archives/linux
1
0
Fork 0
mirror of https://github.com/torvalds/linux.git synced 2026-03-08 03:44:45 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions
linux/net/bridge
History
Fernando Fernandez Mancera e5e8906305 net: bridge: fix nd_tbl NULL dereference when IPv6 is disabled 
When booting with the 'ipv6.disable=1' parameter, the nd_tbl is never
initialized because inet6_init() exits before ndisc_init() is called
which initializes it. Then, if neigh_suppress is enabled and an ICMPv6
Neighbor Discovery packet reaches the bridge, br_do_suppress_nd() will
dereference ipv6_stub->nd_tbl which is NULL, passing it to
neigh_lookup(). This causes a kernel NULL pointer dereference.

 BUG: kernel NULL pointer dereference, address: 0000000000000268
 Oops: 0000 [#1] PREEMPT SMP NOPTI
 [...]
 RIP: 0010:neigh_lookup+0x16/0xe0
 [...]
 Call Trace:
  <IRQ>
  ? neigh_lookup+0x16/0xe0
  br_do_suppress_nd+0x160/0x290 [bridge]
  br_handle_frame_finish+0x500/0x620 [bridge]
  br_handle_frame+0x353/0x440 [bridge]
  __netif_receive_skb_core.constprop.0+0x298/0x1110
  __netif_receive_skb_one_core+0x3d/0xa0
  process_backlog+0xa0/0x140
  __napi_poll+0x2c/0x170
  net_rx_action+0x2c4/0x3a0
  handle_softirqs+0xd0/0x270
  do_softirq+0x3f/0x60

Fix this by replacing IS_ENABLED(IPV6) call with ipv6_mod_enabled() in
the callers. This is in essence disabling NS/NA suppression when IPv6 is
disabled.

Fixes: ed842faeb2 ("bridge: suppress nd pkts on BR_NEIGH_SUPPRESS ports")
Reported-by: Guruprasad C P <gurucp2005@gmail.com>
Closes: https://lore.kernel.org/netdev/CAHXs0ORzd62QOG-Fttqa2Cx_A_VFp=utE2H2VTX5nqfgs7LDxQ@mail.gmail.com/
Signed-off-by: Fernando Fernandez Mancera <fmancera@suse.de>
Reviewed-by: Ido Schimmel <idosch@nvidia.com>
Acked-by: Nikolay Aleksandrov <razor@blackwall.org>
Link: https://patch.msgid.link/20260304120357.9778-1-fmancera@suse.de
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-03-05 07:52:56 -08:00
..
netfilter Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
br.c net: bridge: Install FDB for bridge MAC on VLAN 0 2025-09-23 17:10:49 -07:00
br_arp_nd_proxy.c net: bridge: Prevent unicast ARP/NS packets from being suppressed by bridge 2025-04-09 19:13:43 -07:00
br_cfm.c Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
br_cfm_netlink.c bridge: cfm: fix enum typo in br_cc_ccm_tx_parse 2023-12-26 22:38:13 +00:00
br_device.c net: bridge: fix nd_tbl NULL dereference when IPv6 is disabled 2026-03-05 07:52:56 -08:00
br_fdb.c net: bridge: annotate data-races around fdb->{updated,used} 2026-01-09 17:36:21 -08:00
br_forward.c net: bridge: fix use-after-free due to MST port state bypass 2025-11-06 07:32:17 -08:00
br_if.c Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
br_input.c net: bridge: fix nd_tbl NULL dereference when IPv6 is disabled 2026-03-05 07:52:56 -08:00
br_ioctl.c Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
br_mdb.c Convert remaining multi-line kmalloc_obj/flex GFP_KERNEL uses 2026-02-22 08:26:33 -08:00
br_mrp.c Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
br_mrp_netlink.c bridge: mrp: Use hlist_head instead of list_head for mrp 2020-11-09 16:42:12 -08:00
br_mrp_switchdev.c bridge: mrp: Extend br_mrp_switchdev to detect better the errors 2021-02-16 14:47:46 -08:00
br_mst.c net: bridge: fix MST static key usage 2025-11-06 07:32:17 -08:00
br_multicast.c treewide: Replace kmalloc with kmalloc_obj for non-scalar types 2026-02-21 01:02:28 -08:00
br_multicast_eht.c treewide: Replace kmalloc with kmalloc_obj for non-scalar types 2026-02-21 01:02:28 -08:00
br_netfilter_hooks.c netfilter: br_netfilter: do not check confirmed bit in br_nf_local_in() after confirm 2025-08-27 11:53:37 +02:00
br_netfilter_ipv6.c net/ipv6: Introduce payload_len helpers 2026-02-06 20:50:03 -08:00
br_netlink.c net: bridge: correct debug message function name in br_fill_ifinfo 2025-10-14 12:13:36 -07:00
br_netlink_tunnel.c net: bridge: fix an inconsistent indentation 2024-06-05 10:04:47 +01:00
br_nf_core.c bridge: netfilter: Fix forwarding of fragmented packets 2025-05-16 16:02:06 -07:00
br_private.h bridge: Check relevant per-VLAN options in VLAN range grouping 2026-02-26 19:24:29 -08:00
br_private_cfm.h bridge: cfm: Kernel space implementation of CFM. CCM frame RX added. 2020-10-29 18:39:43 -07:00
br_private_mcast_eht.h net: bridge: multicast: use multicast contexts instead of bridge or port 2021-07-20 05:41:19 -07:00
br_private_mrp.h net: bridge: mrp: Update the Test frames for MRA 2021-06-28 15:46:10 -07:00
br_private_stp.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
br_private_tunnel.h bridge: always declare tunnel functions 2023-05-17 21:28:58 -07:00
br_stp.c treewide: Switch/rename to timer_delete[_sync]() 2025-04-05 10:30:12 +02:00
br_stp_bpdu.c move asm/unaligned.h to linux/unaligned.h 2024-10-02 17:23:23 -04:00
br_stp_if.c net: bridge: use sysfs_emit instead of sprintf 2026-02-03 19:19:42 -08:00
br_stp_timer.c treewide, timers: Rename from_timer() to timer_container_of() 2025-06-08 09:07:37 +02:00
br_switchdev.c treewide: Replace kmalloc with kmalloc_obj for non-scalar types 2026-02-21 01:02:28 -08:00
br_sysfs_br.c mm.git review status for linus..mm-nonmm-stable 2026-02-12 12:13:01 -08:00
br_sysfs_if.c net: bridge: use sysfs_emit instead of sprintf 2026-02-03 19:19:42 -08:00
br_vlan.c Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
br_vlan_options.c bridge: Check relevant per-VLAN options in VLAN range grouping 2026-02-26 19:24:29 -08:00
br_vlan_tunnel.c bridge: fix C-VLAN preservation in 802.1ad vlan_tunnel egress 2026-01-04 09:45:35 -08:00
Kconfig bridge: cfm: Add BRIDGE_CFM to Kconfig. 2020-10-29 18:39:43 -07:00
Makefile net: bridge: mst: Multiple Spanning Tree (MST) mode 2022-03-17 16:49:57 -07:00