From: Fernando Fernandez Mancera <fmancera@suse.de>
To: Martin KaFai Lau <martin.lau@linux.dev>
Cc: "Ricardo B. Marlière" <rbm@suse.com>,
"Daniel Borkmann" <daniel@iogearbox.net>,
"David S. Miller" <davem@davemloft.net>,
"David Ahern" <dsahern@kernel.org>,
"Eric Dumazet" <edumazet@google.com>,
"Jakub Kicinski" <kuba@kernel.org>,
"Paolo Abeni" <pabeni@redhat.com>,
"Simon Horman" <horms@kernel.org>,
"Alexei Starovoitov" <ast@kernel.org>,
"Andrii Nakryiko" <andrii@kernel.org>,
"Eduard Zingerman" <eddyz87@gmail.com>,
"Song Liu" <song@kernel.org>,
"Yonghong Song" <yonghong.song@linux.dev>,
"John Fastabend" <john.fastabend@gmail.com>,
"KP Singh" <kpsingh@kernel.org>,
"Stanislav Fomichev" <sdf@fomichev.me>,
"Hao Luo" <haoluo@google.com>, "Jiri Olsa" <jolsa@kernel.org>,
"Ido Schimmel" <idosch@nvidia.com>,
"Guillaume Nault" <gnault@redhat.com>,
linux-kernel@vger.kernel.org, bpf@vger.kernel.org,
netdev@vger.kernel.org
Subject: Re: [PATCH 09/11 net-next v5] bpf: remove ipv6_bpf_stub completely and use direct function calls
Date: Wed, 25 Mar 2026 21:29:53 +0100 [thread overview]
Message-ID: <99c37135-a1cc-4eb9-a910-ca38e129b5b0@suse.de> (raw)
In-Reply-To: <1ff47530-44ee-4012-a013-0202182de208@linux.dev>
On 3/25/26 8:11 PM, Martin KaFai Lau wrote:
> On 3/25/26 5:08 AM, Fernando Fernandez Mancera wrote:
>> As IPv6 is built-in only, the ipv6_bpf_stub can be removed completely.
>>
>> Convert all ipv6_bpf_stub usage to direct function calls instead. The
>> fallback functions introduced previously will prevent linkage errors
>> when CONFIG_IPV6 is disabled.
>
> Thanks for working on this.
>
>> @@ -6221,8 +6215,8 @@ static int bpf_ipv4_fib_lookup(struct net *net,
>> struct bpf_fib_lookup *params,
>> if (likely(nhc->nhc_gw_family != AF_INET6))
>> neigh = __ipv4_neigh_lookup_noref(dev,
>> (__force u32)params->ipv4_dst);
>> - else
>> - neigh = __ipv6_neigh_lookup_noref_stub(dev, params->ipv6_dst);
>> + else if (IS_ENABLED(CONFIG_IPV6))
>> + neigh = __ipv6_neigh_lookup_noref(dev, params->ipv6_dst);
>
> Should it be ipv6_mod_enabled() instead of IS_ENABLED(CONFIG_IPV6)?
> Is nd_tbl always initialized?
>
Hi Martin,
I don't think so. The IS_ENABLED(CONFIG_IPV6) check here is just to
prevent an undefined reference when compiling with CONFIG_IPV6=n. Note
that this code isn't reachable when ipv6.disable=1 is set during
booting, as it would have crashed even before this change because
ipv6_stub->nd_tbl is NULL if the IPV6 is disabled since booting.
