Re: [PATCH 09/11 net-next v5] bpf: remove ipv6_bpf_stub completely and use direct function calls
From: Fernando Fernandez Mancera
Date: Wed Mar 25 2026 - 16:30:29 EST
On 3/25/26 8:11 PM, Martin KaFai Lau wrote:
On 3/25/26 5:08 AM, Fernando Fernandez Mancera wrote:
As IPv6 is built-in only, the ipv6_bpf_stub can be removed completely.
Convert all ipv6_bpf_stub usage to direct function calls instead. The
fallback functions introduced previously will prevent linkage errors
when CONFIG_IPV6 is disabled.
Thanks for working on this.
@@ -6221,8 +6215,8 @@ static int bpf_ipv4_fib_lookup(struct net *net, struct bpf_fib_lookup *params,
if (likely(nhc->nhc_gw_family != AF_INET6))
neigh = __ipv4_neigh_lookup_noref(dev,
(__force u32)params->ipv4_dst);
- else
- neigh = __ipv6_neigh_lookup_noref_stub(dev, params->ipv6_dst);
+ else if (IS_ENABLED(CONFIG_IPV6))
+ neigh = __ipv6_neigh_lookup_noref(dev, params->ipv6_dst);
Should it be ipv6_mod_enabled() instead of IS_ENABLED(CONFIG_IPV6)?
Is nd_tbl always initialized?
Hi Martin,
I don't think so. The IS_ENABLED(CONFIG_IPV6) check here is just to prevent an undefined reference when compiling with CONFIG_IPV6=n. Note that this code isn't reachable when ipv6.disable=1 is set at boot, as it would have crashed even before this change because ipv6_stub->nd_tbl is NULL if IPv6 has been disabled since boot.
We addressed the vulnerable paths already during this series:
https://lore.kernel.org/netdev/20260307-net-nd_tbl_fixes-v4-0-e2677e85628c@xxxxxxxx/#
if (!neigh || !(READ_ONCE(neigh->nud_state) & NUD_VALID))
return BPF_FIB_LKUP_RET_NO_NEIGH;
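Review bot: With the trailing `else` now conditional, `neigh` is left unassigned when `nhc->nhc_gw_family == AF_INET6` on a CONFIG_IPV6=n build, yet the `if (!neigh || ...)` test right after still reads it. The declaration of `neigh` is outside the hunk, so this is only safe if it is initialised there or if an IPv6 gateway can never be configured on such a kernel. Making the fallthrough explicit costs nothing: add a final `else` with `neigh = NULL;` so the lookup returns BPF_FIB_LKUP_RET_NO_NEIGH instead of depending on that invariant. bpf_ipv4_fib_lookup() begins and ends outside the hunk.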
@@ -6290,12 +6284,11 @@ static int bpf_ipv6_fib_lookup(struct net *net, struct bpf_fib_lookup *params,
params->tbid = 0;
}
- tb = ipv6_stub->fib6_get_table(net, tbid);
+ tb = fib6_get_table(net, tbid);
if (unlikely(!tb))
return BPF_FIB_LKUP_RET_NOT_FWDED;
- err = ipv6_stub->fib6_table_lookup(net, tb, oif, &fl6, &res,
- strict);
+ err = fib6_table_lookup(net, tb, oif, &fl6, &res, strict);
A similar question here and other changes in the patch.
I think bpf_ipv6_fib_lookup() is fine because the earlier
"!idev" check should fail when ipv6 is disabled at boot time?
Yes, the !idev check prevents us from reaching this path, so it is safe to call fib6_table_lookup().
While working on the series I have been trying to exploit these paths (this one and other changes in the series), so far I didn't find anything.
Thanks for the review!
Fernando.
} else {
if (flags & BPF_FIB_LOOKUP_MARK)
fl6.flowi6_mark = params->mark;
@@ -6305,7 +6298,7 @@ static int bpf_ipv6_fib_lookup(struct net *net, struct bpf_fib_lookup *params,
fl6.flowi6_tun_key.tun_id = 0;
fl6.flowi6_uid = sock_net_uid(net, NULL);
- err = ipv6_stub->fib6_lookup(net, oif, &fl6, &res, strict);
+ err = fib6_lookup(net, oif, &fl6, &res, strict);
}
if (unlikely(err || IS_ERR_OR_NULL(res.f6i) ||
@@ -6326,11 +6319,11 @@ static int bpf_ipv6_fib_lookup(struct net *net, struct bpf_fib_lookup *params,
return BPF_FIB_LKUP_RET_NOT_FWDED;
}
- ipv6_stub->fib6_select_path(net, &res, &fl6, fl6.flowi6_oif,
- fl6.flowi6_oif != 0, NULL, strict);
+ fib6_select_path(net, &res, &fl6, fl6.flowi6_oif,
+ fl6.flowi6_oif != 0, NULL, strict);
if (check_mtu) {
- mtu = ipv6_stub->ip6_mtu_from_fib6(&res, dst, src);
+ mtu = ip6_mtu_from_fib6(&res, dst, src);
if (params->tot_len > mtu) {
params->mtu_result = mtu; /* union with tot_len */
return BPF_FIB_LKUP_RET_FRAG_NEEDED;
@@ -6351,9 +6344,7 @@ static int bpf_ipv6_fib_lookup(struct net *net, struct bpf_fib_lookup *params,
if (res.f6i->fib6_prefsrc.plen) {
*src = res.f6i->fib6_prefsrc.addr;
} else {
- err = ipv6_bpf_stub->ipv6_dev_get_saddr(net, dev,
- &fl6.daddr, 0,
- src);
+ err = ipv6_dev_get_saddr(net, dev, &fl6.daddr, 0, src);
if (err)
return BPF_FIB_LKUP_RET_NO_SRC_ADDR;
}
@@ -6365,7 +6356,7 @@ static int bpf_ipv6_fib_lookup(struct net *net, struct bpf_fib_lookup *params,
/* xdp and cls_bpf programs are run in RCU-bh so rcu_read_lock_bh is
* not needed here.
*/
- neigh = __ipv6_neigh_lookup_noref_stub(dev, dst);
+ neigh = __ipv6_neigh_lookup_noref(dev, dst);
if (!neigh || !(READ_ONCE(neigh->nud_state) & NUD_VALID))
return BPF_FIB_LKUP_RET_NO_NEIGH;
memcpy(params->dmac, neigh->ha, ETH_ALEN);
@@ -6900,11 +6891,10 @@ static struct sock *sk_lookup(struct net *net, struct bpf_sock_tuple *tuple,
src6, tuple->ipv6.sport,
dst6, ntohs(tuple->ipv6.dport),
dif, sdif, &refcounted);
- else if (likely(ipv6_bpf_stub))
- sk = ipv6_bpf_stub->udp6_lib_lookup(net,
- src6, tuple->ipv6.sport,
- dst6, tuple->ipv6.dport,
- dif, sdif, NULL);
+ else if (likely(ipv6_mod_enabled()))
+ sk = __udp6_lib_lookup(net, src6, tuple->ipv6.sport,
+ dst6, tuple->ipv6.dport,
+ dif, sdif, NULL);
#endif
}
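Review bot: `likely(ipv6_mod_enabled())` is not the same guard as the old `likely(ipv6_bpf_stub)` it replaces in sk_lookup(). The stub pointer was published only at the very end of inet6_init(), after the `wmb()` (see the last af_inet6.c hunk), so it also stayed NULL if initialisation failed or had not finished, whereas ipv6_mod_enabled(), as far as I know, reflects only the ipv6.disable boot parameter. If the narrower guard is intended, record why next to it, e.g. `/* IPv6 is built-in: only ipv6.disable=1 needs to be checked here */`. sk_lookup() starts and ends outside the hunk.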
diff --git a/net/core/lwt_bpf.c b/net/core/lwt_bpf.c
index 9f40be0c3e71..f71ef82a5f3d 100644
--- a/net/core/lwt_bpf.c
+++ b/net/core/lwt_bpf.c
@@ -13,7 +13,6 @@
#include <net/gre.h>
#include <net/ip.h>
#include <net/ip6_route.h>
-#include <net/ipv6_stubs.h>
struct bpf_lwt_prog {
struct bpf_prog *prog;
@@ -103,7 +102,12 @@ static int bpf_lwt_input_reroute(struct sk_buff *skb)
dev_put(dev);
} else if (skb->protocol == htons(ETH_P_IPV6)) {
skb_dst_drop(skb);
- err = ipv6_stub->ipv6_route_input(skb);
+ if (IS_ENABLED(CONFIG_IPV6)) {
+ ip6_route_input(skb);
+ err = skb_dst(skb)->error;
+ } else {
+ err = -EAFNOSUPPORT;
+ }
} else {
err = -EAFNOSUPPORT;
}
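Review bot: The `IS_ENABLED(CONFIG_IPV6)` test in bpf_lwt_input_reroute() is compile-time only, so a kernel booted with ipv6.disable=1 now calls ip6_route_input() directly. Before this change the call went through `ipv6_stub`, which (per the af_inet6.c hunk) is switched to the real implementation only once IPv6 is ready; until then the default stub, as far as I recall, returned -EAFNOSUPPORT. Unless something outside the hunk already rejects ETH_P_IPV6 packets in that configuration, keep the runtime refusal, assuming the helper is declared for this file: `if (IS_ENABLED(CONFIG_IPV6) && ipv6_mod_enabled()) {`. The same applies to the `ip6_dst_lookup_flow()` call in the bpf_lwt_xmit_reroute() hunk below, which has no guard at all.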
@@ -233,7 +237,7 @@ static int bpf_lwt_xmit_reroute(struct sk_buff *skb)
fl6.daddr = iph6->daddr;
fl6.saddr = iph6->saddr;
- dst = ipv6_stub->ipv6_dst_lookup_flow(net, skb->sk, &fl6, NULL);
+ dst = ip6_dst_lookup_flow(net, skb->sk, &fl6, NULL);
if (IS_ERR(dst)) {
err = PTR_ERR(dst);
goto err;
diff --git a/net/ipv6/af_inet6.c b/net/ipv6/af_inet6.c
index bb29b29fdcfb..07ae6ea7743a 100644
--- a/net/ipv6/af_inet6.c
+++ b/net/ipv6/af_inet6.c
@@ -264,8 +264,8 @@ static int inet6_create(struct net *net, struct socket *sock, int protocol,
goto out;
}
-static int __inet6_bind(struct sock *sk, struct sockaddr_unsized *uaddr, int addr_len,
- u32 flags)
+int __inet6_bind(struct sock *sk, struct sockaddr_unsized *uaddr, int addr_len,
+ u32 flags)
{
struct sockaddr_in6 *addr = (struct sockaddr_in6 *)uaddr;
struct inet_sock *inet = inet_sk(sk);
@@ -1032,14 +1032,6 @@ static const struct ipv6_stub ipv6_stub_impl = {
.ip6_xmit = ip6_xmit,
};
-static const struct ipv6_bpf_stub ipv6_bpf_stub_impl = {
- .inet6_bind = __inet6_bind,
- .udp6_lib_lookup = __udp6_lib_lookup,
- .ipv6_setsockopt = do_ipv6_setsockopt,
- .ipv6_getsockopt = do_ipv6_getsockopt,
- .ipv6_dev_get_saddr = ipv6_dev_get_saddr,
-};
-
static int __init inet6_init(void)
{
struct list_head *r;
@@ -1199,7 +1191,6 @@ static int __init inet6_init(void)
/* ensure that ipv6 stubs are visible only after ipv6 is ready */
wmb();
ipv6_stub = &ipv6_stub_impl;
- ipv6_bpf_stub = &ipv6_bpf_stub_impl;
out:
return err;