Gh0st
/
linux
mirror of https://github.com/torvalds/linux.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
linux/net
History
Ido Schimmel 390b3a300d nexthop: Forbid FDB status change while nexthop is in a group 
The kernel forbids the creation of non-FDB nexthop groups with FDB
nexthops:

 # ip nexthop add id 1 via 192.0.2.1 fdb
 # ip nexthop add id 2 group 1
 Error: Non FDB nexthop group cannot have fdb nexthops.

And vice versa:

 # ip nexthop add id 3 via 192.0.2.2 dev dummy1
 # ip nexthop add id 4 group 3 fdb
 Error: FDB nexthop group can only have fdb nexthops.

However, as long as no routes are pointing to a non-FDB nexthop group,
the kernel allows changing the type of a nexthop from FDB to non-FDB and
vice versa:

 # ip nexthop add id 5 via 192.0.2.2 dev dummy1
 # ip nexthop add id 6 group 5
 # ip nexthop replace id 5 via 192.0.2.2 fdb
 # echo $?
 0

This configuration is invalid and can result in a NPD [1] since FDB
nexthops are not associated with a nexthop device:

 # ip route add 198.51.100.1/32 nhid 6
 # ping 198.51.100.1

Fix by preventing nexthop FDB status change while the nexthop is in a
group:

 # ip nexthop add id 7 via 192.0.2.2 dev dummy1
 # ip nexthop add id 8 group 7
 # ip nexthop replace id 7 via 192.0.2.2 fdb
 Error: Cannot change nexthop FDB status while in a group.

[1]
BUG: kernel NULL pointer dereference, address: 00000000000003c0
[...]
Oops: Oops: 0000 [#1] SMP
CPU: 6 UID: 0 PID: 367 Comm: ping Not tainted 6.17.0-rc6-virtme-gb65678cacc03 #1 PREEMPT(voluntary)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-4.fc41 04/01/2014
RIP: 0010:fib_lookup_good_nhc+0x1e/0x80
[...]
Call Trace:
 <TASK>
 fib_table_lookup+0x541/0x650
 ip_route_output_key_hash_rcu+0x2ea/0x970
 ip_route_output_key_hash+0x55/0x80
 __ip4_datagram_connect+0x250/0x330
 udp_connect+0x2b/0x60
 __sys_connect+0x9c/0xd0
 __x64_sys_connect+0x18/0x20
 do_syscall_64+0xa4/0x2a0
 entry_SYSCALL_64_after_hwframe+0x4b/0x53

