[PATCH v2 net-next 0/2] ipv6: frags: adopt __in6_dev_stats_get() a bit more

[PATCH v2 net-next 0/2] ipv6: frags: adopt __in6_dev_stats_get() a bit more

[Eric Dumazet]

First patch addresses Sashiko's feedback about a potential
NULL dereference in __in6_dev_stats_get().

Second patch adopts __in6_dev_stats_get() in net/ipv6/reassembly.c.

Eric Dumazet (2):
  ipv6: guard against possible NULL deref in __in6_dev_stats_get()
  ipv6: frags: cleanup __IP6_INC_STATS() confusion

 include/net/addrconf.h |  5 ++++-
 net/ipv6/reassembly.c  | 46 +++++++++++++++++++-----------------------
 2 files changed, 25 insertions(+), 26 deletions(-)

-- 
2.54.0.746.g67dd491aae-goog

[PATCH v2 net-next 1/2] ipv6: guard against possible NULL deref in __in6_dev_stats_get()

[Eric Dumazet]

dev_get_by_index_rcu() could return NULL if the original physical
device is unregistered.

Found by Sashiko.

Fixes: e1ae5c2ea478 ("vrf: Increment Icmp6InMsgs on the original netdev")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Stephen Suryaputra <ssuryaextr@gmail.com>
---
 include/net/addrconf.h | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/include/net/addrconf.h b/include/net/addrconf.h
index 9e96776945e5f67f2bf2293c24975e6d6064aeda..539bbbe54b14e8108ff7304d7a08bc605655cc31 100644
--- a/include/net/addrconf.h
+++ b/include/net/addrconf.h
@@ -369,8 +369,11 @@ static inline struct inet6_dev *__in6_dev_get_rtnl_net(const struct net_device *
 static inline struct inet6_dev *__in6_dev_stats_get(const struct net_device *dev,
 						    const struct sk_buff *skb)
 {
-	if (netif_is_l3_master(dev))
+	if (netif_is_l3_master(dev)) {
 		dev = dev_get_by_index_rcu(dev_net(dev), inet6_iif(skb));
+		if (!dev)
+			return NULL;
+	}
 	return __in6_dev_get(dev);
 }
 
-- 
2.54.0.746.g67dd491aae-goog

[PATCH v2 net-next 2/2] ipv6: frags: cleanup __IP6_INC_STATS() confusion

[Eric Dumazet]

After commits e1ae5c2ea478 ("vrf: Increment Icmp6InMsgs on the original
netdev") and bdb7cc643fc9 ("ipv6: Count interface receive statistics
on the ingress netdev") net/ipv6/reassembly.c uses three different
ways to reach idev in various __IP6_INC_STATS() calls.

- ip6_dst_idev(skb_dst(skb))
- __in6_dev_get_safely(skb->dev)
- __in6_dev_stats_get(skb->dev)

Lets centralize this from ipv6_frag_rcv() and use __in6_dev_stats_get().

Note that ipv6_frag_rcv() tests if skb->dev could be NULL already, so
I chose to also guard against NULL, but we probably can remove the
tests in a followup patch, because I do not think skb->dev could be NULL.

iif = skb->dev ? skb->dev->ifindex : 0;

idev can be NULL, __IP6_INC_STATS() deals with this possibility.

Small code size reduction as a bonus.

$ scripts/bloat-o-meter -t vmlinux.old vmlinux.new
add/remove: 0/0 grow/shrink: 0/2 up/down: 0/-145 (-145)
Function                                     old     new   delta
ipv6_frag_rcv                               2399    2362     -37
ip6_frag_reasm                               705     597    -108
Total: Before=31455552, After=31455407, chg -0.00%

