From: bestswngs@gmail.com
To: security@kernel.org
Cc: edumazet@google.com, davem@davemloft.net, kuba@kernel.org, pabeni@redhat.com, horms@kernel.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, xmei5@asu.edu, Weiming Shi
Subject: [PATCH net] icmp: fix NULL pointer dereference in icmp_tag_validation()
Date: Wed, 18 Mar 2026 21:06:01 +0800
Message-ID: <20260318130558.1050247-4-bestswngs@gmail.com>
X-Mailer: git-send-email 2.43.0
X-Mailing-List: linux-kernel@vger.kernel.org
From: Weiming Shi

icmp_tag_validation() unconditionally dereferences the result of
rcu_dereference(inet_protos[proto]) without checking for NULL. The
inet_protos[] array is sparse -- only about 15 of 256 protocol numbers
have registered handlers.

When ip_no_pmtu_disc is set to 3 (hardened PMTU mode) and the kernel
receives an ICMP Fragmentation Needed error with a quoted inner IP
header containing an unregistered protocol number, the NULL dereference
causes a kernel panic in softirq context.

Oops: general protection fault, probably for non-canonical address 0xdffffc0000000002: 0000 [#1] SMP KASAN NOPTI
KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017]
RIP: 0010:icmp_unreach (net/ipv4/icmp.c:1085 net/ipv4/icmp.c:1143)
Call Trace:
 icmp_rcv (net/ipv4/icmp.c:1527)
 ip_protocol_deliver_rcu (net/ipv4/ip_input.c:207)
 ip_local_deliver_finish (net/ipv4/ip_input.c:242)
 ip_local_deliver (net/ipv4/ip_input.c:262)
 ip_rcv (net/ipv4/ip_input.c:573)
 __netif_receive_skb_one_core (net/core/dev.c:6164)
 process_backlog (net/core/dev.c:6628)
 handle_softirqs (kernel/softirq.c:561)

Add a NULL check before accessing icmp_strict_tag_validation. If the
protocol has no registered handler, return false since it cannot
perform strict tag validation.

Fixes: 8ed1dc44d3e9 ("ipv4: introduce hardened ip_no_pmtu_disc mode")
Reported-by: Xiang Mei
Signed-off-by: Weiming Shi
---
 net/ipv4/icmp.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/net/ipv4/icmp.c b/net/ipv4/icmp.c
index a62b4c4033cc..568bd1e95d44 100644
--- a/net/ipv4/icmp.c
+++ b/net/ipv4/icmp.c
@@ -1079,10 +1079,12 @@ static void icmp_socket_deliver(struct sk_buff *skb= , u32 info) =20 static bool icmp_tag_validation(int proto) { + const struct net_protocol *ipprot; bool ok; =20 rcu_read_lock(); - ok =3D rcu_dereference(inet_protos[proto])->icmp_strict_tag_validation; + ipprot =3D rcu_dereference(inet_protos[proto]); + ok =3D ipprot ? ipprot->icmp_strict_tag_validation : false; rcu_read_unlock(); return ok; } --=20 2.43.0
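Review bot: the `false` fallback in the new ternary is the fail-closed choice and matches the changelog: a protocol with no registered handler cannot perform strict tag validation, so the ip_no_pmtu_disc=3 caller ends up ignoring the Fragmentation Needed message instead of trusting a quoted header the kernel cannot check, and the lookup no longer faults in softirq context on a protocol number chosen by the sender. Two small suggestions: a one-line comment on the ternary (e.g. `/* no handler registered: cannot validate, refuse */`) would record why `false` rather than `true` is the safe default, and since `proto` is the protocol byte of a quoted inner header arriving from the network, it is worth saying explicitly in the changelog that the Oops is triggerable by received packets on hosts running mode 3, so that backporters prioritise it.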
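A user-space model of the path the changelog describes, added here as an example and not code from the patch or the kernel: the protocol byte of the IPv4 header quoted inside an ICMP Fragmentation Needed message indexes a sparse 256-entry table, and the hardened-mode decision uses the patched semantics (no handler means refuse). The table contents, the `icmp_strict_tag_validation` flags and the sample messages are constructed; the `*_model` names are assumptions.

```c
/* User-space model (constructed example, not kernel code) of the lookup the
 * patch above fixes: a sparse 256-entry table indexed by the protocol byte of
 * the IP header quoted inside an ICMP Fragmentation Needed message. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
struct proto_handler_model { bool icmp_strict_tag_validation; };
/* Flags are constructed for the model: one protocol opts in, one does not. */
static const struct proto_handler_model tcp_model = { .icmp_strict_tag_validation = true };
static const struct proto_handler_model udp_model = { .icmp_strict_tag_validation = false };
static const struct proto_handler_model *inet_protos_model[256]; /* mostly NULL */

void model_register_handlers(void)
{
    memset(inet_protos_model, 0, sizeof(inet_protos_model));
    inet_protos_model[6] = &tcp_model;  /* IPPROTO_TCP */
    inet_protos_model[17] = &udp_model; /* IPPROTO_UDP */
}

/* Patched semantics: no registered handler means it cannot validate, so refuse. */
bool icmp_tag_validation_model(int proto)
{
    const struct proto_handler_model *ipprot;
    if (proto < 0 || proto > 255)
        return false;
    ipprot = inet_protos_model[proto];
    return ipprot ? ipprot->icmp_strict_tag_validation : false;
}

/* Quoted inner IPv4 header follows the 8-byte ICMP header; protocol is at offset 9. */
int icmp_quoted_protocol(const uint8_t *icmp, size_t len)
{
    if (len < 8 + 20 || (icmp[8] >> 4) != 4 || (icmp[8] & 0x0f) < 5)
        return -1; /* too short, or the quoted header is not a full IPv4 header */
    return icmp[8 + 9];
}

/* Hardened mode (ip_no_pmtu_disc=3): honour the message only if the quoted
 * protocol performs strict tag validation; anything else is ignored. */
bool hardened_accepts_frag_needed(const uint8_t *icmp, size_t len)
{
    int proto = icmp_quoted_protocol(icmp, len);
    return proto >= 0 && icmp_tag_validation_model(proto);
}

/* Constructed samples: ICMP type 3 code 4 (MTU 1500), then a quoted IPv4
 * header (ihl 5, DF set) with protocol 6 (TCP) or an unregistered 200. */
static const uint8_t frag_needed_quoting_tcp[28] = { 3, 4, 0, 0, 0, 0, 0x05, 0xdc,
    0x45, 0, 0, 0x28, 0, 0, 0x40, 0, 64, 6, 0, 0, 10, 0, 0, 1, 10, 0, 0, 2 };
static const uint8_t frag_needed_quoting_unregistered[28] = { 3, 4, 0, 0, 0, 0, 0x05, 0xdc,
    0x45, 0, 0, 0x28, 0, 0, 0x40, 0, 64, 200, 0, 0, 10, 0, 0, 1, 10, 0, 0, 2 };
```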