Merge branch 'ipv6-frags-adopt-__in6_dev_stats_get-a-bit-more'

Eric Dumazet says: ==================== ipv6: frags: adopt __in6_dev_stats_get() a bit more First patch addresses Sashiko's feedback about a potential NULL dereference in __in6_dev_stats_get(). Second patch adopts __in6_dev_stats_get() in net/ipv6/reassembly.c. ==================== Link: https://patch.msgid.link/20260526145529.3587126-1-edumazet@google.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
author: Jakub Kicinski <kuba@kernel.org> 2026-05-28 03:27:29 +0300
committer: Jakub Kicinski <kuba@kernel.org> 2026-05-28 03:27:29 +0300
commit: 3cefa8d5e798c4e21a7ea48bf6370247fca3aa9d (patch)
tree: 576d7befbd275ba831dbdd0fdc54249339a6849a
parent: 5af067bf8a64dac896f120a98fe2ca656df92562 (diff)
parent: 331d846a717243cec2d0708d30926efe97bb6294 (diff)
download: linux-3cefa8d5e798c4e21a7ea48bf6370247fca3aa9d.tar.xz
2 files changed, 25 insertions, 26 deletions
diff --git a/include/net/addrconf.h b/include/net/addrconf.h
index 9e96776945e5..539bbbe54b14 100644
--- a/include/net/addrconf.h
+++ b/include/net/addrconf.h
@@ -369,8 +369,11 @@ static inline struct inet6_dev *__in6_dev_get_rtnl_net(const struct net_device *
 static inline struct inet6_dev *__in6_dev_stats_get(const struct net_device *dev,
 						    const struct sk_buff *skb)
 {
-	if (netif_is_l3_master(dev))
+	if (netif_is_l3_master(dev)) {
 		dev = dev_get_by_index_rcu(dev_net(dev), inet6_iif(skb));
+		if (!dev)
+			return NULL;
+	}
 	return __in6_dev_get(dev);
 }
 
diff --git a/net/ipv6/reassembly.c b/net/ipv6/reassembly.c
index 11f9144bebbe..05c51f669754 100644
--- a/net/ipv6/reassembly.c
+++ b/net/ipv6/reassembly.c
@@ -69,7 +69,7 @@ static struct inet_frags ip6_frags;
 
 static int ip6_frag_reasm(struct frag_queue *fq, struct sk_buff *skb,
 			  struct sk_buff *prev_tail, struct net_device *dev,
-			  int *refs);
+			  struct inet6_dev *idev, int *refs);
 
 static void ip6_frag_expire(struct timer_list *t)
 {
@@ -107,7 +107,8 @@ fq_find(struct net *net, __be32 id, const struct ipv6hdr *hdr, int iif)
 static int ip6_frag_queue(struct net *net,
 			  struct frag_queue *fq, struct sk_buff *skb,
 			  struct frag_hdr *fhdr, int nhoff,
-			  u32 *prob_offset, int *refs)
+			  u32 *prob_offset, int *refs,
+			  struct inet6_dev *idev)
 {
 	int offset, end, fragsize;
 	struct sk_buff *prev_tail;
@@ -133,8 +134,7 @@ static int ip6_frag_queue(struct net *net,
 		 * we do not free it here.
 		 */
 		inet_frag_kill(&fq->q, refs);
-		__IP6_INC_STATS(net, ip6_dst_idev(skb_dst(skb)),
-				IPSTATS_MIB_REASMFAILS);
+		__IP6_INC_STATS(net, idev, IPSTATS_MIB_REASMFAILS);
 		return -1;
 	}
 
@@ -167,8 +167,7 @@ static int ip6_frag_queue(struct net *net,
 			 */
 			*prob_offset = offsetof(struct ipv6hdr, payload_len);
 			inet_frag_kill(&fq->q, refs);
-			__IP6_INC_STATS(net, ip6_dst_idev(skb_dst(skb)),
-					IPSTATS_MIB_REASMFAILS);
+			__IP6_INC_STATS(net, idev, IPSTATS_MIB_REASMFAILS);
 			return -1;
 		}
 		if (end > fq->q.len) {
@@ -227,7 +226,7 @@ static int ip6_frag_queue(struct net *net,
 		unsigned long orefdst = skb->_skb_refdst;
 
 		skb->_skb_refdst = 0UL;
-		err = ip6_frag_reasm(fq, skb, prev_tail, dev, refs);
+		err = ip6_frag_reasm(fq, skb, prev_tail, dev, idev, refs);
 		skb->_skb_refdst = orefdst;
 		return err;
 	}
@@ -242,12 +241,10 @@ insert_error:
 		goto err;
 	}
 	err = -EINVAL;
-	__IP6_INC_STATS(net, ip6_dst_idev(skb_dst(skb)),
-			IPSTATS_MIB_REASM_OVERLAPS);
+	__IP6_INC_STATS(net, idev, IPSTATS_MIB_REASM_OVERLAPS);
 discard_fq:
 	inet_frag_kill(&fq->q, refs);
-	__IP6_INC_STATS(net, ip6_dst_idev(skb_dst(skb)),
-			IPSTATS_MIB_REASMFAILS);
+	__IP6_INC_STATS(net, idev, IPSTATS_MIB_REASMFAILS);
 err:
 	kfree_skb_reason(skb, reason);
 	return err;
@@ -262,7 +259,7 @@ err:
  */
 static int ip6_frag_reasm(struct frag_queue *fq, struct sk_buff *skb,
 			  struct sk_buff *prev_tail, struct net_device *dev,
-			  int *refs)
+			  struct inet6_dev *idev, int *refs)
 {
 	struct net *net = fq->q.fqdir->net;
 	unsigned int nhoff;
@@ -311,7 +308,7 @@ static int ip6_frag_reasm(struct frag_queue *fq, struct sk_buff *skb,
 	skb_postpush_rcsum(skb, skb_network_header(skb),
 			   skb_network_header_len(skb));
 
-	__IP6_INC_STATS(net, __in6_dev_stats_get(dev, skb), IPSTATS_MIB_REASMOKS);
+	__IP6_INC_STATS(net, idev, IPSTATS_MIB_REASMOKS);
 	fq->q.rb_fragments = RB_ROOT;
 	fq->q.fragments_tail = NULL;
 	fq->q.last_run_head = NULL;
@@ -323,7 +320,7 @@ out_oversize:
 out_oom:
 	net_dbg_ratelimited("ip6_frag_reasm: no memory for reassembly\n");
 out_fail:
-	__IP6_INC_STATS(net, __in6_dev_stats_get(dev, skb), IPSTATS_MIB_REASMFAILS);
+	__IP6_INC_STATS(net, idev, IPSTATS_MIB_REASMFAILS);
 	inet_frag_kill(&fq->q, refs);
 	return -1;
 }
@@ -332,15 +329,18 @@ static int ipv6_frag_rcv(struct sk_buff *skb)
 {
 	const struct ipv6hdr *hdr = ipv6_hdr(skb);
 	struct net *net = skb_dst_dev_net(skb);
+	struct inet6_dev *idev;
 	struct frag_hdr *fhdr;
 	struct frag_queue *fq;
 	u8 nexthdr;
 	int iif;
 
+	idev = skb->dev ? __in6_dev_stats_get(skb->dev, skb) : NULL;
+
 	if (IP6CB(skb)->flags & IP6SKB_FRAGMENTED)
 		goto fail_hdr;
 
-	__IP6_INC_STATS(net, ip6_dst_idev(skb_dst(skb)), IPSTATS_MIB_REASMREQDS);
+	__IP6_INC_STATS(net, idev, IPSTATS_MIB_REASMREQDS);
 