Signed-off-by: Eric Dumazet <edumazet@google.com>
---
 net/ipv6/reassembly.c | 46 ++++++++++++++++++++-----------------------
 1 file changed, 21 insertions(+), 25 deletions(-)

diff --git a/net/ipv6/reassembly.c b/net/ipv6/reassembly.c
index 11f9144bebbe2cf0152992c526fb6728f83f462d..05c51f669754a1a10e944bb7c4433565bcaacb40 100644
--- a/net/ipv6/reassembly.c
+++ b/net/ipv6/reassembly.c
@@ -69,7 +69,7 @@ static struct inet_frags ip6_frags;
 
 static int ip6_frag_reasm(struct frag_queue *fq, struct sk_buff *skb,
 			  struct sk_buff *prev_tail, struct net_device *dev,
-			  int *refs);
+			  struct inet6_dev *idev, int *refs);
 
 static void ip6_frag_expire(struct timer_list *t)
 {
@@ -107,7 +107,8 @@ fq_find(struct net *net, __be32 id, const struct ipv6hdr *hdr, int iif)
 static int ip6_frag_queue(struct net *net,
 			  struct frag_queue *fq, struct sk_buff *skb,
 			  struct frag_hdr *fhdr, int nhoff,
-			  u32 *prob_offset, int *refs)
+			  u32 *prob_offset, int *refs,
+			  struct inet6_dev *idev)
 {
 	int offset, end, fragsize;
 	struct sk_buff *prev_tail;
@@ -133,8 +134,7 @@ static int ip6_frag_queue(struct net *net,
 		 * we do not free it here.
 		 */
 		inet_frag_kill(&fq->q, refs);
-		__IP6_INC_STATS(net, ip6_dst_idev(skb_dst(skb)),
-				IPSTATS_MIB_REASMFAILS);
+		__IP6_INC_STATS(net, idev, IPSTATS_MIB_REASMFAILS);
 		return -1;
 	}
 
@@ -167,8 +167,7 @@ static int ip6_frag_queue(struct net *net,
 			 */
 			*prob_offset = offsetof(struct ipv6hdr, payload_len);
 			inet_frag_kill(&fq->q, refs);
-			__IP6_INC_STATS(net, ip6_dst_idev(skb_dst(skb)),
-					IPSTATS_MIB_REASMFAILS);
+			__IP6_INC_STATS(net, idev, IPSTATS_MIB_REASMFAILS);
 			return -1;
 		}
 		if (end > fq->q.len) {
@@ -227,7 +226,7 @@ static int ip6_frag_queue(struct net *net,
 		unsigned long orefdst = skb->_skb_refdst;
 
 		skb->_skb_refdst = 0UL;
-		err = ip6_frag_reasm(fq, skb, prev_tail, dev, refs);
+		err = ip6_frag_reasm(fq, skb, prev_tail, dev, idev, refs);
 		skb->_skb_refdst = orefdst;
 		return err;
 	}
@@ -242,12 +241,10 @@ static int ip6_frag_queue(struct net *net,
 		goto err;
 	}
 	err = -EINVAL;
-	__IP6_INC_STATS(net, ip6_dst_idev(skb_dst(skb)),
-			IPSTATS_MIB_REASM_OVERLAPS);
+	__IP6_INC_STATS(net, idev, IPSTATS_MIB_REASM_OVERLAPS);
 discard_fq:
 	inet_frag_kill(&fq->q, refs);
-	__IP6_INC_STATS(net, ip6_dst_idev(skb_dst(skb)),
-			IPSTATS_MIB_REASMFAILS);
+	__IP6_INC_STATS(net, idev, IPSTATS_MIB_REASMFAILS);
 err:
 	kfree_skb_reason(skb, reason);
 	return err;
@@ -262,7 +259,7 @@ static int ip6_frag_queue(struct net *net,
  */
 static int ip6_frag_reasm(struct frag_queue *fq, struct sk_buff *skb,
 			  struct sk_buff *prev_tail, struct net_device *dev,
-			  int *refs)
+			  struct inet6_dev *idev, int *refs)
 {
 	struct net *net = fq->q.fqdir->net;
 	unsigned int nhoff;
@@ -311,7 +308,7 @@ static int ip6_frag_reasm(struct frag_queue *fq, struct sk_buff *skb,
 	skb_postpush_rcsum(skb, skb_network_header(skb),
 			   skb_network_header_len(skb));
 
