Date: Tue, 27 Aug 2019 12:35:41 +0200
From: Pablo Neira Ayuso
To: Leonardo Bras
Cc: netfilter-devel@vger.kernel.org, coreteam@netfilter.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, Jozsef Kadlecsik, Florian Westphal, "David S. Miller", Alexey Kuznetsov, Hideaki YOSHIFUJI
Subject: Re: [PATCH v2 1/1] netfilter: nf_tables: fib: Drop IPV6 packages if IPv6 is disabled on boot
Message-ID: <20190827103541.vzwqwg4jlbuzajxu@salvia>
References: <20190821141505.2394-1-leonardo@linux.ibm.com>
In-Reply-To: <20190821141505.2394-1-leonardo@linux.ibm.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, Aug 21, 2019 at 11:15:06AM -0300, Leonardo Bras wrote:
> If IPv6 is disabled on boot (ipv6.disable=1), but nft_fib_inet ends up
> dealing with an IPv6 package, it causes a kernel panic in
> fib6_node_lookup_1(), crashing in bad_page_fault.

Q: How do you get to see IPv6 packets if IPv6 module is disabled?

> The panic is caused by trying to dereference a very low address (0x38
> in ppc64le), due to ipv6.fib6_main_tbl = NULL.
> BUG: Kernel NULL pointer dereference at 0x00000038
>
> Fix this behavior by dropping IPv6 packages if !ipv6_mod_enabled().

I'd suggest: s/package/packet/

[...]
> diff --git a/net/ipv6/netfilter/nft_fib_ipv6.c b/net/ipv6/netfilter/nft_fib_ipv6.c > index 7ece86afd079..75acc417e2ff 100644 > --- a/net/ipv6/netfilter/nft_fib_ipv6.c > +++ b/net/ipv6/netfilter/nft_fib_ipv6.c 
> @@ -125,6 +125,11 @@ void nft_fib6_eval_type(const struct nft_expr *expr, struct nft_regs *regs, > u32 *dest = ®s->data[priv->dreg]; > struct ipv6hdr *iph, _iph; > > + if (!ipv6_mod_enabled()) { > + regs->verdict.code = NF_DROP;

NFT_BREAK instead to stop evaluating this rule, this results in a mismatch, so you let the user decide what to do with packets that do not match your policy.

The drop case at the bottom of the fib eval function never actually happens.
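
Review bot: The added if (!ipv6_mod_enabled()) block at the top of nft_fib6_eval_type() hard-codes NF_DROP, so the expression itself enforces policy and the ruleset author has no say; setting the verdict to NFT_BREAK there would turn the rule into a mismatch and leave the decision to the following rules or the chain policy. The block also carries no comment explaining why the guard is needed (the commit message gives the reason: ipv6.fib6_main_tbl is NULL with ipv6.disable=1), and since the commit message places the crash in fib6_node_lookup_1(), it is worth confirming that every eval path in this file that reaches the lookup has the same guard, not only this function.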
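
Added example, not part of the original thread or of the kernel source: a simplified user-space model of a chain walk showing why the reply prefers NFT_BREAK over NF_DROP in the guard. The verdict values are the ones in the kernel's uapi headers; run_chain(), verdict_with(), the fib_expr_* functions and the ipv6_enabled flag are hypothetical stand-ins.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Verdict codes, same values as the kernel's uapi netfilter headers. */
enum { NFT_BREAK = -2, NFT_CONTINUE = -1, NF_DROP = 0, NF_ACCEPT = 1 };

struct regs { int verdict; };
typedef void (*expr_fn)(struct regs *);
/* One rule: a match expression plus the verdict the user attached to it. */
struct rule { expr_fn match; int on_match; };

/* Hypothetical stand-in for ipv6_mod_enabled(); false models ipv6.disable=1. */
static bool ipv6_enabled;

/* Guard as posted in the patch: the expression itself drops the packet. */
static void fib_expr_drop(struct regs *r)
{
    if (!ipv6_enabled)
        r->verdict = NF_DROP;
}

/* Guard as suggested in the reply: the rule simply does not match. */
static void fib_expr_break(struct regs *r)
{
    if (!ipv6_enabled)
        r->verdict = NFT_BREAK;
}

/* Simplified chain walk (assumption: one expression per rule). */
static int run_chain(const struct rule *rules, size_t n, int policy)
{
    for (size_t i = 0; i < n; i++) {
        struct regs r = { .verdict = NFT_CONTINUE };
        rules[i].match(&r);
        if (r.verdict == NFT_CONTINUE)
            return rules[i].on_match;   /* matched: user's verdict applies */
        if (r.verdict != NFT_BREAK)
            return r.verdict;           /* expression forced a verdict */
        /* NFT_BREAK: mismatch, go on to the next rule */
    }
    return policy;                      /* nothing matched: chain policy */
}

/* Constructed ruleset: a single "fib ... drop" rule under the given policy. */
static int verdict_with(expr_fn guard, bool v6_on, int policy)
{
    struct rule rules[] = { { guard, NF_DROP } };
    ipv6_enabled = v6_on;
    return run_chain(rules, 1, policy);
}

int main(void)
{
    printf("NF_DROP guard:   %d\n", verdict_with(fib_expr_drop, false, NF_ACCEPT));
    printf("NFT_BREAK guard: %d\n", verdict_with(fib_expr_break, false, NF_ACCEPT));
    return 0;
}
```

With the NF_DROP guard the packet is dropped even under an accept policy; with NFT_BREAK the outcome follows whatever policy the ruleset author chose.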