Re: [PATCH] netfilter: nfnetlink_osf: fix null-ptr-deref in nf_osf_ttl

From: Pablo Neira Ayuso

Date: Tue Apr 14 2026 - 04:58:28 EST


On Tue, Apr 14, 2026 at 04:37:02PM +0800, Kito Xu (veritas501) wrote:
> From: Kito Xu <hxzene@xxxxxxxxx>
>
> Hi Pablo,
>
> On Tue, Apr 14, 2026 at 10:22:06AM +0200, Pablo Neira Ayuso wrote:
> > How could skb->dev be NULL !?
>
> skb->dev is NOT NULL. The NULL value is `in_dev` returned by
> __in_dev_get_rcu(skb->dev), because dev->ip_ptr is NULL after
> inetdev_destroy().

A more detailed report helps.

> > This is run from prerouting, input and forward.
>
> Correct. The crash path is in PREROUTING on lo.
>
> > I cannot believe this, I think AI is mocking KASAN splat, if that is
> > the case, I am sorry to say, but it is too bad if you are doing this.
>
> This is a real bug with a reproducible PoC. I understand the KASAN
> output in my original patch email looked suspicious because it was
> interleaved with the PoC's stderr output (the PoC prints debug lines
> while the kernel oops scrolls by simultaneously). That was a formatting
> mistake on my part.

No need for a PoC, just a bit more detail is enough.

Thanks for explaining.