@@ -203,6 +203,8 @@ static inline void nexthop_path_fib_result(struct fib_result *res, int hash)
struct nexthop *nh;
nh = nexthop_select_path(res->fi->nh, hash);
+ if (unlikely(!nh))
+ return;
nhi = rcu_dereference(nh->nh_info);
res->nhc = &nhi->fib_nhc;
}
@@ -290,7 +292,8 @@ static inline void nexthop_path_fib6_result(struct fib6_result *res, int hash)
struct nh_info *nhi;
nh = nexthop_select_path(nh, hash);
-
+ if (unlikely(!nh))
+ return;
nhi = rcu_dereference_rtnl(nh->nh_info);
if (nhi->reject_nh) {
res->fib6_type = RTN_BLACKHOLE;
nexthop_select_path() may return null if either .nh is null or the number of nexthops is 0 (rc == NULL). We need to check its return value before use to avoid deferencing a null ptr. Fixes: 4c7e8084fd46 ("ipv4: Plumb support for nexthop object in a fib_info") Fixes: f88d8ea67fbd ("ipv6: Plumb support for nexthop object in a fib6_info") Signed-off-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com> --- Could you please confirm that simply returning in the IPv6 case is ok? AFAICT it's fine, I've also tested it, but I'm a bit worried about ip6_pol_route_lookup -> ip6_create_rt_rcu and the second directly deferencing res->nh. I think rt6_device_match() should take care of that case, but I'd appreciate more eyes on that. :) include/net/nexthop.h | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-)