-	__IP6_INC_STATS(net, __in6_dev_stats_get(dev, skb), IPSTATS_MIB_REASMOKS);
+	__IP6_INC_STATS(net, idev, IPSTATS_MIB_REASMOKS);
 	fq->q.rb_fragments = RB_ROOT;
 	fq->q.fragments_tail = NULL;
 	fq->q.last_run_head = NULL;
@@ -323,7 +320,7 @@ static int ip6_frag_reasm(struct frag_queue *fq, struct sk_buff *skb,
 out_oom:
 	net_dbg_ratelimited("ip6_frag_reasm: no memory for reassembly\n");
 out_fail:
-	__IP6_INC_STATS(net, __in6_dev_stats_get(dev, skb), IPSTATS_MIB_REASMFAILS);
+	__IP6_INC_STATS(net, idev, IPSTATS_MIB_REASMFAILS);
 	inet_frag_kill(&fq->q, refs);
 	return -1;
 }
@@ -332,15 +329,18 @@ static int ipv6_frag_rcv(struct sk_buff *skb)
 {
 	const struct ipv6hdr *hdr = ipv6_hdr(skb);
 	struct net *net = skb_dst_dev_net(skb);
+	struct inet6_dev *idev;
 	struct frag_hdr *fhdr;
 	struct frag_queue *fq;
 	u8 nexthdr;
 	int iif;
 
+	idev = skb->dev ? __in6_dev_stats_get(skb->dev, skb) : NULL;
+
 	if (IP6CB(skb)->flags & IP6SKB_FRAGMENTED)
 		goto fail_hdr;
 
-	__IP6_INC_STATS(net, ip6_dst_idev(skb_dst(skb)), IPSTATS_MIB_REASMREQDS);
+	__IP6_INC_STATS(net, idev, IPSTATS_MIB_REASMREQDS);
 
 	/* Jumbo payload inhibits frag. header */
 	if (hdr->payload_len == 0)
@@ -356,8 +356,7 @@ static int ipv6_frag_rcv(struct sk_buff *skb)
 	if (!(fhdr->frag_off & htons(IP6_OFFSET | IP6_MF))) {
 		/* It is not a fragmented frame */
 		skb->transport_header += sizeof(struct frag_hdr);
-		__IP6_INC_STATS(net,
-				ip6_dst_idev(skb_dst(skb)), IPSTATS_MIB_REASMOKS);
+		__IP6_INC_STATS(net, idev, IPSTATS_MIB_REASMOKS);
 
 		IP6CB(skb)->nhoff = (u8 *)fhdr - skb_network_header(skb);
 		IP6CB(skb)->flags |= IP6SKB_FRAGMENTED;
@@ -374,8 +373,7 @@ static int ipv6_frag_rcv(struct sk_buff *skb)
 	 */
 	nexthdr = hdr->nexthdr;
 	if (ipv6frag_thdr_truncated(skb, skb_network_offset(skb) + sizeof(struct ipv6hdr), &nexthdr)) {
-		__IP6_INC_STATS(net, __in6_dev_get_safely(skb->dev),
-				IPSTATS_MIB_INHDRERRORS);
+		__IP6_INC_STATS(net, idev, IPSTATS_MIB_INHDRERRORS);
 		icmpv6_param_prob(skb, ICMPV6_HDR_INCOMP, 0);
 		return -1;
 	}
@@ -391,14 +389,13 @@ static int ipv6_frag_rcv(struct sk_buff *skb)
 
 		fq->iif = iif;
 		ret = ip6_frag_queue(net, fq, skb, fhdr, IP6CB(skb)->nhoff,
-				     &prob_offset, &refs);
+				     &prob_offset, &refs, idev);
 
