Commit dcb4e2231469 for kernel

commit dcb4e2231469523d20cf0a2477d68245795c205d
Author: Ricardo B. Marlière <rbm@suse.com>
Date:   Sat Mar 7 17:50:55 2026 -0300

    bpf: bpf_out_neigh_v4: Fix nd_tbl NULL dereference when IPv6 is disabled

    When booting with the 'ipv6.disable=1' parameter, the nd_tbl is never
    initialized because inet6_init() exits before ndisc_init() is called which
    initializes it. If bpf_redirect_neigh() is called from tc with an explicit
    nexthop of nh_family == AF_INET6, bpf_out_neigh_v4() takes the AF_INET6
    branch and calls ip_neigh_gw6(), which relies on ipv6_stub->nd_tbl.

     BUG: kernel NULL pointer dereference, address: 0000000000000248
     Oops: Oops: 0000 [#1] SMP NOPTI
     RIP: 0010:skb_do_redirect+0xb93/0xf00
     Call Trace:
      <TASK>
      ? srso_alias_return_thunk+0x5/0xfbef5
      ? __tcf_classify.constprop.0+0x83/0x160
      ? srso_alias_return_thunk+0x5/0xfbef5
      ? tcf_classify+0x2b/0x50
      ? srso_alias_return_thunk+0x5/0xfbef5
      ? tc_run+0xb8/0x120
      ? srso_alias_return_thunk+0x5/0xfbef5
      __dev_queue_xmit+0x6fa/0x1000
      ? srso_alias_return_thunk+0x5/0xfbef5
      ? srso_alias_return_thunk+0x5/0xfbef5
      ? alloc_skb_with_frags+0x58/0x200
      packet_sendmsg+0x10da/0x1700
      ? srso_alias_return_thunk+0x5/0xfbef5
      __sys_sendto+0x1f3/0x220
      __x64_sys_sendto+0x24/0x30
      do_syscall_64+0x101/0xf80
      ? exc_page_fault+0x6e/0x170
      ? srso_alias_return_thunk+0x5/0xfbef5
      entry_SYSCALL_64_after_hwframe+0x77/0x7f
      </TASK>

    Fix this by adding an early check in the AF_INET6 branch of
    bpf_out_neigh_v4(). If IPv6 is disabled, unlock RCU and drop the packet.

    Suggested-by: Fernando Fernandez Mancera <fmancera@suse.de>
    Fixes: ba452c9e996d ("bpf: Fix bpf_redirect_neigh helper api to support supplying nexthop")
    Signed-off-by: Ricardo B. Marlière <rbm@suse.com>
    Acked-by: Daniel Borkmann <daniel@iogearbox.net>
    Link: https://patch.msgid.link/20260307-net-nd_tbl_fixes-v4-3-e2677e85628c@suse.com
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>

diff --git a/net/core/filter.c b/net/core/filter.c
index a77d23fe2359..fd38b6f8b7a8 100644
--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -2335,6 +2335,10 @@ static int bpf_out_neigh_v4(struct net *net, struct sk_buff *skb,

 		neigh = ip_neigh_for_gw(rt, skb, &is_v6gw);
 	} else if (nh->nh_family == AF_INET6) {
+		if (unlikely(!ipv6_mod_enabled())) {
+			rcu_read_unlock();
+			goto out_drop;
+		}
 		neigh = ip_neigh_gw6(dev, &nh->ipv6_nh);
 		is_v6gw = true;
 	} else if (nh->nh_family == AF_INET) {