Netfilter-Devel Archive on
 help / color / Atom feed
From: Pablo Neira Ayuso <>
Subject: [PATCH 3/5] netfilter: nft_fib_netdev: Terminate rule eval if protocol=IPv6 and ipv6 module is disabled
Date: Wed,  4 Sep 2019 21:36:44 +0200
Message-ID: <> (raw)
In-Reply-To: <>

From: Leonardo Bras <>

If IPv6 is disabled on boot (ipv6.disable=1), but nft_fib_inet ends up
dealing with a IPv6 packet, it causes a kernel panic in
fib6_node_lookup_1(), crashing in bad_page_fault.

The panic is caused by trying to deference a very low address (0x38
in ppc64le), due to ipv6.fib6_main_tbl = NULL.
BUG: Kernel NULL pointer dereference at 0x00000038

The kernel panic was reproduced in a host that disabled IPv6 on boot and
have to process guest packets (coming from a bridge) using it's ip6tables.

Terminate rule evaluation when packet protocol is IPv6 but the ipv6 module
is not loaded.

Signed-off-by: Leonardo Bras <>
Acked-by: Florian Westphal <>
Signed-off-by: Pablo Neira Ayuso <>
 net/netfilter/nft_fib_netdev.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/net/netfilter/nft_fib_netdev.c b/net/netfilter/nft_fib_netdev.c
index 2cf3f32fe6d2..a2e726ae7f07 100644
--- a/net/netfilter/nft_fib_netdev.c
+++ b/net/netfilter/nft_fib_netdev.c
@@ -14,6 +14,7 @@
 #include <linux/netfilter/nf_tables.h>
 #include <net/netfilter/nf_tables_core.h>
 #include <net/netfilter/nf_tables.h>
+#include <net/ipv6.h>
 #include <net/netfilter/nft_fib.h>
@@ -34,6 +35,8 @@ static void nft_fib_netdev_eval(const struct nft_expr *expr,
 	case ETH_P_IPV6:
+		if (!ipv6_mod_enabled())
+			break;
 		switch (priv->result) {

  parent reply index

Thread overview: 7+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-09-04 19:36 [PATCH 0/5] Netfilter fixes for net Pablo Neira Ayuso
2019-09-04 19:36 ` [PATCH 1/5] netfilter: bridge: Drops IPv6 packets if IPv6 module is not loaded Pablo Neira Ayuso
2019-09-04 19:36 ` [PATCH 2/5] netfilter: nft_socket: fix erroneous socket assignment Pablo Neira Ayuso
2019-09-04 19:36 ` Pablo Neira Ayuso [this message]
2019-09-04 19:36 ` [PATCH 4/5] netfilter: ctnetlink: honor IPS_OFFLOAD flag Pablo Neira Ayuso
2019-09-04 19:36 ` [PATCH 5/5] netfilter: nf_flow_table: set default timeout after successful insertion Pablo Neira Ayuso
2019-09-04 22:04 ` [PATCH 0/5] Netfilter fixes for net David Miller

Reply instructions:

You may reply publically to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \ \ \ \ \ \

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Netfilter-Devel Archive on

Archives are clonable:
	git clone --mirror netfilter-devel/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 netfilter-devel netfilter-devel/ \
	public-inbox-index netfilter-devel

Example config snippet for mirrors

Newsgroup available over NNTP:

AGPL code for this site: git clone