MIRRORS/linux-yocto
1
0
Fork 0
mirror of git://git.yoctoproject.org/linux-yocto.git synced 2025-10-22 15:03:53 +02:00
Code Issues Actions Packages Projects Releases Wiki Activity
e617101e56
linux-yocto/net
History
Ido Schimmel 24046d31f6 nexthop: Forbid FDB status change while nexthop is in a group 
[ Upstream commit 390b3a300d7872cef9588f003b204398be69ce08 ]

The kernel forbids the creation of non-FDB nexthop groups with FDB
nexthops:

 # ip nexthop add id 1 via 192.0.2.1 fdb
 # ip nexthop add id 2 group 1
 Error: Non FDB nexthop group cannot have fdb nexthops.

And vice versa:

 # ip nexthop add id 3 via 192.0.2.2 dev dummy1
 # ip nexthop add id 4 group 3 fdb
 Error: FDB nexthop group can only have fdb nexthops.

However, as long as no routes are pointing to a non-FDB nexthop group,
the kernel allows changing the type of a nexthop from FDB to non-FDB and
vice versa:

 # ip nexthop add id 5 via 192.0.2.2 dev dummy1
 # ip nexthop add id 6 group 5
 # ip nexthop replace id 5 via 192.0.2.2 fdb
 # echo $?
 0

This configuration is invalid and can result in a NPD [1] since FDB
nexthops are not associated with a nexthop device:

 # ip route add 198.51.100.1/32 nhid 6
 # ping 198.51.100.1

Fix by preventing nexthop FDB status change while the nexthop is in a
group:

 # ip nexthop add id 7 via 192.0.2.2 dev dummy1
 # ip nexthop add id 8 group 7
 # ip nexthop replace id 7 via 192.0.2.2 fdb
 Error: Cannot change nexthop FDB status while in a group.

[1]
BUG: kernel NULL pointer dereference, address: 00000000000003c0
[...]
Oops: Oops: 0000 [#1] SMP
CPU: 6 UID: 0 PID: 367 Comm: ping Not tainted 6.17.0-rc6-virtme-gb65678cacc03 #1 PREEMPT(voluntary)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-4.fc41 04/01/2014
RIP: 0010:fib_lookup_good_nhc+0x1e/0x80
[...]
Call Trace:
 <TASK>
 fib_table_lookup+0x541/0x650
 ip_route_output_key_hash_rcu+0x2ea/0x970
 ip_route_output_key_hash+0x55/0x80
 __ip4_datagram_connect+0x250/0x330
 udp_connect+0x2b/0x60
 __sys_connect+0x9c/0xd0
 __x64_sys_connect+0x18/0x20
 do_syscall_64+0xa4/0x2a0
 entry_SYSCALL_64_after_hwframe+0x4b/0x53

