* Re: [PATCH net] ipv4: icmp: fix null-ptr-deref in icmp_build_probe(): manual merge
[not found] <20260402070419.2291578-1-sunyiqixm@gmail.com>
@ 2026-04-06 10:48 ` Matthieu Baerts
2026-04-06 15:36 ` Jakub Kicinski
0 siblings, 1 reply; 4+ messages in thread
From: Matthieu Baerts @ 2026-04-06 10:48 UTC (permalink / raw)
To: Yiqi Sun
Cc: horms, netdev, davem, dsahern, edumazet, kuba, pabeni, Mark Brown,
linux-next
Hello,
+cc linux-next
On 02/04/2026 09:04, Yiqi Sun wrote:
> ipv6_stub->ipv6_dev_find() may return ERR_PTR(-EAFNOSUPPORT) when the
> IPv6 stack is not active (CONFIG_IPV6=m and not loaded), and passing
> this error pointer to dev_hold() will cause a kernel crash with
> null-ptr-deref.
>
> Instead, silently discard the request. RFC 8335 does not appear to
> define a specific response for the case where an IPv6 interface
> identifier is syntactically valid but the implementation cannot perform
> the lookup at runtime, and silently dropping the request may be safer than
> misreporting "No Such Interface".
FYI, we got a small conflict when merging 'net' in 'net-next' in the
MPTCP tree due to this patch applied in 'net':

  fde29fd93493 ("ipv4: icmp: fix null-ptr-deref in icmp_build_probe()")

and this one from 'net-next':

  d98adfbdd5c0 ("ipv4: drop ipv6_stub usage and use direct function calls")

----- Generic Message -----
The best is to avoid conflicts between 'net' and 'net-next' trees but if
they cannot be avoided when preparing patches, a note about how to fix
them is much appreciated.

The conflict has been resolved on our side [1] and the resolution we
suggest is attached to this email. Please report any issues linked to
this conflict resolution as it might be used by others. If you worked on
the mentioned patches, don't hesitate to ACK this conflict resolution.
---------------------------

Rerere cache is available in [2].

1: https://github.com/multipath-tcp/mptcp_net-next/commit/c14d8597c9a0
2: https://github.com/multipath-tcp/mptcp-upstream-rr-cache/commit/d4699ea
> diff --git a/net/ipv4/icmp.c b/net/ipv4/icmp.c
> index 568bd1e95d44..d294666c68d9 100644
> --- a/net/ipv4/icmp.c
> +++ b/net/ipv4/icmp.c
(...)
> bool icmp_build_probe(struct sk_buff *skb, struct icmphdr *icmphdr)
> @@ -1346,6 +1347,13 @@ bool icmp_build_probe(struct sk_buff *skb, struct icmphdr *icmphdr)
> if (iio->ident.addr.ctype3_hdr.addrlen != sizeof(struct in6_addr))
> goto send_mal_query;
> dev = ipv6_stub->ipv6_dev_find(net, &iio->ident.addr.ip_addr.ipv6_addr, dev);
The conflict was in the context: the commit in net-next modified this
line above, while the one in net added this block below.
> + /*
> + * If IPv6 identifier lookup is unavailable, silently
> + * discard the request instead of misreporting NO_IF.
> + */
> + if (IS_ERR(dev))
> + return false;
> +
> dev_hold(dev);
> break;
> #endif
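Review bot: the comment above `if (IS_ERR(dev))` says the lookup is "unavailable" without saying what ipv6_dev_find() hands back in that case. The commit message names ERR_PTR(-EAFNOSUPPORT) with CONFIG_IPV6=m and the module not loaded; that detail belongs in the comment, since IS_ERR() will also silently swallow any other error pointer. This exit is also a bare `return false` where the check just above it uses `goto send_mal_query`, so the commit message should state that nothing taken earlier in the function needs releasing on this path.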
----------------------- 8< -----------------------
diff --cc net/ipv4/icmp.c
index 2f4fac22d1ab,4e2a6c70dcd8..f1c715cc3800
--- a/net/ipv4/icmp.c
+++ b/net/ipv4/icmp.c
@@@ -1342,7 -1345,14 +1342,14 @@@ bool icmp_build_probe(struct sk_buff *s
case ICMP_AFI_IP6:
if (iio->ident.addr.ctype3_hdr.addrlen != sizeof(struct in6_addr))
goto send_mal_query;
- dev = ipv6_stub->ipv6_dev_find(net, &iio->ident.addr.ip_addr.ipv6_addr, dev);
+ dev = ipv6_dev_find(net, &iio->ident.addr.ip_addr.ipv6_addr, dev);
+ /*
+ * If IPv6 identifier lookup is unavailable, silently
+ * discard the request instead of misreporting NO_IF.
+ */
+ if (IS_ERR(dev))
+ return false;
+
dev_hold(dev);
break;
#endif
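Review bot: the resolution keeps the `IS_ERR(dev)` check and its comment even though the call is now the direct `ipv6_dev_find()`. The quoted commit message justifies that check by `ipv6_stub->ipv6_dev_find()` returning ERR_PTR(-EAFNOSUPPORT) when the IPv6 module is not loaded, which is a failure mode of the stub. If the direct function cannot return an error pointer, the branch is dead code and the comment describes a case that no longer exists in net-next. Either drop both in the resolution and say so in the merge commit message, or keep them and reword the comment to name the error the direct call can actually return.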
----------------------- 8< -----------------------
Cheers,
Matt
--
Sponsored by the NGI0 Core fund.
* Re: [PATCH net] ipv4: icmp: fix null-ptr-deref in icmp_build_probe(): manual merge
2026-04-06 10:48 ` [PATCH net] ipv4: icmp: fix null-ptr-deref in icmp_build_probe(): manual merge Matthieu Baerts
@ 2026-04-06 15:36 ` Jakub Kicinski
2026-04-06 16:10 ` Matthieu Baerts
0 siblings, 1 reply; 4+ messages in thread
From: Jakub Kicinski @ 2026-04-06 15:36 UTC (permalink / raw)
To: Matthieu Baerts
Cc: Yiqi Sun, horms, netdev, davem, dsahern, edumazet, pabeni,
Mark Brown, linux-next
On Mon, 6 Apr 2026 12:48:28 +0200 Matthieu Baerts wrote:
> - dev = ipv6_stub->ipv6_dev_find(net, &iio->ident.addr.ip_addr.ipv6_addr, dev);
> + dev = ipv6_dev_find(net, &iio->ident.addr.ip_addr.ipv6_addr, dev);
> + /*
> + * If IPv6 identifier lookup is unavailable, silently
> + * discard the request instead of misreporting NO_IF.
> + */
> + if (IS_ERR(dev))
> + return false;
> +
> dev_hold(dev);
> break;
See my reply, AFAIU we can just delete this new check in net-next.
* Re: [PATCH net] ipv4: icmp: fix null-ptr-deref in icmp_build_probe(): manual merge
2026-04-06 15:36 ` Jakub Kicinski
@ 2026-04-06 16:10 ` Matthieu Baerts
2026-04-06 16:46 ` Jakub Kicinski
0 siblings, 1 reply; 4+ messages in thread
From: Matthieu Baerts @ 2026-04-06 16:10 UTC (permalink / raw)
To: Jakub Kicinski
Cc: Yiqi Sun, horms, netdev, davem, dsahern, edumazet, pabeni,
Mark Brown, linux-next
Hi Jakub,
Thank you for your reply!
On 06/04/2026 17:36, Jakub Kicinski wrote:
> On Mon, 6 Apr 2026 12:48:28 +0200 Matthieu Baerts wrote:
>> - dev = ipv6_stub->ipv6_dev_find(net, &iio->ident.addr.ip_addr.ipv6_addr, dev);
>> + dev = ipv6_dev_find(net, &iio->ident.addr.ip_addr.ipv6_addr, dev);
>> + /*
>> + * If IPv6 identifier lookup is unavailable, silently
>> + * discard the request instead of misreporting NO_IF.
>> + */
>> + if (IS_ERR(dev))
>> + return false;
>> +
>> dev_hold(dev);
>> break;
>
> See my reply, AFAIU we can just delete this new check in net-next.
Good idea.
Should this not be done in an explicit patch, rather than "hidden"
during the merge?
Cheers,
Matt
--
Sponsored by the NGI0 Core fund.
* Re: [PATCH net] ipv4: icmp: fix null-ptr-deref in icmp_build_probe(): manual merge
2026-04-06 16:10 ` Matthieu Baerts
@ 2026-04-06 16:46 ` Jakub Kicinski
0 siblings, 0 replies; 4+ messages in thread
From: Jakub Kicinski @ 2026-04-06 16:46 UTC (permalink / raw)
To: Matthieu Baerts
Cc: Yiqi Sun, horms, netdev, davem, dsahern, edumazet, pabeni,
Mark Brown, linux-next
On Mon, 6 Apr 2026 18:10:14 +0200 Matthieu Baerts wrote:
> On 06/04/2026 17:36, Jakub Kicinski wrote:
> > On Mon, 6 Apr 2026 12:48:28 +0200 Matthieu Baerts wrote:
> >> - dev = ipv6_stub->ipv6_dev_find(net, &iio->ident.addr.ip_addr.ipv6_addr, dev);
> >> + dev = ipv6_dev_find(net, &iio->ident.addr.ip_addr.ipv6_addr, dev);
> >> + /*
> >> + * If IPv6 identifier lookup is unavailable, silently
> >> + * discard the request instead of misreporting NO_IF.
> >> + */
> >> + if (IS_ERR(dev))
> >> + return false;
> >> +
> >> dev_hold(dev);
> >> break;
> >
> > See my reply, AFAIU we can just delete this new check in net-next.
>
> Good idea.
>
> Should this not be done in an explicit patch, rather than "hidden"
> during the merge?
Dunno, it's not a huge change, feels like a good fit for a merge.