Merge branch 'fix-the-null-pointer-dereference-issue-in-bpf_lwt_xmit_push_encap'

Feng Yang says: ==================== Fix the null pointer dereference issue in bpf_lwt_xmit_push_encap Changes in v10: - Patch simplification. Thanks, Martin KaFai Lau. - Link to v9: https://lore.kernel.org/all/20260303074423.172680-1-yangfeng59949@163.com/ Changes in v9: - Use dst_hold() and skb_dst_set(). Skip !skb_dst check. Move all changes into the IS_ENABLED(CONFIG_IPV6). Use #if IS_ENABLED(CONFIG_IPV6); otherwise, a compilation error will occur when ipv6 is not enabled. Thanks, Martin KaFai Lau. - Link to v8: https://lore.kernel.org/all/20260227082133.96951-1-yangfeng59949@163.com/ Changes in v8: - set ret to an error code before goto out. - Link to v7: https://lore.kernel.org/all/20260226095156.117996-1-yangfeng59949@163.com/ Changes in v7: - Use ip6_null_entry to avoid. Thanks, Martin KaFai Lau. Changes in v6: - Modify the bpf_lwt_xmit_push_encap function and add selftests for it. Thanks, Martin KaFai Lau. - Link to v5: https://lore.kernel.org/all/20260210090657.86977-1-yangfeng59949@163.com/ Changes in v5: - Refer to the bpf_lwt_xmit_reroute function to configure the dst parameter. - Link to v4: https://lore.kernel.org/all/20260209015111.28144-1-yangfeng59949@163.com/ Changes in v4: - add rcu lock - Link to v3: https://lore.kernel.org/all/20260206055113.63476-1-yangfeng59949@163.com/ Changes in v3: - use dst_init - Link to v2: https://lore.kernel.org/all/20260205092227.126665-1-yangfeng59949@163.com/ Changes in v2: - Link to v1: https://lore.kernel.org/all/20260127084520.13890-1-luyun_611@163.com/ ==================== Link: https://patch.msgid.link/20260304094429.168521-1-yangfeng59949@163.com Signed-off-by: Martin KaFai Lau <martin.lau@kernel.org>
2026-06-04 12:35:52 +02:00 · 2026-03-04 12:46:47 -08:00 · 2026-03-04 12:46:47 -08:00 · 4faa189380
commit 4faa189380
parent 05c9b2eda8 e8ae16d65a
3 changed files with 46 additions and 0 deletions
--- a/net/bpf/test_run.c
+++ b/net/bpf/test_run.c
@ -1156,6 +1156,21 @@ int bpf_prog_test_run_skb(struct bpf_prog *prog, const union bpf_attr *kattr,
 		skb->ip_summed = CHECKSUM_COMPLETE;
 	}

+	if (prog->type == BPF_PROG_TYPE_LWT_XMIT) {
+		if (!ipv6_bpf_stub) {
+			pr_warn_once("Please test this program with the IPv6 module loaded\n");
+			ret = -EOPNOTSUPP;
+			goto out;
+		}
+#if IS_ENABLED(CONFIG_IPV6)
+		/* For CONFIG_IPV6=n, ipv6_bpf_stub is NULL which is
+		 * handled by the above if statement.
+		 */
+		dst_hold(&net->ipv6.ip6_null_entry->dst);
+		skb_dst_set(skb, &net->ipv6.ip6_null_entry->dst);
+#endif
+	}
+
 	ret = bpf_test_run(prog, skb, repeat, &retval, &duration, false);
 	if (ret)
 		goto out;
--- a/tools/testing/selftests/bpf/prog_tests/lwt_misc.c
+++ b/tools/testing/selftests/bpf/prog_tests/lwt_misc.c
@ -0,0 +1,9 @@
+// SPDX-License-Identifier: GPL-2.0
+
+#include <test_progs.h>
+#include "lwt_misc.skel.h"
+
+void test_lwt_misc(void)
+{
+	RUN_TESTS(lwt_misc);
+}
--- a/tools/testing/selftests/bpf/progs/lwt_misc.c
+++ b/tools/testing/selftests/bpf/progs/lwt_misc.c
@ -0,0 +1,22 @@
+// SPDX-License-Identifier: GPL-2.0
+
+#include "vmlinux.h"
+#include <bpf/bpf_helpers.h>
+#include "bpf_misc.h"
+
+SEC("lwt_xmit")
+__success __retval(0)
+int test_missing_dst(struct __sk_buff *skb)
+{
+	struct iphdr iph;
+
+	__builtin_memset(&iph, 0, sizeof(struct iphdr));
+	iph.ihl = 5;
+	iph.version = 4;
+
+	bpf_lwt_push_encap(skb, BPF_LWT_ENCAP_IP, &iph, sizeof(struct iphdr));
+
+	return 0;
+}
+
+char _license[] SEC("license") = "GPL";