From: Weiming Shi <bestswngs@gmail.com>
To: Eric Dumazet <edumazet@google.com>
Cc: "David S . Miller" <davem@davemloft.net>,
Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>,
Simon Horman <horms@kernel.org>,
netdev@vger.kernel.org, eric.dumazet@gmail.com
Subject: Re: [PATCH v2 net] net: prevent NULL deref in ip[6]tunnel_xmit()
Date: Thu, 12 Mar 2026 13:23:13 +0800
Message-ID: <abJNwYsvfTj0jzMr@SLSGDTSWING002>
In-Reply-To: <20260312043908.2790803-1-edumazet@google.com>

On 26-03-12 04:39, Eric Dumazet wrote:
> Blamed commit missed that both functions can be called with dev == NULL.
>
> Also add unlikely() hints for these conditions that only fuzzers can hit.

Hi Eric,

Thank you for the quick fix. I missed the NULL dev case despite the
existing `if (dev)` guard in iptunnel_xmit().

Thanks,
Weiming Shi

> Fixes: 6f1a9140ecda ("net: add xmit recursion limit to tunnel xmit functions")
> Signed-off-by: Eric Dumazet <edumazet@google.com>
> CC: Weiming Shi <bestswngs@gmail.com>
> ---
>
> I am sending v2 without the usual ~24 hours delay, hoping to catch our PR today.
>
> v2: avoid DEV_STATS_INC(NULL, tx_errors) as well.
> add unlikely() hints.
>
> include/net/ip6_tunnel.h | 10 ++++++----
> net/ipv4/ip_tunnel_core.c | 10 ++++++----
> 2 files changed, 12 insertions(+), 8 deletions(-)
>
> diff --git a/include/net/ip6_tunnel.h b/include/net/ip6_tunnel.h
> index 1253cbb4b0a45f1c62999be21931ca31b596697f..359b595f1df93663b3e32c006d936427e8c8b20c 100644
> --- a/include/net/ip6_tunnel.h
> +++ b/include/net/ip6_tunnel.h
> @@ -156,10 +156,12 @@ static inline void ip6tunnel_xmit(struct sock *sk, struct sk_buff *skb,
> {
> int pkt_len, err;
>
> - if (dev_recursion_level() > IP_TUNNEL_RECURSION_LIMIT) {
> - net_crit_ratelimited("Dead loop on virtual device %s, fix it urgently!\n",
> - dev->name);
> - DEV_STATS_INC(dev, tx_errors);
> + if (unlikely(dev_recursion_level() > IP_TUNNEL_RECURSION_LIMIT)) {
> + if (dev) {
> + net_crit_ratelimited("Dead loop on virtual device %s, fix it urgently!\n",
> + dev->name);
> + DEV_STATS_INC(dev, tx_errors);
> + }
> kfree_skb(skb);
> return;
> }
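
Review bot: with the new `if (dev)` wrapper in the recursion-limit branch of ip6tunnel_xmit(), a call with dev == NULL now frees the skb without a log line and without a tx_errors increment, so a dead loop reached on that path leaves nothing for an operator to see. Consider keeping net_crit_ratelimited() unconditional and printing a placeholder name when dev is NULL, with only DEV_STATS_INC(dev, tx_errors) left under the guard.
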
> diff --git a/net/ipv4/ip_tunnel_core.c b/net/ipv4/ip_tunnel_core.c
> index b1b6bf949f65ab7a09ba201d48aa204d913f146d..5683c328990f49df2954af9d890b5f24150caeb2 100644
> --- a/net/ipv4/ip_tunnel_core.c
> +++ b/net/ipv4/ip_tunnel_core.c
> @@ -58,10 +58,12 @@ void iptunnel_xmit(struct sock *sk, struct rtable *rt, struct sk_buff *skb,
> struct iphdr *iph;
> int err;
>
> - if (dev_recursion_level() > IP_TUNNEL_RECURSION_LIMIT) {
> - net_crit_ratelimited("Dead loop on virtual device %s, fix it urgently!\n",
> - dev->name);
> - DEV_STATS_INC(dev, tx_errors);
> + if (unlikely(dev_recursion_level() > IP_TUNNEL_RECURSION_LIMIT)) {
> + if (dev) {
> + net_crit_ratelimited("Dead loop on virtual device %s, fix it urgently!\n",
> + dev->name);
> + DEV_STATS_INC(dev, tx_errors);
> + }
> ip_rt_put(rt);
> kfree_skb(skb);
> return;
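
Review bot: the guarded block in the recursion-limit branch of iptunnel_xmit() is a line-for-line copy of the one added to ip6tunnel_xmit() in include/net/ip6_tunnel.h, and the blamed commit got both copies wrong in the same way. A small shared helper for the log-and-count step would keep the two from drifting apart again; failing that, a one-line comment above `if (dev)` stating that dev may be NULL here would record the contract, since nothing in the hunk or the commit message says which callers pass NULL.
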
> --
> 2.53.0.473.g4a7958ca14-goog
>