We addressed the vulnerable paths already during this series:
https://lore.kernel.org/netdev/20260307-net-nd_tbl_fixes-v4-0-e2677e85628c@suse.com/#
>> if (!neigh || !(READ_ONCE(neigh->nud_state) & NUD_VALID))
>> return BPF_FIB_LKUP_RET_NO_NEIGH;
>> @@ -6290,12 +6284,11 @@ static int bpf_ipv6_fib_lookup(struct net
>> *net, struct bpf_fib_lookup *params,
>> params->tbid = 0;
>> }
>> - tb = ipv6_stub->fib6_get_table(net, tbid);
>> + tb = fib6_get_table(net, tbid);
>> if (unlikely(!tb))
>> return BPF_FIB_LKUP_RET_NOT_FWDED;
>> - err = ipv6_stub->fib6_table_lookup(net, tb, oif, &fl6, &res,
>> - strict);
>> + err = fib6_table_lookup(net, tb, oif, &fl6, &res, strict);
>
> A similar question here and other changes in the patch.
>
> I think bpf_ipv6_fib_lookup() is fine because the earlier
> "!idev" check should fail when ipv6 is disabled at boot time?
Yes, the !idev check prevents us to reach this path so it is safe to
call fib6_table_lookup().
While working on the series I have been trying to exploit these paths
(this one and other changes in the series), so far I didn't find anything.
Thanks for the review!
Fernando.
>
>> } else {
>> if (flags & BPF_FIB_LOOKUP_MARK)
>> fl6.flowi6_mark = params->mark;
>> @@ -6305,7 +6298,7 @@ static int bpf_ipv6_fib_lookup(struct net *net,
>> struct bpf_fib_lookup *params,
>> fl6.flowi6_tun_key.tun_id = 0;
>> fl6.flowi6_uid = sock_net_uid(net, NULL);
>> - err = ipv6_stub->fib6_lookup(net, oif, &fl6, &res, strict);
>> + err = fib6_lookup(net, oif, &fl6, &res, strict);
>> }
>> if (unlikely(err || IS_ERR_OR_NULL(res.f6i) ||
>> @@ -6326,11 +6319,11 @@ static int bpf_ipv6_fib_lookup(struct net
>> *net, struct bpf_fib_lookup *params,
>> return BPF_FIB_LKUP_RET_NOT_FWDED;
>> }
>> - ipv6_stub->fib6_select_path(net, &res, &fl6, fl6.flowi6_oif,
>> - fl6.flowi6_oif != 0, NULL, strict);
>> + fib6_select_path(net, &res, &fl6, fl6.flowi6_oif,
>> + fl6.flowi6_oif != 0, NULL, strict);
>> if (check_mtu) {
>> - mtu = ipv6_stub->ip6_mtu_from_fib6(&res, dst, src);
>> + mtu = ip6_mtu_from_fib6(&res, dst, src);
>> if (params->tot_len > mtu) {
>> params->mtu_result = mtu; /* union with tot_len */
>> return BPF_FIB_LKUP_RET_FRAG_NEEDED;
>> @@ -6351,9 +6344,7 @@ static int bpf_ipv6_fib_lookup(struct net *net,
>> struct bpf_fib_lookup *params,
>> if (res.f6i->fib6_prefsrc.plen) {
>> *src = res.f6i->fib6_prefsrc.addr;
>> } else {
>> - err = ipv6_bpf_stub->ipv6_dev_get_saddr(net, dev,
>> - &fl6.daddr, 0,
>> - src);
>> + err = ipv6_dev_get_saddr(net, dev, &fl6.daddr, 0, src);
>> if (err)
>> return BPF_FIB_LKUP_RET_NO_SRC_ADDR;
>> }
>> @@ -6365,7 +6356,7 @@ static int bpf_ipv6_fib_lookup(struct net *net,
>> struct bpf_fib_lookup *params,
>> /* xdp and cls_bpf programs are run in RCU-bh so
>> rcu_read_lock_bh is
>> * not needed here.
