to support sup= plying nexthop") Signed-off-by: Ricardo B. Marli=C3=A8re Acked-by: Daniel Borkmann --- net/core/filter.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/net/core/filter.c b/net/core/filter.c index 0d5d5a17acb2..ff02dbe4c94f 100644 --- a/net/core/filter.c +++ b/net/core/filter.c @@ -2335,6 +2335,10 @@ static int bpf_out_neigh_v4(struct net *net, struct = sk_buff *skb, =20 neigh =3D ip_neigh_for_gw(rt, skb, &is_v6gw); } else if (nh->nh_family =3D=3D AF_INET6) { + if (unlikely(!ipv6_mod_enabled())) { + rcu_read_unlock(); + goto out_drop; + } neigh =3D ip_neigh_gw6(dev, &nh->ipv6_nh); is_v6gw =3D true; } else if (nh->nh_family =3D=3D AF_INET) { --=20 2.53.0 From nobody Thu Apr 9 15:05:53 2026 Received: from mail-wm1-f44.google.com (mail-wm1-f44.google.com [209.85.128.44]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id ACE282773DE for ; Sat, 7 Mar 2026 20:51:17 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.128.44 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1772916678; cv=none; b=HRp+jIEn1gCiCfxlPxLJ52gyORRZGLW6pSFwAd+DDVfcy26Oaxnj00fcXpkWxQqV6lijRZMYRyw2RYOf+etSh4iKI4YaZuUK/xxggviZewQBoKbIav/3zXkLdg1LF1YtU0mZnDcs0riBKdAa7fQJB6Zlgyz2N+Ohwbp81Vn6CUk= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1772916678; c=relaxed/simple; bh=LfIxcEnbfF8UcBAlQpsEC60tpSn836JRskSf+FgYy7k=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=iNiKu9oXfjXYI+vCUcOZuyEJPcrqB1YNOLMpcm9OsU6SyFzVhbLF55WroRHKvQS36vS3Oom3g20t7dOMFRtiqsc2un7ZFSWpouCN9WHRMXo6BhIoZ5D08KRwJscxx1iao2NIdOLsMcWXCLdDyxRwJcWz6oqP6NG5xgdaUT+UXFE= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=suse.com; spf=pass smtp.mailfrom=suse.com; dkim=pass (2048-bit key) header.d=suse.com header.i=@suse.com header.b=NyJaqgXI; arc=none smtp.client-ip=209.85.128.44 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=suse.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=suse.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=suse.com header.i=@suse.com header.b="NyJaqgXI" Received: by mail-wm1-f44.google.com with SMTP id 5b1f17b1804b1-4852afd42ceso12037215e9.2 for ; Sat, 07 Mar 2026 12:51:17 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.com; s=google; t=1772916676; x=1773521476; darn=vger.kernel.org; h=cc:to:in-reply-to:references:message-id:content-transfer-encoding :mime-version:subject:date:from:from:to:cc:subject:date:message-id :reply-to; bh=+8YSb3tz18QqaSJGIXy5ZYeSWZygMaMUDj6N+n+MakU=; b=NyJaqgXIlqFmQfADBmL2KrY9It4WrL7J0rOKiK+s03mgGOTAK2bCRLgTuAe96ZtQFa 2b7xtY5kWcLPmVpZGDJBCtofd8xSMpNot3ne6FWrPRxKkvjiPqf6d3xUmduUlxbQ2pn/ 1W5R4SZs0+BjBOO+yLasxVfYLROMWaKgD3eF+Ct8iK2d2dh7uRjtgswMpgrwzWldsdhx 