Fixes: 38428d6871 ("nexthop: support for fdb ecmp nexthops")
Reported-by: syzbot+6596516dd2b635ba2350@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/netdev/68c9a4d2.050a0220.3c6139.0e63.GAE@google.com/
Tested-by: syzbot+6596516dd2b635ba2350@syzkaller.appspotmail.com
Signed-off-by: Ido Schimmel <idosch@nvidia.com>
Reviewed-by: David Ahern <dsahern@kernel.org>
Link: https://patch.msgid.link/20250921150824.149157-2-idosch@nvidia.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2025-10-02 13:42:51 +02:00
..
6lowpan
9p 9p/net: fix improper handling of bogus negative read/write replies 2025-05-02 07:50:56 +02:00
802 net: 802: LLC+SNAP OID:PID lookup on start of skb data 2025-01-17 13:36:11 +01:00
8021q net: vlan: fix VLAN 0 refcount imbalance of toggling filtering during runtime 2025-07-24 08:53:19 +02:00
appletalk net: appletalk: Fix use-after-free in AARP proxy probe 2025-08-01 09:47:29 +01:00
atm net: atm: fix memory leak in atm_register_sysfs when device_register fail 2025-09-09 18:56:25 +02:00
ax25 ax25: properly unshare skbs in ax25_kiss_rcv() 2025-09-09 18:56:25 +02:00
batman-adv batman-adv: fix OOB read/write in network-coding decode 2025-09-09 18:56:27 +02:00
bluetooth Bluetooth: hci_event: Fix UAF in hci_acl_create_conn_sync 2025-10-02 13:42:51 +02:00
bpf bpf, test_run: Fix use-after-free issue in eth_skb_pkt_type() 2025-02-27 04:10:50 -08:00
bpfilter
bridge net: bridge: Bounce invalid boolopts 2025-09-19 16:32:06 +02:00
caif caif: reduce stack size, again 2025-08-15 12:08:45 +02:00
can can: j1939: j1939_local_ecu_get(): undo increment when j1939_local_ecu_get() fails 2025-09-19 16:32:06 +02:00
ceph libceph: fix invalid accesses to ceph_connection_v1_info 2025-09-19 16:32:04 +02:00
core net: allow alloc_skb_with_frags() to use MAX_SKB_FRAGS 2025-10-02 13:42:51 +02:00
dcb net: dcb: choose correct policy to parse DCB_ATTR_BCN 2023-08-01 21:07:46 -07:00
dccp net: fix data-races around sk->sk_forward_alloc 2025-01-23 17:21:19 +01:00
devlink devlink: fix port new reply cmd type 2024-03-26 18:20:11 -04:00
dns_resolver keys, dns: Fix size check of V1 server-list header 2024-01-25 15:35:41 -08:00
dsa net: dsa: microchip: linearize skb for tail-tagging switches 2025-09-09 18:56:31 +02:00
ethernet ethernet: Add helper for assigning packet type when dest address does not match device address 2024-05-02 16:32:46 +02:00
ethtool net: ethtool: Don't call .cleanup_data when prepare_data fails 2025-04-25 10:45:07 +02:00
handshake net/handshake: Fix handshake_req_destroy_test1 2024-02-23 09:24:50 +01:00
hsr hsr: use hsr_for_each_port_rtnl in hsr_port_get_hsr 2025-09-19 16:32:06 +02:00
ieee802154 net: Rename mono_delivery_time to tstamp_type for scalabilty 2025-05-09 09:43:57 +02:00
ife net: sched: ife: fix potential use-after-free 2024-01-01 12:42:30 +00:00
ipv4 nexthop: Forbid FDB status change while nexthop is in a group 2025-10-02 13:42:51 +02:00
ipv6 minmax: add a few more MIN_T/MAX_T users 2025-09-25 11:00:10 +02:00
iucv s390/iucv: MSG_PEEK causes memory leak in iucv_sock_destruct() 2024-12-09 10:32:33 +01:00
kcm kcm: Serialise kcm_sendmsg() for the same socket. 2024-08-29 17:33:46 +02:00
key Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2023-08-18 12:44:56 -07:00
l2tp ipv6: introduce dst_rt6_info() helper 2024-12-14 19:59:35 +01:00
l3mdev
lapb
llc llc: fix data loss when reading from a socket in llc_ui_recvmsg() 2025-06-04 14:42:20 +02:00
mac80211 wifi: mac80211: fix incorrect type for ret 2025-09-25 11:00:05 +02:00
mac802154 mac802154: check local interfaces before deleting sdata list 2025-01-23 17:21:13 +01:00