Fixes: 38428d6871 ("nexthop: support for fdb ecmp nexthops")
Reported-by: syzbot+6596516dd2b635ba2350@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/netdev/68c9a4d2.050a0220.3c6139.0e63.GAE@google.com/
Tested-by: syzbot+6596516dd2b635ba2350@syzkaller.appspotmail.com
Signed-off-by: Ido Schimmel <idosch@nvidia.com>
Reviewed-by: David Ahern <dsahern@kernel.org>
Link: https://patch.msgid.link/20250921150824.149157-2-idosch@nvidia.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
 		2025-09-23 17:01:05 -07:00
..
6lowpan net: replace ND_PRINTK with dynamic debug 2025-07-10 15:27:32 -07:00
9p
802 treewide, timers: Rename from_timer() to timer_container_of() 2025-06-08 09:07:37 +02:00
8021q net: s/dev_close_many/netif_close_many/ 2025-07-18 17:27:47 -07:00
appletalk Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2025-07-24 11:10:46 -07:00
atm net: atm: fix memory leak in atm_register_sysfs when device_register fail 2025-09-04 09:53:44 +02:00
ax25 ax25: properly unshare skbs in ax25_kiss_rcv() 2025-09-03 17:06:30 -07:00
batman-adv batman-adv: fix OOB read/write in network-coding decode 2025-08-31 17:01:35 +02:00
bluetooth Bluetooth: MGMT: Fix possible UAFs 2025-09-22 10:30:00 -04:00
bpf bpf: Add attach_type field to bpf_link 2025-07-11 10:51:55 -07:00
bridge net: bridge: Bounce invalid boolopts 2025-09-08 18:23:40 -07:00
caif caif: reduce stack size, again 2025-06-23 16:58:43 -07:00
can can: j1939: j1939_local_ecu_get(): undo increment when j1939_local_ecu_get() fails 2025-09-10 17:12:05 +02:00
ceph libceph: fix invalid accesses to ceph_connection_v1_info 2025-09-10 21:22:56 +02:00
core net: allow alloc_skb_with_frags() to use MAX_SKB_FRAGS 2025-09-23 16:51:26 -07:00
dcb
devlink devlink rate: Remove unnecessary 'static' from a couple places 2025-09-18 07:47:18 -07:00
dns_resolver
dsa net: s/dev_close_many/netif_close_many/ 2025-07-18 17:27:47 -07:00
ethernet
ethtool net: ethtool: handle EOPNOTSUPP from ethtool get_ts_info() method 2025-09-12 17:09:10 -07:00
handshake net/handshake: Add new parameter 'HANDSHAKE_A_ACCEPT_KEYRING' 2025-07-08 15:31:44 +02:00
hsr hsr: hold rcu and dev lock for hsr_get_port_ndev 2025-09-11 11:49:19 +02:00
ieee802154 treewide, timers: Rename from_timer() to timer_container_of() 2025-06-08 09:07:37 +02:00
ife
ipv4 nexthop: Forbid FDB status change while nexthop is in a group 2025-09-23 17:01:05 -07:00
ipv6 ipv6: annotate data-races around devconf->rpl_seg_enabled 2025-09-02 17:01:06 -07:00
iucv s390/drivers: Explicitly include <linux/export.h> 2025-06-17 18:18:02 +02:00
kcm net: kcm: Fix race condition in kcm_unattach() 2025-08-13 18:18:33 -07:00
key Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2025-07-24 11:10:46 -07:00
l2tp l2tp: do not use sock_hold() in pppol2tp_session_get_sock() 2025-08-27 17:16:13 -07:00
l3mdev
lapb treewide, timers: Rename from_timer() to timer_container_of() 2025-06-08 09:07:37 +02:00
llc net: make sk->sk_rcvtimeo lockless 2025-06-23 17:05:12 -07:00
mac80211 wifi: mac80211: do not permit 40 MHz EHT operation on 5/6 GHz 2025-08-28 13:39:16 +02:00
mac802154
mctp mctp: return -ENOPROTOOPT for unknown getsockopt options 2025-09-03 17:01:52 -07:00
mpls net: s/dev_get_flags/netif_get_flags/ 2025-07-18 17:27:47 -07:00
mptcp mptcp: tfo: record 'deny join id0' info 2025-09-15 18:12:05 -07:00
ncsi net: ncsi: Fix buffer overflow in fetching version id 2025-06-12 18:21:59 -07:00
netfilter netfilter: nf_tables: restart set lookup on base_seq change 2025-09-10 20:30:37 +02:00
netlabel calipso: unlock rcu before returning -EAFNOSUPPORT 2025-06-05 08:03:38 -07:00
netlink genetlink: fix genl_bind() invoking bind() after -EPERM 2025-09-08 17:50:36 -07:00
netrom treewide, timers: Rename from_timer() to timer_container_of() 2025-06-08 09:07:37 +02:00
nfc Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2025-06-19 13:00:24 -07:00
nsh
openvswitch net: openvswitch: allow providing upcall pid for the 'execute' command 2025-07-07 14:30:39 -07:00
packet net/packet: fix a race in packet_set_ring() and packet_notifier() 2025-08-04 17:21:27 -07:00
phonet Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2025-07-17 11:00:33 -07:00
psample
qrtr
rds rds: ib: Increment i_fastreg_wrs before bailing out 2025-09-15 16:47:53 -07:00
rfkill net: rfkill: gpio: Fix crash due to dereferencering uninitialized pointer 2025-09-17 12:37:05 +02:00
rose net: rose: fix a typo in rose_clear_routes() 2025-08-27 17:27:52 -07:00
rxrpc rxrpc: Fix untrusted unsigned subtract 2025-09-14 13:05:22 -07:00
sched net/sched: Remove unnecessary WARNING condition for empty child qdisc in htb_activate 2025-08-20 19:27:08 -07:00
sctp sctp: initialize more fields in sctp_v6_from_sk() 2025-08-27 17:15:21 -07:00
shaper
smc net/smc: fix warning in smc_rx_splice() when calling get_page() 2025-09-19 16:44:05 -07:00
strparser net: make sk->sk_rcvtimeo lockless 2025-06-23 17:05:12 -07:00
sunrpc SUNRPC: call xs_sock_process_cmsg for all cmsg 2025-09-06 16:51:26 -04:00
switchdev
tipc Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2025-07-10 10:10:49 -07:00
tls tls: make sure to abort the stream if headers are bogus 2025-09-18 12:43:54 +02:00
unix Networking changes for 6.17. 2025-07-30 08:58:55 -07:00
vmw_vsock vsock/virtio: Fix message iterator handling on transmit path 2025-08-21 17:49:19 -07:00
wireless wifi: nl80211: completely disable per-link stats for now 2025-09-11 08:50:31 +02:00
x25 net/x25: Remove unused x25_terminate_link() 2025-07-14 17:19:13 -07:00
xdp xsk: Fix immature cq descriptor production 2025-09-09 15:09:55 -07:00
xfrm xfrm: fix offloading of cross-family tunnels 2025-09-15 11:35:06 +02:00
Kconfig net: Kconfig: add endif/endmenu comments 2025-07-22 18:17:23 -07:00
Kconfig.debug
Makefile
compat.c
devres.c
socket.c net: annotate races around sk->sk_uid 2025-06-23 17:04:03 -07:00
sysctl_net.c