78Z6vsnGg0tlp9ztQOLzRsnYnWvw5q78gbXUXM64IKpXnWZNakuzGxlWNi0zSHsJ7Qz8 wXJJOKZKPq3NXKzFDCBqdgJah1Q1dJHwYuqnRUSS9MtWVtugq04oCmFvhL2x6p3LWlu3 c5QA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1772916676; x=1773521476; h=cc:to:in-reply-to:references:message-id:content-transfer-encoding :mime-version:subject:date:from:x-gm-gg:x-gm-message-state:from:to :cc:subject:date:message-id:reply-to; bh=+8YSb3tz18QqaSJGIXy5ZYeSWZygMaMUDj6N+n+MakU=; b=rZMbjV16ZMeFMT/LSoRKN/HdUgGdp8cPEEEDOxeOmvlr/4AjujECQwxJuGS8yMGOnz P+ITNHpLTgKnZNK7/sYrxxnP5BtG3MKALqQXjWeNQvWg8n+Au+95BSJ+PjEVbJVXzY7w sr954lWYtVjuQ5Xp5o2+LdqnLNTuZJqP6FK9p8AfXv97KUGAzC6zjblQAN/aihFGRFzF pimRlGpoxc19TkjCMir0Opr8jOFi/zr/uVaS0QptawWLEVcOgxh5W1nahNGjvbgCGCAk ukIldHIN+6j1PE7huKtXRpzJX24kHuFEe4RpbirBAsb4DPSAHL8xzZtu8FWJVQtPf4Q+ NtTA== X-Forwarded-Encrypted: i=1; AJvYcCWxsm4Zp5yxREykwIXbYf3tr/bQEtYTzVf3lLUCnp7cny7Xbvhlk8zmduvsqJrJRBCJy04xmfaevY7DxK0=@vger.kernel.org X-Gm-Message-State: AOJu0YzvhwhPphCJibgBkmFxvbXWgCb3CFbye2rMat8KfHNiNANvSF6f au9+t7k/of6dD/9XcfEMZW0e3xac12Sv5HJLGGQrT8sJzM/mF6RDjKEd5qJD+6yebbA= X-Gm-Gg: ATEYQzztBi6SibW5xkTS8resYKM2mcCAIYlV8mLaIahxg4hYonu0Vs/DXVV61HeI6/9 7F9RKmxLjJXHuup0+eDGbV6zIwNSFL4ZjLHHU0BHjTe/kIeveLzi2HhSMkH9oQgUjoLNBdH/b/8 eBWsMGNz5OZjwD0jLFy5TzLJg4V0NEzyOGq1gO5ObEm5kmQqudHmtQ3IB6+jEWFd3WUyd0zKux/ BPs2CSCbR3HNiGHtLKA4aVVke4ynYd9e45bX3xhKkttVz4mAYvAPOV62CpC70owhW0MtZmdv4yh BmfufA0aKLb+0zPlbgm0rXbevXBFk9+RHk7f0CBkGSUGqfJH1FfemahHP8e0xIAwIx/lJn1qbOr J2lxR0jzDFsgIHFo+hlHYnhlbjY+x0diiLxzmLZWiSqjX0cpAvrRPDk/Ux9PW/BGVLifvtOUdSp 0U1N9X++dtkQ== X-Received: by 2002:a05:600c:3e15:b0:485:2f8b:55e9 with SMTP id 5b1f17b1804b1-4852f8b5ca8mr40634795e9.26.1772916676004; Sat, 07 Mar 2026 12:51:16 -0800 (PST) Received: from localhost ([189.99.238.164]) by smtp.gmail.com with ESMTPSA id 71dfb90a1353d-56b09b20d3bsm5854727e0c.16.2026.03.07.12.51.14 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sat, 07 Mar 2026 12:51:15 -0800 (PST) From: =?utf-8?q?Ricardo_B=2E_Marli=C3=A8re?= Date: Sat, 07 Mar 2026 17:50:56 -0300 Subject: [PATCH net v4 4/4] bpf: bpf_out_neigh_v6: Fix nd_tbl NULL dereference when IPv6 is disabled Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Message-Id: <20260307-net-nd_tbl_fixes-v4-4-e2677e85628c@suse.com> References: <20260307-net-nd_tbl_fixes-v4-0-e2677e85628c@suse.com> In-Reply-To: <20260307-net-nd_tbl_fixes-v4-0-e2677e85628c@suse.com> To: Martin KaFai Lau , Daniel Borkmann , John Fastabend , Stanislav Fomichev , Alexei Starovoitov , Andrii Nakryiko , Eduard Zingerman , Song Liu , Yonghong Song , KP Singh , Hao Luo , Jiri Olsa , "David S. Miller" , Eric Dumazet , Jakub Kicinski , Paolo Abeni , Simon Horman , =?utf-8?q?Toke_H=C3=B8iland-J=C3=B8rgensen?