mctp mctp: return -ENOPROTOOPT for unknown getsockopt options 2025-09-09 18:56:24 +02:00
mpls mpls: Use rcu_dereference_rtnl() in mpls_route_input_rcu(). 2025-06-27 11:09:02 +01:00
mptcp mptcp: propagate shutdown to subflows when possible 2025-09-25 11:00:10 +02:00
ncsi net: ncsi: Fix buffer overflow in fetching version id 2025-08-28 16:28:24 +02:00
netfilter netfilter: conntrack: helper: Replace -EEXIST by -EBUSY 2025-09-09 18:56:21 +02:00
netlabel calipso: unlock rcu before returning -EAFNOSUPPORT 2025-06-19 15:28:46 +02:00
netlink netlink: add variable-length / auto integers 2025-09-09 18:56:22 +02:00
netrom netrom: check buffer length before accessing it 2025-01-09 13:32:00 +01:00
nfc NFC: nci: uart: Set tty->disc_data only in success path 2025-06-27 11:08:48 +01:00
nsh nsh: Restore skb->{protocol,data,mac_header} for outer header in nsh_gso_segment(). 2024-05-17 12:02:02 +02:00
openvswitch net: openvswitch: Fix the dead loop of MPLS parse 2025-06-19 15:28:19 +02:00
packet net/packet: fix a race in packet_set_ring() and packet_notifier() 2025-08-15 12:09:05 +02:00
phonet phonet/pep: Move call to pn_skb_get_dst_sockaddr() earlier in pep_sock_accept() 2025-07-24 08:53:12 +02:00
psample psample: Require 'CAP_NET_ADMIN' when joining "packets" group 2023-12-13 18:45:10 +01:00
qrtr net: qrtr: Update packets cloning when broadcasting 2024-10-04 16:29:41 +02:00
rds rds: ib: Increment i_fastreg_wrs before bailing out 2025-09-25 11:00:08 +02:00
rfkill net: rfkill: gpio: Fix crash due to dereferencering uninitialized pointer 2025-09-25 11:00:08 +02:00
rose net: rose: fix a typo in rose_clear_routes() 2025-09-04 15:30:28 +02:00
rxrpc rxrpc: Fix transmission of an abort in response to an abort 2025-07-24 08:53:20 +02:00
sched net/sched: Remove unnecessary WARNING condition for empty child qdisc in htb_activate 2025-08-28 16:28:49 +02:00
sctp sctp: initialize more fields in sctp_v6_from_sk() 2025-09-04 15:30:26 +02:00
smc net/smc: Remove validation of reserved bits in CLC Decline message 2025-09-09 18:56:24 +02:00
strparser strparser: Add read_sock callback 2025-02-27 04:10:50 -08:00
sunrpc Revert "SUNRPC: Don't allow waiting for exiting tasks" 2025-09-19 16:32:03 +02:00
switchdev net: switchdev: Convert blocking notification chain to a raw one 2025-03-22 12:50:39 -07:00
tipc tipc: Fix use-after-free in tipc_conn_close(). 2025-07-17 18:35:09 +02:00
tls tls: make sure to abort the stream if headers are bogus 2025-09-25 11:00:06 +02:00
unix af_unix: Don't set -ECONNRESET for consumed OOB skb. 2025-07-06 11:00:12 +02:00
vmw_vsock vsock/virtio: Validate length in packet header before skb_put() 2025-08-28 16:28:36 +02:00
wireless wifi: cfg80211: sme: cap SSID length in __cfg80211_connect_result() 2025-09-09 18:56:24 +02:00
x25 net/x25: fix incorrect parameter validation in the x25_getsockopt() function 2024-03-26 18:19:41 -04:00
xdp xsk: fix an integer overflow in xp_create_and_assign_umem() 2025-03-28 21:59:55 +01:00
xfrm xfrm: xfrm_alloc_spi shouldn't use 0 as SPI 2025-10-02 13:42:50 +02:00
compat.c net/compat: Update msg_control_is_user when setting a kernel pointer 2023-04-14 11:09:27 +01:00
devres.c net: devres: Correct a grammatical error 2021-06-11 12:55:28 -07:00
Kconfig
Kconfig.debug
Makefile af_unix: Remove CONFIG_UNIX_SCM. 2025-06-04 14:42:22 +02:00
socket.c net: explicitly clear the sk pointer, when pf->create fails 2024-10-17 15:24:35 +02:00
sysctl_net.c sysctl: treewide: drop unused argument ctl_table_root::set_ownership(table) 2024-08-11 12:47:13 +02:00