Re: [PATCH 09/11 net-next v5] bpf: remove ipv6_bpf_stub completely and use direct function calls

[Martin KaFai Lau]

On 3/25/26 1:29 PM, Fernando Fernandez Mancera wrote:
> On 3/25/26 8:11 PM, Martin KaFai Lau wrote:
> > On 3/25/26 5:08 AM, Fernando Fernandez Mancera wrote:
> > > As IPv6 is built-in only, the ipv6_bpf_stub can be removed completely.
> > >
> > > Convert all ipv6_bpf_stub usage to direct function calls instead. The
> > > fallback functions introduced previously will prevent linkage errors
> > > when CONFIG_IPV6 is disabled.
> >
> > Thanks for working on this.
> >
> > > @@ -6221,8 +6215,8 @@ static int bpf_ipv4_fib_lookup(struct net *net, 
> > > struct bpf_fib_lookup *params,
> > >       if (likely(nhc->nhc_gw_family != AF_INET6))
> > >           neigh = __ipv4_neigh_lookup_noref(dev,
> > >                             (__force u32)params->ipv4_dst);
> > > -    else
> > > -        neigh = __ipv6_neigh_lookup_noref_stub(dev, params->ipv6_dst);
> > > +    else if (IS_ENABLED(CONFIG_IPV6))
> > > +        neigh = __ipv6_neigh_lookup_noref(dev, params->ipv6_dst);
> >
> > Should it be ipv6_mod_enabled() instead of IS_ENABLED(CONFIG_IPV6)?
> > Is nd_tbl always initialized?
>
> Hi Martin,
>
> I don't think so. The IS_ENABLED(CONFIG_IPV6) check here is just to 
> prevent an undefined reference when compiling with CONFIG_IPV6=n. Note 
> that this code isn't reachable when ipv6.disable=1 is set during 
> booting, as it would have crashed even before this change because 
> ipv6_stub->nd_tbl is NULL if the IPV6 is disabled since booting.
>
> We addressed the vulnerable paths already during this series:
>
> https://lore.kernel.org/netdev/20260307-net-nd_tbl_fixes-v4-0- 
> e2677e85628c@xxxxxxxx/#
>
> > >       if (!neigh || !(READ_ONCE(neigh->nud_state) & NUD_VALID))
> > >           return BPF_FIB_LKUP_RET_NO_NEIGH;
> > > @@ -6290,12 +6284,11 @@ static int bpf_ipv6_fib_lookup(struct net 
> > > *net, struct bpf_fib_lookup *params,
> > >               params->tbid = 0;
> > >           }
> > > -        tb = ipv6_stub->fib6_get_table(net, tbid);
> > > +        tb = fib6_get_table(net, tbid);
> > >           if (unlikely(!tb))
> > >               return BPF_FIB_LKUP_RET_NOT_FWDED;
> > > -        err = ipv6_stub->fib6_table_lookup(net, tb, oif, &fl6, &res,
> > > -                           strict);
> > > +        err = fib6_table_lookup(net, tb, oif, &fl6, &res, strict);
> >
> > A similar question here and other changes in the patch.
> >
> > I think bpf_ipv6_fib_lookup() is fine because the earlier
> > "!idev" check should fail when ipv6 is disabled at boot time?
>
> Yes, the !idev check prevents us to reach this path so it is safe to 
> call fib6_table_lookup().
>
> While working on the series I have been trying to exploit these paths 
> (this one and other changes in the series), so far I didn't find anything.

Thanks for the explanation.

Reviewed-by: Martin KaFai Lau <martin.lau@xxxxxxxxxx>