sieni
/
linux
mirror of git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

net: prevent NULL deref in ip[6]tunnel_xmit() 

Blamed commit missed that both functions can be called with dev == NULL.

Also add unlikely() hints for these conditions that only fuzzers can hit.

Fixes: 6f1a9140ec ("net: add xmit recursion limit to tunnel xmit functions")
Signed-off-by: Eric Dumazet <edumazet@google.com>
CC: Weiming Shi <bestswngs@gmail.com>
Link: https://patch.msgid.link/20260312043908.2790803-1-edumazet@google.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
This commit is contained in:
Eric Dumazet 2026-03-12 04:39:08 +00:00 committed by Paolo Abeni
parent 87f7dff3ec
commit c38b8f5f79
2 changed files with 12 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
include/net/ip6_tunnel.h
View File

@ -156,10 +156,12 @@ static inline void ip6tunnel_xmit(struct sock *sk, struct sk_buff *skb,
{
int pkt_len, err;
if (dev_recursion_level() > IP_TUNNEL_RECURSION_LIMIT) {
net_crit_ratelimited("Dead loop on virtual device %s, fix it urgently!\n",
dev->name);
DEV_STATS_INC(dev, tx_errors);
if (unlikely(dev_recursion_level() > IP_TUNNEL_RECURSION_LIMIT)) {
if (dev) {
net_crit_ratelimited("Dead loop on virtual device %s, fix it urgently!\n",
dev->name);
DEV_STATS_INC(dev, tx_errors);
}
kfree_skb(skb);
return;
}

10
net/ipv4/ip_tunnel_core.c
View File

@ -58,10 +58,12 @@ void iptunnel_xmit(struct sock *sk, struct rtable *rt, struct sk_buff *skb,
struct iphdr *iph;
int err;
if (dev_recursion_level() > IP_TUNNEL_RECURSION_LIMIT) {
net_crit_ratelimited("Dead loop on virtual device %s, fix it urgently!\n",
dev->name);
DEV_STATS_INC(dev, tx_errors);
if (unlikely(dev_recursion_level() > IP_TUNNEL_RECURSION_LIMIT)) {
if (dev) {
net_crit_ratelimited("Dead loop on virtual device %s, fix it urgently!\n",
dev->name);
DEV_STATS_INC(dev, tx_errors);
}
ip_rt_put(rt);
kfree_skb(skb);
return;