 		spin_unlock(&fq->q.lock);
 		rcu_read_unlock();
 		inet_frag_putn(&fq->q, refs);
 		if (prob_offset) {
-			__IP6_INC_STATS(net, __in6_dev_get_safely(skb->dev),
-					IPSTATS_MIB_INHDRERRORS);
+			__IP6_INC_STATS(net, idev, IPSTATS_MIB_INHDRERRORS);
 			/* icmpv6_param_prob() calls kfree_skb(skb) */
 			icmpv6_param_prob(skb, ICMPV6_HDR_FIELD, prob_offset);
 		}
@@ -406,13 +403,12 @@ static int ipv6_frag_rcv(struct sk_buff *skb)
 	}
 	rcu_read_unlock();
 
-	__IP6_INC_STATS(net, ip6_dst_idev(skb_dst(skb)), IPSTATS_MIB_REASMFAILS);
+	__IP6_INC_STATS(net, idev, IPSTATS_MIB_REASMFAILS);
 	kfree_skb(skb);
 	return -1;
 
 fail_hdr:
-	__IP6_INC_STATS(net, __in6_dev_get_safely(skb->dev),
-			IPSTATS_MIB_INHDRERRORS);
+	__IP6_INC_STATS(net, idev, IPSTATS_MIB_INHDRERRORS);
 	icmpv6_param_prob(skb, ICMPV6_HDR_FIELD, skb_network_header_len(skb));
 	return -1;
 }
-- 
2.54.0.746.g67dd491aae-goog

Re: [PATCH v2 net-next 1/2] ipv6: guard against possible NULL deref in __in6_dev_stats_get()

[Ido Schimmel]

On Tue, May 26, 2026 at 02:55:28PM +0000, Eric Dumazet wrote:
> dev_get_by_index_rcu() could return NULL if the original physical
> device is unregistered.
> 
> Found by Sashiko.
> 
> Fixes: e1ae5c2ea478 ("vrf: Increment Icmp6InMsgs on the original netdev")
> Signed-off-by: Eric Dumazet <edumazet@google.com>
> Cc: Stephen Suryaputra <ssuryaextr@gmail.com>

Reviewed-by: Ido Schimmel <idosch@nvidia.com>

Re: [PATCH v2 net-next 2/2] ipv6: frags: cleanup __IP6_INC_STATS() confusion

[Ido Schimmel]

On Tue, May 26, 2026 at 02:55:29PM +0000, Eric Dumazet wrote:
> After commits e1ae5c2ea478 ("vrf: Increment Icmp6InMsgs on the original
> netdev") and bdb7cc643fc9 ("ipv6: Count interface receive statistics
> on the ingress netdev") net/ipv6/reassembly.c uses three different
> ways to reach idev in various __IP6_INC_STATS() calls.
> 
> - ip6_dst_idev(skb_dst(skb))
> - __in6_dev_get_safely(skb->dev)
> - __in6_dev_stats_get(skb->dev)
> 
> Lets centralize this from ipv6_frag_rcv() and use __in6_dev_stats_get().
> 
> Note that ipv6_frag_rcv() tests if skb->dev could be NULL already, so
> I chose to also guard against NULL, but we probably can remove the
> tests in a followup patch, because I do not think skb->dev could be NULL.
> 
> iif = skb->dev ? skb->dev->ifindex : 0;
> 
> idev can be NULL, __IP6_INC_STATS() deals with this possibility.
> 
> Small code size reduction as a bonus.
> 
> $ scripts/bloat-o-meter -t vmlinux.old vmlinux.new
> add/remove: 0/0 grow/shrink: 0/2 up/down: 0/-145 (-145)
> Function                                     old     new   delta
> ipv6_frag_rcv                               2399    2362     -37
> ip6_frag_reasm                               705     597    -108
> Total: Before=31455552, After=31455407, chg -0.00%
> 
> Signed-off-by: Eric Dumazet <edumazet@google.com>

Reviewed-by: Ido Schimmel <idosch@nvidia.com>