[Bug 2113992] Re: Creating a VXLAN interface with a Fan mapping causes a NULL pointer dereference caught by ubuntu_fan_smoke_test:sut-scan

Jacob Martin Fri, 13 Jun 2025 15:05:35 -0700

SRU Justification:

[Impact]


Creating a VXLAN link with a Fan map reliably results in a kernel NULL
pointer dereference.

[ 1035.676861] BUG: kernel NULL pointer dereference, address: 0000000000000000
[ 1035.678459] #PF: supervisor read access in kernel mode
[ 1035.679321] #PF: error_code(0x0000) - not-present page
[ 1035.680092] PGD 0 P4D 0 
[ 1035.680509] Oops: Oops: 0000 [#1] PREEMPT SMP PTI
[ 1035.681179] CPU: 1 UID: 0 PID: 8470 Comm: ip Not tainted 6.14.0-15-generic 
#15-Ubuntu
[ 1035.682291] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009)/LXD, BIOS 
unknown 2/2/2022
...

This affects 6.14 kernels only.

[Fix]

Author: Jacob Martin <jacob.mar...@canonical.com>
Date:   Fri Jun 13 10:33:42 2025 -0500

    UBUNTU: SAUCE: fan: vxlan: parse fan-map from IFLA_VXLAN_FAN_MAP attribute 
ID
    
    BugLink: https://bugs.launchpad.net/bugs/2113992
    
    Before 6c11379b104e ("vxlan: Add an attribute to make VXLAN header
    validation configurable"), IFLA_IPTUN_FAN_MAP and IFLA_VXLAN_FAN_MAP
    shared the same integer value, allowing them to be used interchangeably
    without issue, even though they represented attributes for different
    link types. The introduction of IFLA_VXLAN_RESERVED_BITS led to
    IFLA_VXLAN_FAN_MAP's integer value being incremented by 1 (33 to 34).
    Thus the presence of attribute IFLA_VXLAN_FAN_MAP is checked but parsing
    of the fan-map is attempted by accessing IFLA_IPTUN_FAN_MAP, causing a
    NULL pointer dereference when creating a VXLAN device with a Fan
    mapping.
    
    This is resolved by adjusting the vxlan_parse_fan_map() function to
    access the correct IFLA_VXLAN_FAN_MAP attribute instead of
    IFLA_IPTUN_FAN_MAP.
    
    Fixes: 9ce64bb8afd8 ("UBUNTU: SAUCE: fan: add VXLAN implementation")
    Signed-off-by: Jacob Martin <jacob.mar...@canonical.com>

[Test Plan]

The NULL pointer dereference can be reproduced 100% of the time with the
following:
# ip link add vxlan0 type vxlan dstport 0 local 192.168.0.1 id 16384000 fan-map 
240.0.0.0/8:192.168.0.0/16

Thus, this can be used to easily verify the issue was resolved.

I also ran the ubuntu_fan_smoke_test autotest test after patching the
kernel, and verified that it now passes.

[Where problems could occur]

This change affects the vxlan driver, specifically the code that parses
an optional Ubuntu Fan configuration. Issues could manifest as
misbehavior of the vxlan driver.


** Summary changed:

- NULL pointer dereference caught by ubuntu_fan_smoke_test:sut-scan
+ Creating a VXLAN interface with a Fan mapping causes a NULL pointer 
dereference caught by ubuntu_fan_smoke_test:sut-scan

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2113992

Title:
  Creating a VXLAN interface with a Fan mapping causes a NULL pointer
  dereference caught by ubuntu_fan_smoke_test:sut-scan

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2113992/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 2113992] Re: Creating a VXLAN interface with a Fan mapping causes a NULL pointer dereference caught by ubuntu_fan_smoke_test:sut-scan

Reply via email to