public inbox for linux-next@vger.kernel.org
From: Matthieu Baerts <matttbe@kernel.org>
To: Yiqi Sun <sunyiqixm@gmail.com>
Cc: horms@kernel.org, netdev@vger.kernel.org, davem@davemloft.net,
	dsahern@kernel.org, edumazet@google.com, kuba@kernel.org,
	pabeni@redhat.com, Mark Brown <broonie@kernel.org>,
	linux-next@vger.kernel.org
Subject: Re: [PATCH net] ipv4: icmp: fix null-ptr-deref in icmp_build_probe(): manual merge
Date: Mon, 6 Apr 2026 12:48:28 +0200
Message-ID: <c7df7e27-992e-4973-b6fb-63cdb7b40158@kernel.org>
In-Reply-To: <20260402070419.2291578-1-sunyiqixm@gmail.com>

Hello,

+cc linux-next

On 02/04/2026 09:04, Yiqi Sun wrote:
> ipv6_stub->ipv6_dev_find() may return ERR_PTR(-EAFNOSUPPORT) when the
> IPv6 stack is not active (CONFIG_IPV6=m and not loaded), and passing
> this error pointer to dev_hold() will cause a kernel crash with
> null-ptr-deref.
> 
> Instead, silently discard the request. RFC 8335 does not appear to
> define a specific response for the case where an IPv6 interface
> identifier is syntactically valid but the implementation cannot perform
> the lookup at runtime, and silently dropping the request may be safer than
> misreporting "No Such Interface".

FYI, we got a small conflict when merging 'net' in 'net-next' in the
MPTCP tree due to this patch applied in 'net':

  fde29fd93493 ("ipv4: icmp: fix null-ptr-deref in icmp_build_probe()")

and this one from 'net-next':

  d98adfbdd5c0 ("ipv4: drop ipv6_stub usage and use direct function calls")

----- Generic Message -----
The best is to avoid conflicts between 'net' and 'net-next' trees but if
they cannot be avoided when preparing patches, a note about how to fix
them is much appreciated.

The conflict has been resolved on our side [1] and the resolution we
suggest is attached to this email. Please report any issues linked to
this conflict resolution as it might be used by others. If you worked on
the mentioned patches, don't hesitate to ACK this conflict resolution.
---------------------------

Rerere cache is available in [2].

1: https://github.com/multipath-tcp/mptcp_net-next/commit/c14d8597c9a0
2: https://github.com/multipath-tcp/mptcp-upstream-rr-cache/commit/d4699ea

> diff --git a/net/ipv4/icmp.c b/net/ipv4/icmp.c
> index 568bd1e95d44..d294666c68d9 100644
> --- a/net/ipv4/icmp.c
> +++ b/net/ipv4/icmp.c

(...)

>  bool icmp_build_probe(struct sk_buff *skb, struct icmphdr *icmphdr)
> @@ -1346,6 +1347,13 @@ bool icmp_build_probe(struct sk_buff *skb, struct icmphdr *icmphdr)
>  			if (iio->ident.addr.ctype3_hdr.addrlen != sizeof(struct in6_addr))
>  				goto send_mal_query;
>  			dev = ipv6_stub->ipv6_dev_find(net, &iio->ident.addr.ip_addr.ipv6_addr, dev);

The conflict was in the context: the commit in net-next modified this
line above, while the one in net added this block below.

> +			/*
> +			 * If IPv6 identifier lookup is unavailable, silently
> +			 * discard the request instead of misreporting NO_IF.
> +			 */
> +			if (IS_ERR(dev))
> +				return false;
> +
>  			dev_hold(dev);
>  			break;
>  #endif
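
Review bot: the new `if (IS_ERR(dev)) return false;` exits the function directly, while the address-length check just above it leaves through `goto send_mal_query`, and nothing in the hunk says what a false return means to the caller. Extending the comment to state that returning false means no reply is sent would make the contrast between the two paths explicit. The check also catches any error pointer, not only the ERR_PTR(-EAFNOSUPPORT) case the commit message describes, so the comment's "lookup is unavailable" wording is narrower than the condition it documents.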

----------------------- 8< -----------------------
diff --cc net/ipv4/icmp.c
index 2f4fac22d1ab,4e2a6c70dcd8..f1c715cc3800
--- a/net/ipv4/icmp.c
+++ b/net/ipv4/icmp.c
@@@ -1342,7 -1345,14 +1342,14 @@@ bool icmp_build_probe(struct sk_buff *s
  		case ICMP_AFI_IP6:
  			if (iio->ident.addr.ctype3_hdr.addrlen != sizeof(struct in6_addr))
  				goto send_mal_query;
 -			dev = ipv6_stub->ipv6_dev_find(net, &iio->ident.addr.ip_addr.ipv6_addr, dev);
 +			dev = ipv6_dev_find(net, &iio->ident.addr.ip_addr.ipv6_addr, dev);
+ 			/*
+ 			 * If IPv6 identifier lookup is unavailable, silently
+ 			 * discard the request instead of misreporting NO_IF.
+ 			 */
+ 			if (IS_ERR(dev))
+ 				return false;
+ 
  			dev_hold(dev);
  			break;
  #endif
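
Review bot: the `IS_ERR(dev)` block kept after the lookup line may have nothing left to catch, because the resolution takes the direct `ipv6_dev_find()` call from net-next while the commit message attributes the error pointer to `ipv6_stub->ipv6_dev_find()` returning ERR_PTR(-EAFNOSUPPORT) when the IPv6 stack is not active. Please confirm whether the direct call can still return an error pointer in net-next. If it cannot, the check and its comment could be dropped in the resolution; if it can, the comment should say which condition produces it, since "lookup is unavailable" describes the stub case.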
----------------------- 8< -----------------------

Cheers,
Matt
-- 
Sponsored by the NGI0 Core fund.
