git.ipfire.org Git - thirdparty/kernel/linux.git/commit
bpf: Fix NULL pointer dereference in bpf_skb_fib_lookup()
author: Weiming Shi <bestswngs@gmail.com>
Thu, 23 Apr 2026 18:38:32 +0000 (11:38 -0700)
committer: Martin KaFai Lau <martin.lau@kernel.org>
Fri, 24 Apr 2026 01:27:18 +0000 (18:27 -0700)
commit: 1081de1accb2b224516cca7071122c59532d0b22
tree: 7322af30b97d42787efadbe9423f7cb3f89f912c
parent: 6451d58a355642b612f2bf948ad39108c998ac2a

When tot_len is not provided by the user, bpf_skb_fib_lookup()
resolves the FIB result's output device via dev_get_by_index_rcu()
to check skb forwardability and fill in mtu_result. The returned
pointer is dereferenced without a NULL check. If the device is
concurrently unregistered, dev_get_by_index_rcu() returns NULL and
is_skb_forwardable() crashes at dev->flags:

 KASAN: null-ptr-deref in range
  [0x00000000000000b0-0x00000000000000b7]
 Call Trace:
  is_skb_forwardable (include/linux/netdevice.h:4365)
  bpf_skb_fib_lookup (net/core/filter.c:6446)
  bpf_prog_test_run_skb (net/bpf/test_run.c)
  __sys_bpf (kernel/bpf/syscall.c)

Add the missing NULL check, returning -ENODEV to be consistent
with how bpf_ipv4_fib_lookup() and bpf_ipv6_fib_lookup() handle
the same condition.

Fixes: 4f74fede40df ("bpf: Add mtu checking to FIB forwarding helper")
Reported-by: Xiang Mei <xmei5@asu.edu>
Signed-off-by: Weiming Shi <bestswngs@gmail.com>
Signed-off-by: Martin KaFai Lau <martin.lau@kernel.org>
Acked-by: Paul Chaignon <paul.chaignon@gmail.com>
Link: https://patch.msgid.link/20260423183831.1325480-2-bestswngs@gmail.com
net/core/filter.c
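
The following is an added example, not code from the kernel or from this commit: a userspace C model of the pattern the commit message describes, where a device lookup returns NULL after unregistration and the caller returns -ENODEV instead of reading dev->flags. Every `model_` name is hypothetical, and the struct layout is constructed so that `flags` lands at 0xb0, the start of the KASAN range in the report; it shows why a NULL dereference is reported at a small non-zero address.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed layout, NOT the real struct net_device: padding is chosen so
 * that flags sits at offset 0xb0, the start of the reported KASAN range. */
struct model_netdev {
    char pad[0xb0];
    unsigned int flags;
    unsigned int mtu;
};
#define MODEL_IFF_UP 0x1u
#define MODEL_NDEVS  4
static struct model_netdev *model_devs[MODEL_NDEVS]; /* slot index = ifindex */
static struct model_netdev model_eth = { .flags = MODEL_IFF_UP, .mtu = 1500 };

/* Hypothetical stand-in for dev_get_by_index_rcu(): NULL once the device is gone. */
static struct model_netdev *model_dev_get_by_index(int ifindex)
{
    if (ifindex < 0 || ifindex >= MODEL_NDEVS)
        return NULL;
    return model_devs[ifindex];
}

/* Address an unchecked dev->flags read touches when dev == NULL. */
static size_t model_fault_addr(void)
{
    return offsetof(struct model_netdev, flags);
}

/* Fixed pattern: test the lookup result before any dereference. */
static int model_fib_mtu_check(int oif, unsigned int len, unsigned int *mtu_result)
{
    struct model_netdev *dev = model_dev_get_by_index(oif);
    if (!dev)
        return -ENODEV; /* device was unregistered; nothing to dereference */
    *mtu_result = dev->mtu;
    return (dev->flags & MODEL_IFF_UP) && len <= dev->mtu ? 0 : 1; /* 1 = not forwardable */
}

int main(void)
{
    unsigned int mtu = 0;
    model_devs[2] = &model_eth;              /* device registered */
    printf("registered:   %d (mtu %u)\n", model_fib_mtu_check(2, 1000, &mtu), mtu);
    model_devs[2] = NULL;                    /* device unregistered */
    printf("unregistered: %d, unchecked read would hit 0x%zx\n",
           model_fib_mtu_check(2, 1000, &mtu), model_fault_addr());
    return 0;
}
```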