= , David Ahern , Jay Vosburgh , Andrew Lunn , Hangbin Liu Cc: Fernando Fernandez Mancera , bpf@vger.kernel.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, =?utf-8?q?Ricardo_B=2E_Marli=C3=A8re?= X-Mailer: b4 0.14.3 X-Developer-Signature: v=1; a=openssh-sha256; t=1772916658; l=1991; i=rbm@suse.com; h=from:subject:message-id; bh=LfIxcEnbfF8UcBAlQpsEC60tpSn836JRskSf+FgYy7k=; b=U1NIU0lHAAAAAQAAADMAAAALc3NoLWVkMjU1MTkAAAAgguRCc5X8/UX9M40lkMnr//aFGOhce x5ezt8MFNUFlqYAAAAGcGF0YXR0AAAAAAAAAAZzaGE1MTIAAABTAAAAC3NzaC1lZDI1NTE5AAAA QA78kdashxAZg6QDOFTFJ5DdZ4/gEYZMYataFMliZwhtsqkFf/nfobnSy0f0fdVlTgoSW3hutmQ V6JaQ4aFi8AE= X-Developer-Key: i=rbm@suse.com; a=openssh; fpr=SHA256:pzhe0fJpYLz+3cZ33FFPhIfaUElk9CXPFFXmalIH+1g When booting with the 'ipv6.disable=3D1' parameter, the nd_tbl is never initialized because inet6_init() exits before ndisc_init() is called which initializes it. If bpf_redirect_neigh() is called with explicit AF_INET6 nexthop parameters, __bpf_redirect_neigh_v6() can skip the IPv6 FIB lookup and call bpf_out_neigh_v6() directly. bpf_out_neigh_v6() then calls ip_neigh_gw6(), which uses ipv6_stub->nd_tbl. BUG: kernel NULL pointer dereference, address: 0000000000000248 Oops: Oops: 0000 [#1] SMP NOPTI RIP: 0010:skb_do_redirect+0x44f/0xf40 Call Trace: ? srso_alias_return_thunk+0x5/0xfbef5 ? __tcf_classify.constprop.0+0x83/0x160 ? srso_alias_return_thunk+0x5/0xfbef5 ? tcf_classify+0x2b/0x50 ? srso_alias_return_thunk+0x5/0xfbef5 ? tc_run+0xb8/0x120 ? srso_alias_return_thunk+0x5/0xfbef5 __dev_queue_xmit+0x6fa/0x1000 ? srso_alias_return_thunk+0x5/0xfbef5 packet_sendmsg+0x10da/0x1700 ? srso_alias_return_thunk+0x5/0xfbef5 __sys_sendto+0x1f3/0x220 __x64_sys_sendto+0x24/0x30 do_syscall_64+0x101/0xf80 ? exc_page_fault+0x6e/0x170 ? srso_alias_return_thunk+0x5/0xfbef5 entry_SYSCALL_64_after_hwframe+0x77/0x7f Fix this by adding an early check in bpf_out_neigh_v6(). If IPv6 is disabled, drop the packet before neighbor lookup. Suggested-by: Fernando Fernandez Mancera Fixes: ba452c9e996d ("bpf: Fix bpf_redirect_neigh helper api to support sup= plying nexthop") Signed-off-by: Ricardo B. Marli=C3=A8re Acked-by: Daniel Borkmann --- net/core/filter.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/net/core/filter.c b/net/core/filter.c index ff02dbe4c94f..3344fa0789f0 100644 --- a/net/core/filter.c +++ b/net/core/filter.c @@ -2228,6 +2228,9 @@ static int bpf_out_neigh_v6(struct net *net, struct s= k_buff *skb, return -ENOMEM; } =20 + if (unlikely(!ipv6_mod_enabled())) + goto out_drop; + rcu_read_lock(); if (!nh) { dst =3D skb_dst(skb); --=20 2.53.0