 	/* Jumbo payload inhibits frag. header */
 	if (hdr->payload_len == 0)
@@ -356,8 +356,7 @@ static int ipv6_frag_rcv(struct sk_buff *skb)
 	if (!(fhdr->frag_off & htons(IP6_OFFSET | IP6_MF))) {
 		/* It is not a fragmented frame */
 		skb->transport_header += sizeof(struct frag_hdr);
-		__IP6_INC_STATS(net,
-				ip6_dst_idev(skb_dst(skb)), IPSTATS_MIB_REASMOKS);
+		__IP6_INC_STATS(net, idev, IPSTATS_MIB_REASMOKS);
 
 		IP6CB(skb)->nhoff = (u8 *)fhdr - skb_network_header(skb);
 		IP6CB(skb)->flags |= IP6SKB_FRAGMENTED;
@@ -374,8 +373,7 @@ static int ipv6_frag_rcv(struct sk_buff *skb)
 	 */
 	nexthdr = hdr->nexthdr;
 	if (ipv6frag_thdr_truncated(skb, skb_network_offset(skb) + sizeof(struct ipv6hdr), &nexthdr)) {
-		__IP6_INC_STATS(net, __in6_dev_get_safely(skb->dev),
-				IPSTATS_MIB_INHDRERRORS);
+		__IP6_INC_STATS(net, idev, IPSTATS_MIB_INHDRERRORS);
 		icmpv6_param_prob(skb, ICMPV6_HDR_INCOMP, 0);
 		return -1;
 	}
@@ -391,14 +389,13 @@ static int ipv6_frag_rcv(struct sk_buff *skb)
 
 		fq->iif = iif;
 		ret = ip6_frag_queue(net, fq, skb, fhdr, IP6CB(skb)->nhoff,
-				     &prob_offset, &refs);
+				     &prob_offset, &refs, idev);
 
 		spin_unlock(&fq->q.lock);
 		rcu_read_unlock();
 		inet_frag_putn(&fq->q, refs);
 		if (prob_offset) {
-			__IP6_INC_STATS(net, __in6_dev_get_safely(skb->dev),
-					IPSTATS_MIB_INHDRERRORS);
+			__IP6_INC_STATS(net, idev, IPSTATS_MIB_INHDRERRORS);
 			/* icmpv6_param_prob() calls kfree_skb(skb) */
 			icmpv6_param_prob(skb, ICMPV6_HDR_FIELD, prob_offset);
 		}
@@ -406,13 +403,12 @@ static int ipv6_frag_rcv(struct sk_buff *skb)
 	}
 	rcu_read_unlock();
 
-	__IP6_INC_STATS(net, ip6_dst_idev(skb_dst(skb)), IPSTATS_MIB_REASMFAILS);
+	__IP6_INC_STATS(net, idev, IPSTATS_MIB_REASMFAILS);
 	kfree_skb(skb);
 	return -1;
 
 fail_hdr:
-	__IP6_INC_STATS(net, __in6_dev_get_safely(skb->dev),
-			IPSTATS_MIB_INHDRERRORS);
+	__IP6_INC_STATS(net, idev, IPSTATS_MIB_INHDRERRORS);
 	icmpv6_param_prob(skb, ICMPV6_HDR_FIELD, skb_network_header_len(skb));
 	return -1;
 }
author	Jakub Kicinski <kuba@kernel.org>	2026-05-28 03:27:29 +0300
committer	Jakub Kicinski <kuba@kernel.org>	2026-05-28 03:27:29 +0300
commit	3cefa8d5e798c4e21a7ea48bf6370247fca3aa9d (patch)
tree	576d7befbd275ba831dbdd0fdc54249339a6849a
parent	5af067bf8a64dac896f120a98fe2ca656df92562 (diff)
parent	331d846a717243cec2d0708d30926efe97bb6294 (diff)
download	linux-3cefa8d5e798c4e21a7ea48bf6370247fca3aa9d.tar.xz