>> */
>> - neigh = __ipv6_neigh_lookup_noref_stub(dev, dst);
>> + neigh = __ipv6_neigh_lookup_noref(dev, dst);
>> if (!neigh || !(READ_ONCE(neigh->nud_state) & NUD_VALID))
>> return BPF_FIB_LKUP_RET_NO_NEIGH;
>> memcpy(params->dmac, neigh->ha, ETH_ALEN);
>> @@ -6900,11 +6891,10 @@ static struct sock *sk_lookup(struct net *net,
>> struct bpf_sock_tuple *tuple,
>> src6, tuple->ipv6.sport,
>> dst6, ntohs(tuple->ipv6.dport),
>> dif, sdif, &refcounted);
>> - else if (likely(ipv6_bpf_stub))
>> - sk = ipv6_bpf_stub->udp6_lib_lookup(net,
>> - src6, tuple->ipv6.sport,
>> - dst6, tuple->ipv6.dport,
>> - dif, sdif, NULL);
>> + else if (likely(ipv6_mod_enabled()))
>> + sk = __udp6_lib_lookup(net, src6, tuple->ipv6.sport,
>> + dst6, tuple->ipv6.dport,
>> + dif, sdif, NULL);
>> #endif
>> }
>> diff --git a/net/core/lwt_bpf.c b/net/core/lwt_bpf.c
>> index 9f40be0c3e71..f71ef82a5f3d 100644
>> --- a/net/core/lwt_bpf.c
>> +++ b/net/core/lwt_bpf.c
>> @@ -13,7 +13,6 @@
>> #include <net/gre.h>
>> #include <net/ip.h>
>> #include <net/ip6_route.h>
>> -#include <net/ipv6_stubs.h>
>> struct bpf_lwt_prog {
>> struct bpf_prog *prog;
>> @@ -103,7 +102,12 @@ static int bpf_lwt_input_reroute(struct sk_buff
>> *skb)
>> dev_put(dev);
>> } else if (skb->protocol == htons(ETH_P_IPV6)) {
>> skb_dst_drop(skb);
>> - err = ipv6_stub->ipv6_route_input(skb);
>> + if (IS_ENABLED(CONFIG_IPV6)) {
>> + ip6_route_input(skb);
>> + err = skb_dst(skb)->error;
>> + } else {
>> + err = -EAFNOSUPPORT;
>> + }
>> } else {
>> err = -EAFNOSUPPORT;
>> }
>> @@ -233,7 +237,7 @@ static int bpf_lwt_xmit_reroute(struct sk_buff *skb)
>> fl6.daddr = iph6->daddr;
>> fl6.saddr = iph6->saddr;
>> - dst = ipv6_stub->ipv6_dst_lookup_flow(net, skb->sk, &fl6, NULL);
>> + dst = ip6_dst_lookup_flow(net, skb->sk, &fl6, NULL);
>> if (IS_ERR(dst)) {
>> err = PTR_ERR(dst);
>> goto err;
>> diff --git a/net/ipv6/af_inet6.c b/net/ipv6/af_inet6.c
>> index bb29b29fdcfb..07ae6ea7743a 100644
>> --- a/net/ipv6/af_inet6.c
>> +++ b/net/ipv6/af_inet6.c
>> @@ -264,8 +264,8 @@ static int inet6_create(struct net *net, struct
>> socket *sock, int protocol,
>> goto out;
>> }
>> -static int __inet6_bind(struct sock *sk, struct sockaddr_unsized
>> *uaddr, int addr_len,
>> - u32 flags)
>> +int __inet6_bind(struct sock *sk, struct sockaddr_unsized *uaddr, int
>> addr_len,
>> + u32 flags)
>> {
>> struct sockaddr_in6 *addr = (struct sockaddr_in6 *)uaddr;
>> struct inet_sock *inet = inet_sk(sk);
>> @@ -1032,14 +1032,6 @@ static const struct ipv6_stub ipv6_stub_impl = {
>> .ip6_xmit = ip6_xmit,
>> };
>> -static const struct ipv6_bpf_stub ipv6_bpf_stub_impl = {
>> - .inet6_bind = __inet6_bind,
>> - .udp6_lib_lookup = __udp6_lib_lookup,
>> - .ipv6_setsockopt = do_ipv6_setsockopt,
>> - .ipv6_getsockopt = do_ipv6_getsockopt,
>> - .ipv6_dev_get_saddr = ipv6_dev_get_saddr,
>> -};
>> -
>> static int __init inet6_init(void)
>> {
>> struct list_head *r;
