APPLIED: [SRU][P/Q][PATCH v2 0/4] Creating a VXLAN interface with a Fan mapping causes a NULL pointer dereference

Stefan Bader stefan.bader at canonical.com
Fri Jul 4 12:54:25 UTC 2025 

On 20.06.25 22:00, Jacob Martin wrote:
> BugLink: https://bugs.launchpad.net/bugs/2113992
> 
> SRU Justification:
> 
> [Impact]
> 
> Creating a VXLAN link with a Fan map reliably results in a kernel NULL pointer dereference.
> 
> [ 1035.676861] BUG: kernel NULL pointer dereference, address: 0000000000000000
> [ 1035.678459] #PF: supervisor read access in kernel mode
> [ 1035.679321] #PF: error_code(0x0000) - not-present page
> [ 1035.680092] PGD 0 P4D 0
> [ 1035.680509] Oops: Oops: 0000 [#1] PREEMPT SMP PTI
> [ 1035.681179] CPU: 1 UID: 0 PID: 8470 Comm: ip Not tainted 6.14.0-15-generic #15-Ubuntu
> [ 1035.682291] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009)/LXD, BIOS unknown 2/2/2022
> ...
> 
> This affects 6.14 and newer.
> 
> [Fix]
> 
> Author: Jacob Martin <jacob.martin at canonical.com>
> Date:   Fri Jun 13 10:33:42 2025 -0500
> 
>      UBUNTU: SAUCE: fan: vxlan: parse fan-map from IFLA_VXLAN_FAN_MAP attribute ID
>      
>      BugLink: https://bugs.launchpad.net/bugs/2113992
>      
>      Before 6c11379b104e ("vxlan: Add an attribute to make VXLAN header
>      validation configurable"), IFLA_IPTUN_FAN_MAP and IFLA_VXLAN_FAN_MAP
>      shared the same integer value, allowing them to be used interchangeably
>      without issue, even though they represented attributes for different
>      link types. The introduction of IFLA_VXLAN_RESERVED_BITS led to
>      IFLA_VXLAN_FAN_MAP's integer value being incremented by 1 (33 to 34).
>      Thus the presence of attribute IFLA_VXLAN_FAN_MAP is checked but parsing
>      of the fan-map is attempted by accessing IFLA_IPTUN_FAN_MAP, causing a
>      NULL pointer dereference when creating a VXLAN device with a Fan
>      mapping.
>      
>      This is resolved by adjusting the vxlan_parse_fan_map() function to
>      access the correct IFLA_VXLAN_FAN_MAP attribute instead of
>      IFLA_IPTUN_FAN_MAP.
>      
>      Fixes: 9ce64bb8afd8 ("UBUNTU: SAUCE: fan: add VXLAN implementation")
>      Signed-off-by: Jacob Martin <jacob.martin at canonical.com>
> 
> [Test Plan]
> 
> The NULL pointer dereference can be reproduced 100% of the time with the
> following:
> # ip link add vxlan0 type vxlan dstport 0 local 192.168.0.1 id 16384000 fan-map 240.0.0.0/8:192.168.0.0/16
> 
> Thus, this can be used to easily verify the issue was resolved.
> 
> I also ran the ubuntu_fan_smoke_test autotest test after patching the
> kernel, and verified that it now passes.
> 
> [Where problems could occur]
> 
> This change affects the vxlan driver, specifically the code that parses
> an optional Ubuntu Fan configuration. Issues could manifest as
> misbehavior of the vxlan driver.
> 
> [Other notes]
> v2: include patch for Questing
> 

Applied to plucky:linux/master-next. Thanks.

-Stefan

-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_0xE8675DEECBEECEA3.asc
Type: application/pgp-keys
Size: 47863 bytes
Desc: OpenPGP public key
URL: <https://lists.ubuntu.com/archives/kernel-team/attachments/20250704/3b3ef68f/attachment-0001.key>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/kernel-team/attachments/20250704/3b3ef68f/attachment-0001.sig>

More information about the kernel-team mailing list