Commit c38b8f5f authored Mar 12, 2026 by Eric Dumazet Committed by Paolo Abeni Mar 12, 2026

net: prevent NULL deref in ip[6]tunnel_xmit()



Blamed commit missed that both functions can be called with dev == NULL.

Also add unlikely() hints for these conditions that only fuzzers can hit.

Fixes: 6f1a9140 ("net: add xmit recursion limit to tunnel xmit functions")
Signed-off-by: Eric Dumazet <edumazet@google.com>
CC: Weiming Shi <bestswngs@gmail.com>
Link: https://patch.msgid.link/20260312043908.2790803-1-edumazet@google.com


Signed-off-by: Paolo Abeni <pabeni@redhat.com>

parent 87f7dff3

include/net/ip6_tunnel.h

+6 −4

Original line number	Diff line number	Diff line
		@@ -156,10 +156,12 @@ static inline void ip6tunnel_xmit(struct sock sk, struct sk_buff skb,
		{
		int pkt_len, err;

		if (dev_recursion_level() > IP_TUNNEL_RECURSION_LIMIT) {
		if (unlikely(dev_recursion_level() > IP_TUNNEL_RECURSION_LIMIT)) {
		if (dev) {
		net_crit_ratelimited("Dead loop on virtual device %s, fix it urgently!\n",
		dev->name);
		DEV_STATS_INC(dev, tx_errors);
		}
		kfree_skb(skb);
		return;
		}

net/ipv4/ip_tunnel_core.c

+6 −4

Original line number	Diff line number	Diff line
		@@ -58,10 +58,12 @@ void iptunnel_xmit(struct sock sk, struct rtable rt, struct sk_buff *skb,
		struct iphdr *iph;
		int err;

		if (dev_recursion_level() > IP_TUNNEL_RECURSION_LIMIT) {
		if (unlikely(dev_recursion_level() > IP_TUNNEL_RECURSION_LIMIT)) {
		if (dev) {
		net_crit_ratelimited("Dead loop on virtual device %s, fix it urgently!\n",
		dev->name);
		DEV_STATS_INC(dev, tx_errors);
		}
		ip_rt_put(rt);
		kfree_skb(skb);
		return;