MIRRORS/linux-yocto
1
0
Fork 0
mirror of git://git.yoctoproject.org/linux-yocto.git synced 2025-10-22 23:13:01 +02:00
Code Issues Actions Packages Projects Releases Wiki Activity
6200d2e7ea
linux-yocto/net
History
Ido Schimmel 8dd4aa0122 nexthop: Forbid FDB status change while nexthop is in a group 
[ Upstream commit 390b3a300d7872cef9588f003b204398be69ce08 ]

The kernel forbids the creation of non-FDB nexthop groups with FDB
nexthops:

 # ip nexthop add id 1 via 192.0.2.1 fdb
 # ip nexthop add id 2 group 1
 Error: Non FDB nexthop group cannot have fdb nexthops.

And vice versa:

 # ip nexthop add id 3 via 192.0.2.2 dev dummy1
 # ip nexthop add id 4 group 3 fdb
 Error: FDB nexthop group can only have fdb nexthops.

However, as long as no routes are pointing to a non-FDB nexthop group,
the kernel allows changing the type of a nexthop from FDB to non-FDB and
vice versa:

 # ip nexthop add id 5 via 192.0.2.2 dev dummy1
 # ip nexthop add id 6 group 5
 # ip nexthop replace id 5 via 192.0.2.2 fdb
 # echo $?
 0

This configuration is invalid and can result in a NPD [1] since FDB
nexthops are not associated with a nexthop device:

 # ip route add 198.51.100.1/32 nhid 6
 # ping 198.51.100.1

Fix by preventing nexthop FDB status change while the nexthop is in a
group:

 # ip nexthop add id 7 via 192.0.2.2 dev dummy1
 # ip nexthop add id 8 group 7
 # ip nexthop replace id 7 via 192.0.2.2 fdb
 Error: Cannot change nexthop FDB status while in a group.

[1]
BUG: kernel NULL pointer dereference, address: 00000000000003c0
[...]
Oops: Oops: 0000 [#1] SMP
CPU: 6 UID: 0 PID: 367 Comm: ping Not tainted 6.17.0-rc6-virtme-gb65678cacc03 #1 PREEMPT(voluntary)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-4.fc41 04/01/2014
RIP: 0010:fib_lookup_good_nhc+0x1e/0x80
[...]
Call Trace:
 <TASK>
 fib_table_lookup+0x541/0x650
 ip_route_output_key_hash_rcu+0x2ea/0x970
 ip_route_output_key_hash+0x55/0x80
 __ip4_datagram_connect+0x250/0x330
 udp_connect+0x2b/0x60
 __sys_connect+0x9c/0xd0
 __x64_sys_connect+0x18/0x20
 do_syscall_64+0xa4/0x2a0
 entry_SYSCALL_64_after_hwframe+0x4b/0x53

