netns: oops in ip[6]_frag_reasm incrementing stats

dev can be NULL in ip[6]_frag_reasm for skb's coming from RAW sockets.

Quagga's OSPFD sends fragmented packets on a RAW socket, when netfilter
conntrack reassembles them on the OUTPUT path you hit this code path.

You can test it with something like "hping2 -0 -d 2000 -f AA.BB.CC.DD"

With help from Jarek Poplawski.

Signed-off-by: Jorge Boncompte [DTI2] <jorge@dti2.net>
Signed-off-by: David S. Miller <davem@davemloft.net>

1 files changed, 3 insertions, 4 deletions

diff --git a/net/ipv6/reassembly.c b/net/ipv6/reassembly.c
index 3c575118fca5..e9ac7a12f595 100644
--- a/net/ipv6/reassembly.c
+++ b/net/ipv6/reassembly.c
@@ -452,6 +452,7 @@ err:
 static int ip6_frag_reasm(struct frag_queue *fq, struct sk_buff *prev,
                           struct net_device *dev)
 {
+        struct net *net = container_of(fq->q.net, struct net, ipv6.frags);
         struct sk_buff *fp, *head = fq->q.fragments;
         int    payload_len;
         unsigned int nhoff;
@@ -551,8 +552,7 @@ static int ip6_frag_reasm(struct frag_queue *fq, struct sk_buff *prev,
                                           head->csum);
 
         rcu_read_lock();
-        IP6_INC_STATS_BH(dev_net(dev),
-                         __in6_dev_get(dev), IPSTATS_MIB_REASMOKS);
+        IP6_INC_STATS_BH(net, __in6_dev_get(dev), IPSTATS_MIB_REASMOKS);
         rcu_read_unlock();
         fq->q.fragments = NULL;
         return 1;
@@ -566,8 +566,7 @@ out_oom:
                 printk(KERN_DEBUG "ip6_frag_reasm: no memory for reassembly\n");
 out_fail:
         rcu_read_lock();
-        IP6_INC_STATS_BH(dev_net(dev),
-                         __in6_dev_get(dev), IPSTATS_MIB_REASMFAILS);
+        IP6_INC_STATS_BH(net, __in6_dev_get(dev), IPSTATS_MIB_REASMFAILS);
         rcu_read_unlock();
         return -1;
 }