Commit 1081de1a authored by Weiming Shi, committed by Martin KaFai Lau

bpf: Fix NULL pointer dereference in bpf_skb_fib_lookup()



When tot_len is not provided by the user, bpf_skb_fib_lookup()
resolves the FIB result's output device via dev_get_by_index_rcu()
to check skb forwardability and fill in mtu_result. The returned
pointer is dereferenced without a NULL check. If the device is
concurrently unregistered, dev_get_by_index_rcu() returns NULL and
is_skb_forwardable() crashes at dev->flags:

 KASAN: null-ptr-deref in range
  [0x00000000000000b0-0x00000000000000b7]
 Call Trace:
  is_skb_forwardable (include/linux/netdevice.h:4365)
  bpf_skb_fib_lookup (net/core/filter.c:6446)
  bpf_prog_test_run_skb (net/bpf/test_run.c)
  __sys_bpf (kernel/bpf/syscall.c)

Add the missing NULL check, returning -ENODEV to be consistent
with how bpf_ipv4_fib_lookup() and bpf_ipv6_fib_lookup() handle
the same condition.

Fixes: 4f74fede ("bpf: Add mtu checking to FIB forwarding helper")
Reported-by: Xiang Mei <xmei5@asu.edu>
Signed-off-by: Weiming Shi <bestswngs@gmail.com>
Signed-off-by: Martin KaFai Lau <martin.lau@kernel.org>
Acked-by: Paul Chaignon <paul.chaignon@gmail.com>
Link: https://patch.msgid.link/20260423183831.1325480-2-bestswngs@gmail.com
parent 6451d58a
+2 −0
@@ -6473,6 +6473,8 @@ BPF_CALL_4(bpf_skb_fib_lookup, struct sk_buff *, skb,
		 * against MTU of FIB lookup resulting net_device
		 */
		dev = dev_get_by_index_rcu(net, params->ifindex);
		if (unlikely(!dev))
			return -ENODEV;
		if (!is_skb_forwardable(dev, skb))
			rc = BPF_FIB_LKUP_RET_FRAG_NEEDED;
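
Review bot: the new `if (unlikely(!dev))` check has no comment explaining why `dev` can be NULL here, and the only comment above it talks about the MTU check. A one-line note that the device behind `params->ifindex` can be unregistered between the FIB lookup and this `dev_get_by_index_rcu()` call would keep a later cleanup from dropping the check as dead code. Also worth confirming in review that the direct `return -ENODEV` is intended to bypass `rc`: the sibling outcome two lines down is reported through `rc = BPF_FIB_LKUP_RET_FRAG_NEEDED`, so this branch can now leave the helper with either a negative errno or a `BPF_FIB_LKUP_RET_*` code, and callers that only test `rc` against the `BPF_FIB_LKUP_RET_*` values need to treat negative returns as failure too.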