Fixes: 38428d6871 ("nexthop: support for fdb ecmp nexthops")
Reported-by: syzbot+6596516dd2b635ba2350@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/netdev/68c9a4d2.050a0220.3c6139.0e63.GAE@google.com/
Tested-by: syzbot+6596516dd2b635ba2350@syzkaller.appspotmail.com
Signed-off-by: Ido Schimmel <idosch@nvidia.com>
Reviewed-by: David Ahern <dsahern@kernel.org>
Link: https://patch.msgid.link/20250921150824.149157-2-idosch@nvidia.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2025-10-02 13:48:31 +02:00
..
6lowpan
9p netfs: Fix the request's work item to not require a ref 2025-05-21 14:35:20 +02:00
802 treewide, timers: Rename from_timer() to timer_container_of() 2025-06-08 09:07:37 +02:00
8021q net: vlan: fix VLAN 0 refcount imbalance of toggling filtering during runtime 2025-07-17 07:44:26 -07:00
appletalk net: remove sock_i_uid() 2025-09-09 19:02:26 +02:00
atm net: atm: fix memory leak in atm_register_sysfs when device_register fail 2025-09-09 19:02:27 +02:00
ax25 ax25: properly unshare skbs in ax25_kiss_rcv() 2025-09-09 19:02:27 +02:00
batman-adv batman-adv: fix OOB read/write in network-coding decode 2025-09-09 19:02:34 +02:00
bluetooth Bluetooth: MGMT: Fix possible UAFs 2025-10-02 13:48:31 +02:00
bpf
bridge net: bridge: Bounce invalid boolopts 2025-09-19 16:37:36 +02:00
caif caif: reduce stack size, again 2025-08-15 16:38:40 +02:00
can can: j1939: j1939_local_ecu_get(): undo increment when j1939_local_ecu_get() fails 2025-09-19 16:37:37 +02:00
ceph libceph: fix invalid accesses to ceph_connection_v1_info 2025-09-19 16:37:33 +02:00
core net: allow alloc_skb_with_frags() to use MAX_SKB_FRAGS 2025-10-02 13:48:31 +02:00
dcb
devlink devlink: let driver opt out of automatic phys_port_name generation 2025-08-28 16:34:42 +02:00
dns_resolver
dsa net: dsa: tag_brcm: legacy: fix pskb_may_pull length 2025-05-30 19:20:18 -07:00
ethernet
ethtool Including fixes from bluetooth and wireless. 2025-06-12 09:50:36 -07:00
handshake
hsr hsr: hold rcu and dev lock for hsr_get_port_ndev 2025-09-19 16:37:38 +02:00
ieee802154 treewide, timers: Rename from_timer() to timer_container_of() 2025-06-08 09:07:37 +02:00
ife
ipv4 nexthop: Forbid FDB status change while nexthop is in a group 2025-10-02 13:48:31 +02:00
ipv6 net: remove sock_i_uid() 2025-09-09 19:02:26 +02:00
iucv
kcm net: kcm: Fix race condition in kcm_unattach() 2025-08-20 18:40:52 +02:00
key net: remove sock_i_uid() 2025-09-09 19:02:26 +02:00
l2tp l2tp: do not use sock_hold() in pppol2tp_session_get_sock() 2025-09-04 16:55:43 +02:00
l3mdev
lapb treewide, timers: Rename from_timer() to timer_container_of() 2025-06-08 09:07:37 +02:00
llc net: remove sock_i_uid() 2025-09-09 19:02:26 +02:00
mac80211 wifi: mac80211: fix incorrect type for ret 2025-09-25 11:16:42 +02:00
mac802154
mctp mctp: return -ENOPROTOOPT for unknown getsockopt options 2025-09-09 19:02:27 +02:00
mpls mpls: Use rcu_dereference_rtnl() in mpls_route_input_rcu(). 2025-06-17 18:21:59 -07:00
mptcp mptcp: pm: nl: announce deny-join-id0 flag 2025-09-25 11:16:53 +02:00
ncsi net: ncsi: Fix buffer overflow in fetching version id 2025-08-20 18:41:19 +02:00
netfilter netfilter: nft_set_pipapo: fix null deref for empty set 2025-09-19 16:37:39 +02:00
netlabel calipso: unlock rcu before returning -EAFNOSUPPORT 2025-06-05 08:03:38 -07:00
netlink genetlink: fix genl_bind() invoking bind() after -EPERM 2025-09-19 16:37:35 +02:00
netrom treewide, timers: Rename from_timer() to timer_container_of() 2025-06-08 09:07:37 +02:00
nfc NFC: nci: uart: Set tty->disc_data only in success path 2025-06-19 08:33:54 -07:00
nsh
openvswitch openvswitch: Allocate struct ovs_pcpu_storage dynamically 2025-06-17 14:47:46 +02:00
packet net: remove sock_i_uid() 2025-09-09 19:02:26 +02:00
phonet net: remove sock_i_uid() 2025-09-09 19:02:26 +02:00
psample
qrtr
rds rds: ib: Increment i_fastreg_wrs before bailing out 2025-09-25 11:16:50 +02:00
rfkill net: rfkill: gpio: Fix crash due to dereferencering uninitialized pointer 2025-09-25 11:16:50 +02:00
rose net: rose: fix a typo in rose_clear_routes() 2025-09-04 16:55:50 +02:00
rxrpc rxrpc: Fix untrusted unsigned subtract 2025-09-25 11:16:43 +02:00
sched net/sched: Remove unnecessary WARNING condition for empty child qdisc in htb_activate 2025-08-28 16:34:49 +02:00
sctp net: remove sock_i_uid() 2025-09-09 19:02:26 +02:00
shaper
smc net/smc: fix warning in smc_rx_splice() when calling get_page() 2025-10-02 13:48:30 +02:00
strparser strparser: Remove unused __strp_unpause 2025-05-05 16:48:12 -07:00
sunrpc Revert "SUNRPC: Don't allow waiting for exiting tasks" 2025-09-19 16:37:29 +02:00
switchdev
tipc net: remove sock_i_uid() 2025-09-09 19:02:26 +02:00
tls tls: make sure to abort the stream if headers are bogus 2025-09-25 11:16:45 +02:00
unix net: remove sock_i_uid() 2025-09-09 19:02:26 +02:00
vmw_vsock vsock/virtio: Validate length in packet header before skb_put() 2025-08-28 16:34:25 +02:00
wireless wifi: cfg80211: sme: cap SSID length in __cfg80211_connect_result() 2025-09-09 19:02:25 +02:00
x25 treewide, timers: Rename from_timer() to timer_container_of() 2025-06-08 09:07:37 +02:00
xdp xsk: Fix immature cq descriptor production 2025-09-19 16:37:29 +02:00
xfrm xfrm: fix offloading of cross-family tunnels 2025-10-02 13:48:29 +02:00
compat.c
devres.c
Kconfig net: Kconfig NET_DEVMEM selects GENERIC_ALLOCATOR 2025-05-27 17:31:42 -07:00
Kconfig.debug
Makefile
socket.c net: annotate races around sk->sk_uid 2025-08-15 16:38:40 +02:00
sysctl_net.c