From: sashiko-bot@kernel.org
To: "Mahe Tardy" <mahe.tardy@gmail.com>
Cc: bpf@vger.kernel.org
Subject: Re: [PATCH bpf-next v4 1/6] net: move netfilter nf_reject_fill_skb_dst to core ipv4
Date: Tue, 21 Apr 2026 11:13:20 +0000 [thread overview]
Message-ID: <20260421111320.D97D9C2BCB0@smtp.kernel.org> (raw)
In-Reply-To: <20260420105816.72168-2-mahe.tardy@gmail.com>
Sashiko AI review found 3 potential issue(s):
- [High] NULL Pointer Dereference on `skb->dev` in exported routing helper.
- [High] Missing Header Linearization and Bounds Check causing Out-of-Bounds Read.
- [Low] Misleading function name implies read-only operation while mutating SKB state.
--
commit d9b5a7cd6924dc358237afb642ea1eb45a09213a
Author: Mahe Tardy <mahe.tardy@gmail.com>
net: move netfilter nf_reject_fill_skb_dst to core ipv4
This patch moves and renames nf_reject_fill_skb_dst to
ip_route_reply_fetch_dst in ipv4/route.c to allow reuse by BPF kfuncs.
It also inlines the nf_ip_route wrapper around ip_route_output_key.
[ ... ]
> diff --git a/net/ipv4/route.c b/net/ipv4/route.c
> index bc1296f0ea69b..7091ef9360737 100644
> --- a/net/ipv4/route.c
> +++ b/net/ipv4/route.c
> @@ -2945,6 +2945,21 @@ struct rtable *ip_route_output_flow(struct net *net, struct flowi4 *flp4,
> }
> EXPORT_SYMBOL_GPL(ip_route_output_flow);
>
> +int ip_route_reply_fetch_dst(struct sk_buff *skb)
This isn't a bug, but does the name ip_route_reply_fetch_dst imply a read-only
operation? Since it mutates the SKB by setting the destination via
skb_dst_set(), could this lead to callers accidentally overwriting and
leaking existing destinations?
Would a name like ip_route_reply_fill_skb_dst better reflect its side effects?
> +{
> + struct rtable *rt;
> + struct flowi4 fl4 = {
> + .daddr = ip_hdr(skb)->saddr
Can this lead to an out-of-bounds read?
Now that this is exported for BPF kfuncs, it can be reached from early
hooks like TC ingress where the IPv4 header might not be linearized yet.
If a malformed packet contains less than sizeof(struct iphdr) bytes of
linear data, does accessing ->saddr require validation via
pskb_may_pull() or similar?
> + };
> +
> + rt = ip_route_output_key(dev_net(skb->dev), &fl4);
Can skb->dev be NULL here?
While safe in its original netfilter context, a BPF_PROG_TYPE_NETFILTER
program attached to the NF_INET_LOCAL_OUT hook will receive locally
generated SKBs before skb->dev is assigned (e.g., in __ip_local_out before
ip_output).
Does dev_net(skb->dev) need a check to prevent a kernel panic when called
from such contexts?
> + if (IS_ERR(rt))
> + return PTR_ERR(rt);
> + skb_dst_set(skb, &rt->dst);
> + return 0;
> +}
> +EXPORT_SYMBOL_GPL(ip_route_reply_fetch_dst);
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260420105816.72168-1-mahe.tardy@gmail.com?part=1
next prev parent reply other threads:[~2026-04-21 11:13 UTC|newest]
Thread overview: 55+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-07-10 10:26 [PATCH bpf-next v1 0/4] bpf: add icmp_send_unreach kfunc Mahe Tardy
2025-07-10 10:26 ` [PATCH bpf-next v1 1/4] net: move netfilter nf_reject_fill_skb_dst to core ipv4 Mahe Tardy
2025-07-10 10:26 ` [PATCH bpf-next v1 2/4] net: move netfilter nf_reject6_fill_skb_dst to core ipv6 Mahe Tardy
2025-07-10 22:02 ` kernel test robot