>> @@ -1199,7 +1191,6 @@ static int __init inet6_init(void)
>> /* ensure that ipv6 stubs are visible only after ipv6 is ready */
>> wmb();
>> ipv6_stub = &ipv6_stub_impl;
>> - ipv6_bpf_stub = &ipv6_bpf_stub_impl;
>> out:
>> return err;
>
next prev parent reply other threads:[~2026-03-25 20:30 UTC|newest]
Thread overview: 19+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-03-25 12:08 [PATCH 00/11 net-next v5] Convert CONFIG_IPV6 to built-in and remove stubs Fernando Fernandez Mancera
2026-03-25 12:08 ` [PATCH 01/11 net-next v5] ipv6: convert CONFIG_IPV6 to built-in only and clean up Kconfigs Fernando Fernandez Mancera
2026-03-25 12:08 ` [PATCH 02/11 net-next v5] net: remove EXPORT_IPV6_MOD() and EXPORT_IPV6_MOD_GPL() macros Fernando Fernandez Mancera
2026-03-25 12:08 ` [PATCH 03/11 net-next v5] ipv6: replace IS_BUILTIN(CONFIG_IPV6) with IS_ENABLED(CONFIG_IPV6) Fernando Fernandez Mancera
2026-03-25 17:33 ` Martin KaFai Lau
2026-03-25 12:08 ` [PATCH 04/11 net-next v5] ipv6: remove dynamic ICMPv6 sender registration infrastructure Fernando Fernandez Mancera
2026-03-25 12:08 ` [PATCH 05/11 net-next v5] ipv6: prepare headers for ipv6_stub removal Fernando Fernandez Mancera
2026-03-25 12:08 ` [PATCH 06/11 net-next v5] drivers: net: drop ipv6_stub usage and use direct function calls Fernando Fernandez Mancera
2026-03-25 12:08 ` [PATCH 07/11 net-next v5] ipv4: " Fernando Fernandez Mancera
2026-03-25 12:08 ` [PATCH 08/11 net-next v5] net: convert remaining ipv6_stub users to " Fernando Fernandez Mancera
2026-03-25 12:08 ` [PATCH 09/11 net-next v5] bpf: remove ipv6_bpf_stub completely and use " Fernando Fernandez Mancera
2026-03-25 19:11 ` Martin KaFai Lau
2026-03-25 20:29 ` Fernando Fernandez Mancera [this message]
2026-03-25 21:36 ` Martin KaFai Lau
2026-03-25 22:40 ` David Ahern
2026-03-25 23:41 ` Fernando Fernandez Mancera
2026-03-26 16:27 ` David Ahern
2026-03-25 12:08 ` [PATCH 10/11 net-next v5] ipv6: remove ipv6_stub infrastructure completely Fernando Fernandez Mancera
2026-03-25 12:08 ` [PATCH 11/11 net-next v5] netfilter: remove nf_ipv6_ops and use direct function calls Fernando Fernandez Mancera
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=99c37135-a1cc-4eb9-a910-ca38e129b5b0@suse.de \
--to=fmancera@suse.de \
--cc=andrii@kernel.org \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=daniel@iogearbox.net \
--cc=davem@davemloft.net \
--cc=dsahern@kernel.org \
--cc=eddyz87@gmail.com \
--cc=edumazet@google.com \
--cc=gnault@redhat.com \
--cc=haoluo@google.com \
--cc=horms@kernel.org \
--cc=idosch@nvidia.com \
--cc=john.fastabend@gmail.com \
--cc=jolsa@kernel.org \
--cc=kpsingh@kernel.org \
--cc=kuba@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=martin.lau@linux.dev \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=rbm@suse.com \
--cc=sdf@fomichev.me \
--cc=song@kernel.org \
--cc=yonghong.song@linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox