net: prevent NULL deref in ip[6]tunnel_xmit()

Blamed commit missed that both functions can be called with dev == NULL.

Also add unlikely() hints for these conditions that only fuzzers can hit.

Fixes: 6f1a9140ecda ("net: add xmit recursion limit to tunnel xmit functions")
Signed-off-by: Eric Dumazet <edumazet@google.com>
CC: Weiming Shi <bestswngs@gmail.com>
Link: https://patch.msgid.link/20260312043908.2790803-1-edumazet@google.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>

diff --git a/include/net/ip6_tunnel.h b/include/net/ip6_tunnel.h
index 1253cbb4b0a45f1c62999be21931ca31b596697f..359b595f1df93663b3e32c006d936427e8c8b20c 100644 (file)
--- a/include/net/ip6_tunnel.h
+++ b/include/net/ip6_tunnel.h
@@ -156,10 +156,12 @@ static inline void ip6tunnel_xmit(struct sock *sk, struct sk_buff *skb,
 {
        int pkt_len, err;
 
-       if (dev_recursion_level() > IP_TUNNEL_RECURSION_LIMIT) {
-               net_crit_ratelimited("Dead loop on virtual device %s, fix it urgently!\n",
-                                    dev->name);
-               DEV_STATS_INC(dev, tx_errors);
+       if (unlikely(dev_recursion_level() > IP_TUNNEL_RECURSION_LIMIT)) {
+               if (dev) {
+                       net_crit_ratelimited("Dead loop on virtual device %s, fix it urgently!\n",
+                                            dev->name);
+                       DEV_STATS_INC(dev, tx_errors);
+               }
                kfree_skb(skb);
                return;
        }

diff --git a/net/ipv4/ip_tunnel_core.c b/net/ipv4/ip_tunnel_core.c
index b1b6bf949f65ab7a09ba201d48aa204d913f146d..5683c328990f49df2954af9d890b5f24150caeb2 100644 (file)
--- a/net/ipv4/ip_tunnel_core.c
+++ b/net/ipv4/ip_tunnel_core.c
@@ -58,10 +58,12 @@ void iptunnel_xmit(struct sock *sk, struct rtable *rt, struct sk_buff *skb,
        struct iphdr *iph;
        int err;
 
-       if (dev_recursion_level() > IP_TUNNEL_RECURSION_LIMIT) {
-               net_crit_ratelimited("Dead loop on virtual device %s, fix it urgently!\n",
-                                    dev->name);
-               DEV_STATS_INC(dev, tx_errors);
+       if (unlikely(dev_recursion_level() > IP_TUNNEL_RECURSION_LIMIT)) {
+               if (dev) {
+                       net_crit_ratelimited("Dead loop on virtual device %s, fix it urgently!\n",
+                                            dev->name);
+                       DEV_STATS_INC(dev, tx_errors);
+               }
                ip_rt_put(rt);
                kfree_skb(skb);
                return;