2025-07-10 10:26 ` [PATCH bpf-next v1 3/4] bpf: add bpf_icmp_send_unreach cgroup_skb kfunc Mahe Tardy
2025-07-10 16:07 ` Alexei Starovoitov
2025-07-11 10:57 ` Mahe Tardy
2025-07-25 18:53 ` [PATCH bpf-next v1 0/4] bpf: add icmp_send_unreach kfunc Mahe Tardy
2025-07-25 18:53 ` [PATCH bpf-next v2 1/4] net: move netfilter nf_reject_fill_skb_dst to core ipv4 Mahe Tardy
2025-07-25 18:53 ` [PATCH bpf-next v2 2/4] net: move netfilter nf_reject6_fill_skb_dst to core ipv6 Mahe Tardy
2025-07-25 18:53 ` [PATCH bpf-next v2 3/4] bpf: add bpf_icmp_send_unreach cgroup_skb kfunc Mahe Tardy
2025-07-27 1:49 ` kernel test robot
2025-07-28 9:43 ` [PATCH bpf-next v3 0/4] bpf: add icmp_send_unreach kfunc Mahe Tardy
2025-07-28 9:43 ` [PATCH bpf-next v3 1/4] net: move netfilter nf_reject_fill_skb_dst to core ipv4 Mahe Tardy
2025-07-28 9:43 ` [PATCH bpf-next v3 2/4] net: move netfilter nf_reject6_fill_skb_dst to core ipv6 Mahe Tardy
2025-07-28 9:43 ` [PATCH bpf-next v3 3/4] bpf: add bpf_icmp_send_unreach cgroup_skb kfunc Mahe Tardy
2025-07-28 20:10 ` kernel test robot
2025-07-29 1:05 ` Martin KaFai Lau
2025-07-29 10:06 ` Mahe Tardy
2025-07-29 23:13 ` Martin KaFai Lau
2025-07-28 9:43 ` [PATCH bpf-next v3 4/4] selftests/bpf: add icmp_send_unreach kfunc tests Mahe Tardy
2025-07-28 15:40 ` Yonghong Song
2025-07-28 15:59 ` Mahe Tardy
2025-07-29 1:18 ` Martin KaFai Lau
2025-07-29 9:09 ` Mahe Tardy
2025-07-29 23:27 ` Martin KaFai Lau
2025-07-30 0:01 ` Martin KaFai Lau
2025-07-30 0:32 ` Martin KaFai Lau
2025-08-05 23:26 ` Jordan Rife
2025-07-29 1:21 ` [PATCH bpf-next v3 0/4] bpf: add icmp_send_unreach kfunc Martin KaFai Lau
2025-07-29 9:53 ` Mahe Tardy
2025-07-30 1:54 ` Martin KaFai Lau
2025-08-01 18:50 ` Mahe Tardy
2026-04-20 10:58 ` [PATCH bpf-next v4 0/6] " Mahe Tardy
2026-04-20 10:58 ` [PATCH bpf-next v4 1/6] net: move netfilter nf_reject_fill_skb_dst to core ipv4 Mahe Tardy
2026-04-20 11:36 ` bot+bpf-ci
2026-04-20 13:04 ` Mahe Tardy
2026-04-21 11:13 ` sashiko-bot [this message]
2026-04-20 10:58 ` [PATCH bpf-next v4 2/6] net: move netfilter nf_reject6_fill_skb_dst to core ipv6 Mahe Tardy
2026-04-21 11:13 ` sashiko-bot
2026-04-20 10:58 ` [PATCH bpf-next v4 3/6] bpf: add bpf_icmp_send_unreach kfunc Mahe Tardy
2026-04-20 11:36 ` bot+bpf-ci
2026-04-20 13:07 ` Mahe Tardy
2026-04-21 11:13 ` sashiko-bot
2026-04-20 10:58 ` [PATCH bpf-next v4 4/6] selftests/bpf: add icmp_send_unreach kfunc tests Mahe Tardy
2026-04-20 11:36 ` bot+bpf-ci
2026-04-20 13:08 ` Mahe Tardy
2026-04-21 11:13 ` sashiko-bot
2026-04-20 10:58 ` [PATCH bpf-next v4 5/6] selftests/bpf: add icmp_send_unreach kfunc IPv6 tests Mahe Tardy
2026-04-21 11:13 ` sashiko-bot
2026-04-20 10:58 ` [PATCH bpf-next v4 6/6] selftests/bpf: add icmp_send_unreach_recursion test Mahe Tardy
2026-04-21 11:13 ` sashiko-bot
2025-07-25 18:53 ` [PATCH bpf-next v2 4/4] selftests/bpf: add icmp_send_unreach kfunc tests Mahe Tardy
2025-07-11 0:32 ` [PATCH bpf-next v1 3/4] bpf: add bpf_icmp_send_unreach cgroup_skb kfunc kernel test robot
2025-07-10 10:26 ` [PATCH bpf-next v1 4/4] selftests/bpf: add icmp_send_unreach kfunc tests Mahe Tardy
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260421111320.D97D9C2BCB0@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=mahe.tardy@gmail.com \
--cc=sashiko@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox