[PATCH net] ipv4: icmp: fix null-ptr-deref in icmp_build_probe()

[PATCH net] ipv4: icmp: fix null-ptr-deref in icmp_build_probe()

[Yiqi Sun]

ipv6_stub->ipv6_dev_find() may return ERR_PTR(-EAFNOSUPPORT) when the
IPv6 stack is not active (CONFIG_IPV6=m and not loaded), and passing
this error pointer to dev_hold() will cause a kernel crash with
null-ptr-deref.

Instead, silently discard the request. RFC 8335 does not appear to
define a specific response for the case where an IPv6 interface
identifier is syntactically valid but the implementation cannot perform
the lookup at runtime, and silently dropping the request may safer than
misreporting "No Such Interface".

Fixes: d329ea5bd884 ("icmp: add response to RFC 8335 PROBE messages")
Signed-off-by: Yiqi Sun <sunyiqixm@gmail.com>
---
 net/ipv4/icmp.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/net/ipv4/icmp.c b/net/ipv4/icmp.c
index 568bd1e95d44..d294666c68d9 100644
--- a/net/ipv4/icmp.c
+++ b/net/ipv4/icmp.c
@@ -1270,7 +1270,8 @@ static enum skb_drop_reason icmp_echo(struct sk_buff *skb)
  *	Searches for net_device that matches PROBE interface identifier
  *		and builds PROBE reply message in icmphdr.
  *
- *	Returns false if PROBE responses are disabled via sysctl
+ *	Returns false if PROBE responses are disabled via sysctl or
+ *	the request should be silently discarded.
  */
 
 bool icmp_build_probe(struct sk_buff *skb, struct icmphdr *icmphdr)
@@ -1346,6 +1347,13 @@ bool icmp_build_probe(struct sk_buff *skb, struct icmphdr *icmphdr)
 			if (iio->ident.addr.ctype3_hdr.addrlen != sizeof(struct in6_addr))
 				goto send_mal_query;
 			dev = ipv6_stub->ipv6_dev_find(net, &iio->ident.addr.ip_addr.ipv6_addr, dev);
+			/*
+			 * If IPv6 identifier lookup is unavailable, silently
+			 * discard the request instead of misreporting NO_IF.
+			 */
+			if (IS_ERR(dev))
+				return false;
+
 			dev_hold(dev);
 			break;
 #endif
-- 
2.34.1

Re: [PATCH net] ipv4: icmp: fix null-ptr-deref in icmp_build_probe()

[Jakub Kicinski]

On Thu,  2 Apr 2026 15:04:19 +0800 Yiqi Sun wrote:
> Instead, silently discard the request. RFC 8335 does not appear to
> define a specific response for the case where an IPv6 interface
> identifier is syntactically valid but the implementation cannot perform
> the lookup at runtime, and silently dropping the request may safer than
> misreporting "No Such Interface".

Well, my intuition would be to fall thru and make the check after the
switch handle error pointers. But I guess this version gives us the
opportunity to delete the just-added check on net->net-next merge so ok.

Re: [PATCH net] ipv4: icmp: fix null-ptr-deref in icmp_build_probe()

[patchwork-bot+netdevbpf]

Hello:

This patch was applied to netdev/net.git (main)
by Jakub Kicinski <kuba@kernel.org>:

On Thu,  2 Apr 2026 15:04:19 +0800 you wrote:
> ipv6_stub->ipv6_dev_find() may return ERR_PTR(-EAFNOSUPPORT) when the
> IPv6 stack is not active (CONFIG_IPV6=m and not loaded), and passing
> this error pointer to dev_hold() will cause a kernel crash with
> null-ptr-deref.
> 
> Instead, silently discard the request. RFC 8335 does not appear to
> define a specific response for the case where an IPv6 interface
> identifier is syntactically valid but the implementation cannot perform
> the lookup at runtime, and silently dropping the request may safer than
> misreporting "No Such Interface".
> 
> [...]

Here is the summary with links:
  - [net] ipv4: icmp: fix null-ptr-deref in icmp_build_probe()
    https://git.kernel.org/netdev/net/c/fde29fd93493

You are awesome, thank you!
-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html

Re: [PATCH net] ipv4: icmp: fix null-ptr-deref in icmp_build_probe(): manual merge

[Matthieu Baerts]

Hello,

+cc linux-next

On 02/04/2026 09:04, Yiqi Sun wrote:
> ipv6_stub->ipv6_dev_find() may return ERR_PTR(-EAFNOSUPPORT) when the
> IPv6 stack is not active (CONFIG_IPV6=m and not loaded), and passing
> this error pointer to dev_hold() will cause a kernel crash with
> null-ptr-deref.
> 
> Instead, silently discard the request. RFC 8335 does not appear to
> define a specific response for the case where an IPv6 interface
> identifier is syntactically valid but the implementation cannot perform
> the lookup at runtime, and silently dropping the request may safer than
> misreporting "No Such Interface".

FYI, we got a small conflict when merging 'net' in 'net-next' in the
MPTCP tree due to this patch applied in 'net':

  fde29fd93493 ("ipv4: icmp: fix null-ptr-deref in icmp_build_probe()")

and this one from 'net-next':

  d98adfbdd5c0 ("ipv4: drop ipv6_stub usage and use direct function calls")

----- Generic Message -----
The best is to avoid conflicts between 'net' and 'net-next' trees but if
they cannot be avoided when preparing patches, a note about how to fix
them is much appreciated.

The conflict has been resolved on our side [1] and the resolution we
suggest is attached to this email. Please report any issues linked to
this conflict resolution as it might be used by others. If you worked on
the mentioned patches, don't hesitate to ACK this conflict resolution.
---------------------------

Rerere cache is available in [2].

1: https://github.com/multipath-tcp/mptcp_net-next/commit/c14d8597c9a0
2: https://github.com/multipath-tcp/mptcp-upstream-rr-cache/commit/d4699ea

> diff --git a/net/ipv4/icmp.c b/net/ipv4/icmp.c
> index 568bd1e95d44..d294666c68d9 100644
> --- a/net/ipv4/icmp.c
> +++ b/net/ipv4/icmp.c

(...)

>  bool icmp_build_probe(struct sk_buff *skb, struct icmphdr *icmphdr)
> @@ -1346,6 +1347,13 @@ bool icmp_build_probe(struct sk_buff *skb, struct icmphdr *icmphdr)
>  			if (iio->ident.addr.ctype3_hdr.addrlen != sizeof(struct in6_addr))
>  				goto send_mal_query;
>  			dev = ipv6_stub->ipv6_dev_find(net, &iio->ident.addr.ip_addr.ipv6_addr, dev);

The conflict was in the context: the commit in net-next modified this
line above, while the one in net added this block below.

> +			/*
> +			 * If IPv6 identifier lookup is unavailable, silently
> +			 * discard the request instead of misreporting NO_IF.
> +			 */
> +			if (IS_ERR(dev))
> +				return false;
> +
>  			dev_hold(dev);
>  			break;
>  #endif

----------------------- 8< -----------------------
diff --cc net/ipv4/icmp.c
index 2f4fac22d1ab,4e2a6c70dcd8..f1c715cc3800
--- a/net/ipv4/icmp.c
+++ b/net/ipv4/icmp.c
@@@ -1342,7 -1345,14 +1342,14 @@@ bool icmp_build_probe(struct sk_buff *s
  		case ICMP_AFI_IP6:
  			if (iio->ident.addr.ctype3_hdr.addrlen != sizeof(struct in6_addr))
  				goto send_mal_query;
 -			dev = ipv6_stub->ipv6_dev_find(net, &iio->ident.addr.ip_addr.ipv6_addr, dev);
 +			dev = ipv6_dev_find(net, &iio->ident.addr.ip_addr.ipv6_addr, dev);
+ 			/*
+ 			 * If IPv6 identifier lookup is unavailable, silently
+ 			 * discard the request instead of misreporting NO_IF.
+ 			 */
+ 			if (IS_ERR(dev))
+ 				return false;
+ 
  			dev_hold(dev);
  			break;
  #endif
----------------------- 8< -----------------------

Cheers,
Matt
-- 
Sponsored by the NGI0 Core fund.

Re: [PATCH net] ipv4: icmp: fix null-ptr-deref in icmp_build_probe(): manual merge

[Jakub Kicinski]

On Mon, 6 Apr 2026 12:48:28 +0200 Matthieu Baerts wrote:
>  -			dev = ipv6_stub->ipv6_dev_find(net, &iio->ident.addr.ip_addr.ipv6_addr, dev);
>  +			dev = ipv6_dev_find(net, &iio->ident.addr.ip_addr.ipv6_addr, dev);
> + 			/*
> + 			 * If IPv6 identifier lookup is unavailable, silently
> + 			 * discard the request instead of misreporting NO_IF.
> + 			 */
> + 			if (IS_ERR(dev))
> + 				return false;
> + 
>   			dev_hold(dev);
>   			break;

See my reply, AFAIU we can just delete this new check in net-next.

Re: [PATCH net] ipv4: icmp: fix null-ptr-deref in icmp_build_probe(): manual merge

[Matthieu Baerts]

Hi Jakub,

Thank you for your reply!

On 06/04/2026 17:36, Jakub Kicinski wrote:
> On Mon, 6 Apr 2026 12:48:28 +0200 Matthieu Baerts wrote:
>>  -			dev = ipv6_stub->ipv6_dev_find(net, &iio->ident.addr.ip_addr.ipv6_addr, dev);
>>  +			dev = ipv6_dev_find(net, &iio->ident.addr.ip_addr.ipv6_addr, dev);
>> + 			/*
>> + 			 * If IPv6 identifier lookup is unavailable, silently
>> + 			 * discard the request instead of misreporting NO_IF.
>> + 			 */
>> + 			if (IS_ERR(dev))
>> + 				return false;
>> + 
>>   			dev_hold(dev);
>>   			break;
> 
> See my reply, AFAIU we can just delete this new check in net-next.

Good idea.

Should this not be done in an explicit patch, rather than "hidden"
during the merge?

Cheers,
Matt
-- 
Sponsored by the NGI0 Core fund.

Re: [PATCH net] ipv4: icmp: fix null-ptr-deref in icmp_build_probe(): manual merge

[Jakub Kicinski]

On Mon, 6 Apr 2026 18:10:14 +0200 Matthieu Baerts wrote:
> On 06/04/2026 17:36, Jakub Kicinski wrote:
> > On Mon, 6 Apr 2026 12:48:28 +0200 Matthieu Baerts wrote:  
> >>  -			dev = ipv6_stub->ipv6_dev_find(net, &iio->ident.addr.ip_addr.ipv6_addr, dev);
> >>  +			dev = ipv6_dev_find(net, &iio->ident.addr.ip_addr.ipv6_addr, dev);
> >> + 			/*
> >> + 			 * If IPv6 identifier lookup is unavailable, silently
> >> + 			 * discard the request instead of misreporting NO_IF.
> >> + 			 */
> >> + 			if (IS_ERR(dev))
> >> + 				return false;
> >> + 
> >>   			dev_hold(dev);
> >>   			break;  
> > 
> > See my reply, AFAIU we can just delete this new check in net-next.  
> 
> Good idea.
> 
> Should this not be done in an explicit patch, rather than "hidden"
> during the merge?

Dunno, it's not a huge change, feels like a good fit for a merge.