Commit d56b5d163458 for kernel

commit d56b5d163458c45ab8fa1f00bd875af01b3ce28c
Author: Ricardo B. Marlière <rbm@suse.com>
Date:   Sat Mar 7 17:50:56 2026 -0300

    bpf: bpf_out_neigh_v6: Fix nd_tbl NULL dereference when IPv6 is disabled

    When booting with the 'ipv6.disable=1' parameter, the nd_tbl is never
    initialized because inet6_init() exits before ndisc_init() is called which
    initializes it. If bpf_redirect_neigh() is called with explicit AF_INET6
    nexthop parameters, __bpf_redirect_neigh_v6() can skip the IPv6 FIB lookup
    and call bpf_out_neigh_v6() directly. bpf_out_neigh_v6() then calls
    ip_neigh_gw6(), which uses ipv6_stub->nd_tbl.

     BUG: kernel NULL pointer dereference, address: 0000000000000248
     Oops: Oops: 0000 [#1] SMP NOPTI
     RIP: 0010:skb_do_redirect+0x44f/0xf40
     Call Trace:
      <TASK>
      ? srso_alias_return_thunk+0x5/0xfbef5
      ? __tcf_classify.constprop.0+0x83/0x160
      ? srso_alias_return_thunk+0x5/0xfbef5
      ? tcf_classify+0x2b/0x50
      ? srso_alias_return_thunk+0x5/0xfbef5
      ? tc_run+0xb8/0x120
      ? srso_alias_return_thunk+0x5/0xfbef5
      __dev_queue_xmit+0x6fa/0x1000
      ? srso_alias_return_thunk+0x5/0xfbef5
      packet_sendmsg+0x10da/0x1700
      ? srso_alias_return_thunk+0x5/0xfbef5
      __sys_sendto+0x1f3/0x220
      __x64_sys_sendto+0x24/0x30
      do_syscall_64+0x101/0xf80
      ? exc_page_fault+0x6e/0x170
      ? srso_alias_return_thunk+0x5/0xfbef5
      entry_SYSCALL_64_after_hwframe+0x77/0x7f
      </TASK>

    Fix this by adding an early check in bpf_out_neigh_v6(). If IPv6 is
    disabled, drop the packet before neighbor lookup.

    Suggested-by: Fernando Fernandez Mancera <fmancera@suse.de>
    Fixes: ba452c9e996d ("bpf: Fix bpf_redirect_neigh helper api to support supplying nexthop")
    Signed-off-by: Ricardo B. Marlière <rbm@suse.com>
    Acked-by: Daniel Borkmann <daniel@iogearbox.net>
    Link: https://patch.msgid.link/20260307-net-nd_tbl_fixes-v4-4-e2677e85628c@suse.com
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>

diff --git a/net/core/filter.c b/net/core/filter.c
index fd38b6f8b7a8..78b548158fb0 100644
--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -2228,6 +2228,9 @@ static int bpf_out_neigh_v6(struct net *net, struct sk_buff *skb,
 			return -ENOMEM;
 	}

+	if (unlikely(!ipv6_mod_enabled()))
+		goto out_drop;
+
 	rcu_read_lock();
 	if (!nh) {
 		dst = skb_dst(skb);