ACK/Cmnt: [SRU][P][PATCH 0/1] Creating a VXLAN interface with a Fan mapping causes a NULL pointer dereference

Jacob Martin jacob.martin at canonical.com
Fri Jun 20 15:41:26 UTC 2025 

On 6/16/25 9:20 PM, Wei-Lin Chang wrote:
> On Fri, Jun 13, 2025 at 04:54:49PM -0500, Jacob Martin wrote:
>> BugLink: https://bugs.launchpad.net/bugs/2113992
> 
> In the docs "Reviewing and Applying Mailing List Patches" there
> is: "SRU justification must is written in Bug Description (of
> the LP bug), not in a comment", but I don't know if this is strictly
> enforced, so

Thanks for the note! I updated the bug description to include the SRU 
justification.

Jacob

> 
> Acked-by: Wei-Lin Chang <weilin.chang at canonical.com>
> 
>>
>> SRU Justification:
>>
>> [Impact]
>>
>> Creating a VXLAN link with a Fan map reliably results in a kernel NULL pointer dereference.
>>
>> [ 1035.676861] BUG: kernel NULL pointer dereference, address: 0000000000000000
>> [ 1035.678459] #PF: supervisor read access in kernel mode
>> [ 1035.679321] #PF: error_code(0x0000) - not-present page
>> [ 1035.680092] PGD 0 P4D 0
>> [ 1035.680509] Oops: Oops: 0000 [#1] PREEMPT SMP PTI
>> [ 1035.681179] CPU: 1 UID: 0 PID: 8470 Comm: ip Not tainted 6.14.0-15-generic #15-Ubuntu
>> [ 1035.682291] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009)/LXD, BIOS unknown 2/2/2022
>> ...
>>
>> This affects 6.14 kernels only.
>>
>> [Fix]
>>
>> Author: Jacob Martin <jacob.martin at canonical.com>
>> Date:   Fri Jun 13 10:33:42 2025 -0500
>>
>>      UBUNTU: SAUCE: fan: vxlan: parse fan-map from IFLA_VXLAN_FAN_MAP attribute ID
>>      
>>      BugLink: https://bugs.launchpad.net/bugs/2113992
>>      
>>      Before 6c11379b104e ("vxlan: Add an attribute to make VXLAN header
>>      validation configurable"), IFLA_IPTUN_FAN_MAP and IFLA_VXLAN_FAN_MAP
>>      shared the same integer value, allowing them to be used interchangeably
>>      without issue, even though they represented attributes for different
>>      link types. The introduction of IFLA_VXLAN_RESERVED_BITS led to
>>      IFLA_VXLAN_FAN_MAP's integer value being incremented by 1 (33 to 34).
>>      Thus the presence of attribute IFLA_VXLAN_FAN_MAP is checked but parsing
>>      of the fan-map is attempted by accessing IFLA_IPTUN_FAN_MAP, causing a
>>      NULL pointer dereference when creating a VXLAN device with a Fan
>>      mapping.
>>      
>>      This is resolved by adjusting the vxlan_parse_fan_map() function to
>>      access the correct IFLA_VXLAN_FAN_MAP attribute instead of
>>      IFLA_IPTUN_FAN_MAP.
>>      
>>      Fixes: 9ce64bb8afd8 ("UBUNTU: SAUCE: fan: add VXLAN implementation")
>>      Signed-off-by: Jacob Martin <jacob.martin at canonical.com>
>>
>> [Test Plan]
>>
>> The NULL pointer dereference can be reproduced 100% of the time with the
>> following:
>> # ip link add vxlan0 type vxlan dstport 0 local 192.168.0.1 id 16384000 fan-map 240.0.0.0/8:192.168.0.0/16
>>
>> Thus, this can be used to easily verify the issue was resolved.
>>
>> I also ran the ubuntu_fan_smoke_test autotest test after patching the
>> kernel, and verified that it now passes.
>>
>> [Where problems could occur]
>>
>> This change affects the vxlan driver, specifically the code that parses
>> an optional Ubuntu Fan configuration. Issues could manifest as
>> misbehavior of the vxlan driver.
>>
>> Jacob Martin (1):
>>    UBUNTU: SAUCE: fan: vxlan: parse fan-map from IFLA_VXLAN_FAN_MAP
>>      attribute ID
>>
>>   drivers/net/vxlan/vxlan_core.c | 2 +-
>>   1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> -- 
>> 2.43.0
>>
>>
>> -- 
>> kernel-team mailing list
>> kernel-team at lists.ubuntu.com
>> https://lists.ubuntu.com/mailman/listinfo/kernel-team

More information about the kernel-team mailing list