Re: [BUG] Potential Null Pointer Dereference in nexthop_create_group Function
From: Paolo Abeni
Date: Mon Feb 16 2026 - 05:17:38 EST
On 2/14/26 1:08 PM, 冯嘉仪 wrote:
> Dear Maintainer,
>
> Our team recently developed a null-pointer-dereference (NPD)
> vulnerability detection tool, and we used it to scan the Linux Kernel
> (version 6.9.6). After manual review, we identified a potentially
> vulnerable code snippet that could lead to a null-pointer dereference
> bug. We would appreciate your expert insight to confirm whether this
> vulnerability could indeed pose a risk to the system.
>
> Vulnerability Description:
> File: net/ipv4/nexthop.c
> In the function nexthop_create_group, we found the following line of code:
>
> if (!nexthop_get(nhe)) {
>
> The issue arises because the nhe pointer may be passed as NULL in
> certain situations. The statement passes the nhe pointer to nexthop_get
> without any check, but nexthop_get might contain a dereference operation
> on the nhe pointer, which could result in a null-pointer dereference.
Indeed even this one looks like a false positive: the id existence is
previously validated by nh_check_attr_group_rtnl().
The false positive rate in your reports strongly discourages any other
feedback; you should revisit your tool, do much better human review
and provide much more and better context information before any other post.
Thanks,
Paolo