Re: [PATCH net v1] net: nexthop: fix panic when IPv4 route references IPv6 nexthop

Next message: Miguel Ojeda: "Re: [PATCH 6.6 000/283] 6.6.128-rc1 review"
Previous message: David Heidelberg: "Re: [PATCH 00/10] Input: support for STM FTS5"
In reply to: David Ahern: "Re: [PATCH net v1] net: nexthop: fix panic when IPv4 route references IPv6 nexthop"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: David Ahern

Date: Sun Mar 01 2026 - 13:11:24 EST

On 2/28/26 6:57 PM, Jiayuan Chen wrote:
> The crash actually only happens with loopback nexthops, e.g.:
>
> ip nexthop add id 100 via fe80::1 dev lo
>
> In fib6_nh_init(), nexthop objects always have fc_dst=:: (no
> destination prefix), so fib6_is_reject() returns true for any
> nexthop using loopback device. This causes it to skip
> fib_nh_common_init(), leaving nhc_pcpu_rth_output, nhc_exceptions
> and nhc_rth_input all NULL. When an IPv4 route later references
> this nexthop, __mkroute_output() hits raw_cpu_ptr(NULL) and crashes.
>
> The simplest fix is just allocating nhc_pcpu_rth_output in the
> reject path of fib6_nh_init(). The release path already handles
> it correctly.

should have read this before that last response. fib_nh_common_init
exists to avoid putting ipv4 logic in ipv6 code, so your proposed patch
is wrong.

Perhaps the better change is to not use fib6_is_reject in fib6_nh_init
or relax the loopback check or move the jump label pcpu_alloc to still
call fib_nh_common_init.

Also, a test should be added to the nexthops test for this case.