ipv6: add NULL checks for idev in SRv6 paths

__in6_dev_get() can return NULL when the device has no IPv6 configuration
(e.g. MTU < IPV6_MIN_MTU or after NETDEV_UNREGISTER).

Add NULL checks for idev returned by __in6_dev_get() in both
seg6_hmac_validate_skb() and ipv6_srh_rcv() to prevent potential NULL
pointer dereferences.

Fixes: 1ababeba4a21 ("ipv6: implement dataplane support for rthdr type 4 (Segment Routing Header)")
Fixes: bf355b8d2c30 ("ipv6: sr: add core files for SR HMAC support")
Signed-off-by: Minhong He <heminhong@kylinos.cn>
Reviewed-by: Andrea Mayer <andrea.mayer@uniroma2.it>
Link: https://patch.msgid.link/20260316073301.106643-1-heminhong@kylinos.cn
Signed-off-by: Jakub Kicinski <kuba@kernel.org>

diff --git a/net/ipv6/exthdrs.c b/net/ipv6/exthdrs.c
index 5e3610a926cfb64946b12790a65dfa3661c571b5..95558fd6f447e3b27edf80e1a22d9e9a1da586ca 100644 (file)
--- a/net/ipv6/exthdrs.c
+++ b/net/ipv6/exthdrs.c
@@ -379,6 +379,10 @@ static int ipv6_srh_rcv(struct sk_buff *skb)
        hdr = (struct ipv6_sr_hdr *)skb_transport_header(skb);
 
        idev = __in6_dev_get(skb->dev);
+       if (!idev) {
+               kfree_skb(skb);
+               return -1;
+       }
 
        accept_seg6 = min(READ_ONCE(net->ipv6.devconf_all->seg6_enabled),
                          READ_ONCE(idev->cnf.seg6_enabled));

diff --git a/net/ipv6/seg6_hmac.c b/net/ipv6/seg6_hmac.c
index ee6bac0160aceafdc4eed57b34014eded9e8a9a1..e6964c6b0d381093879b5f494feb71a7638ab23b 100644 (file)
--- a/net/ipv6/seg6_hmac.c
+++ b/net/ipv6/seg6_hmac.c
@@ -184,6 +184,8 @@ bool seg6_hmac_validate_skb(struct sk_buff *skb)
        int require_hmac;
 
        idev = __in6_dev_get(skb->dev);
+       if (!idev)
+               return false;
 
        srh = (struct ipv6_sr_hdr *)skb_transport_header(skb);