mirror of https://github.com/torvalds/linux.git
d56b5d1634
When booting with the 'ipv6.disable=1' parameter, the nd_tbl is never
initialized because inet6_init() exits before ndisc_init() is called which
initializes it. If bpf_redirect_neigh() is called with explicit AF_INET6
nexthop parameters, __bpf_redirect_neigh_v6() can skip the IPv6 FIB lookup
and call bpf_out_neigh_v6() directly. bpf_out_neigh_v6() then calls
ip_neigh_gw6(), which uses ipv6_stub->nd_tbl.
BUG: kernel NULL pointer dereference, address: 0000000000000248
Oops: Oops: 0000 [#1] SMP NOPTI
RIP: 0010:skb_do_redirect+0x44f/0xf40
Call Trace:
<TASK>
? srso_alias_return_thunk+0x5/0xfbef5
? __tcf_classify.constprop.0+0x83/0x160
? srso_alias_return_thunk+0x5/0xfbef5
? tcf_classify+0x2b/0x50
? srso_alias_return_thunk+0x5/0xfbef5
? tc_run+0xb8/0x120
? srso_alias_return_thunk+0x5/0xfbef5
__dev_queue_xmit+0x6fa/0x1000
? srso_alias_return_thunk+0x5/0xfbef5
packet_sendmsg+0x10da/0x1700
? srso_alias_return_thunk+0x5/0xfbef5
__sys_sendto+0x1f3/0x220
__x64_sys_sendto+0x24/0x30
do_syscall_64+0x101/0xf80
? exc_page_fault+0x6e/0x170
? srso_alias_return_thunk+0x5/0xfbef5
entry_SYSCALL_64_after_hwframe+0x77/0x7f
</TASK>
Fix this by adding an early check in bpf_out_neigh_v6(). If IPv6 is
disabled, drop the packet before neighbor lookup.
Suggested-by: Fernando Fernandez Mancera <fmancera@suse.de>
Fixes:
|
||
|---|---|---|
| .. | ||
| Makefile | ||
| bpf_sk_storage.c | ||
| datagram.c | ||
| dev.c | ||
| dev.h | ||
| dev_addr_lists.c | ||
| dev_addr_lists_test.c | ||
| dev_api.c | ||
| dev_ioctl.c | ||
| devmem.c | ||
| devmem.h | ||
| drop_monitor.c | ||
| dst.c | ||
| dst_cache.c | ||
| failover.c | ||
| fib_notifier.c | ||
| fib_rules.c | ||
| filter.c | ||
| flow_dissector.c | ||
| flow_offload.c | ||
| gen_estimator.c | ||
| gen_stats.c | ||
| gro.c | ||
| gro_cells.c | ||
| gso.c | ||
| hotdata.c | ||
| hwbm.c | ||
| ieee8021q_helpers.c | ||
| link_watch.c | ||
| lock_debug.c | ||
| lwt_bpf.c | ||
| lwtunnel.c | ||
| mp_dmabuf_devmem.h | ||
| neighbour.c | ||
| net-procfs.c | ||
| net-sysfs.c | ||
| net-sysfs.h | ||
| net-traces.c | ||
| net_namespace.c | ||
| net_test.c | ||
| netclassid_cgroup.c | ||
| netdev-genl-gen.c | ||
| netdev-genl-gen.h | ||
| netdev-genl.c | ||
| netdev_config.c | ||
| netdev_queues.c | ||
| netdev_rx_queue.c | ||
| netevent.c | ||
| netmem_priv.h | ||
| netpoll.c | ||
| netprio_cgroup.c | ||
| of_net.c | ||
| page_pool.c | ||
| page_pool_priv.h | ||
| page_pool_user.c | ||
| pktgen.c | ||
| ptp_classifier.c | ||
| rtnetlink.c | ||
| scm.c | ||
| secure_seq.c | ||
| selftests.c | ||
| skb_fault_injection.c | ||
| skbuff.c | ||
| skmsg.c | ||
| sock.c | ||
| sock_destructor.h | ||
| sock_diag.c | ||
| sock_map.c | ||
| sock_reuseport.c | ||
| stream.c | ||
| sysctl_net_core.c | ||
| timestamping.c | ||
| tso.c | ||
| utils.c | ||
| xdp.c | ||