Re: [BUG] Potential Null Pointer Dereference in nexthop_create_group Function

From: Eric Dumazet

Date: Sat Feb 14 2026 - 07:37:46 EST


On Sat, Feb 14, 2026 at 1:35 PM Eric Dumazet <edumazet@xxxxxxxxxx> wrote:
>
> On Sat, Feb 14, 2026 at 1:17 PM 冯嘉仪 <23210240148@xxxxxxxxxxxxxx> wrote:
> >
> > Dear Maintainer,
> >
> > Our team recently developed a null-pointer-dereference (NPD) vulnerability detection tool, and we used it to scan the Linux Kernel (version 6.9.6). After manual review, we identified a potentially vulnerable code snippet that could lead to a null-pointer dereference bug. We would appreciate your expert insight to confirm whether this vulnerability could indeed pose a risk to the system.
> >
> > Vulnerability Description:
> > File: net/ipv4/nexthop.c
> > In the function nexthop_create_group, we found the following line of code:
> >
> > if (!nexthop_get(nhe)) {
> >
> > The issue arises because the nhe pointer may be passed as NULL in certain situations. The statement passes the nhe pointer to nexthop_get without any check, but nexthop_get might contain a dereference operation on the nhe pointer, which could result in a null-pointer dereference.
> >
> > Proposed Fix:
> > To prevent the potential null-pointer dereference, we suggest adding a NULL check for the nhe pointer before attempting to pass the pointer to nexthop_get.
> >
> > Request for Review:
> > We would appreciate your expert insight to confirm whether this vulnerability indeed poses a risk to the system, and if the proposed fix is appropriate. If there are reasons why this issue does not present a real risk (e.g., the NULL check is redundant or unnecessary), we would be grateful for clarification.
> >
> > Thank you for your time and consideration.
>
> This seems legit, I am not sure why syzbot did not find it yet.
>

typo in @nhe. Should have been

diff --git a/net/ipv4/nexthop.c b/net/ipv4/nexthop.c
index 7b9d70f9b31c7ae6b2039cb321845b852bc81a33..36c58e4d5f0044e43498ea915ee2079864fab1e2
100644
--- a/net/ipv4/nexthop.c
+++ b/net/ipv4/nexthop.c
@@ -2742,7 +2742,7 @@ static struct nexthop
*nexthop_create_group(struct net *net,
struct nh_info *nhi;

nhe = nexthop_find_by_id(net, entry[i].id);
- if (!nexthop_get(nhe)) {
+ if (!nhe || !nexthop_get(nhe)) {
err = -ENOENT;
goto out_no_nh;
}
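Review bot: the order of the operands in the new condition is what makes this correct: `!nhe` is evaluated first, so `nexthop_get(nhe)` is never reached with a NULL pointer, and reusing the existing `err = -ENOENT; goto out_no_nh;` path keeps the lookup-miss error consistent with the rest of the function. The hunk arrives with no commit message; when it is sent as a formal patch it should carry a description of how `nexthop_find_by_id()` can return NULL for `entry[i].id` at this point, a Fixes: tag, and a Reported-by: line crediting the original report.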