Re: [PATCH net v4 1/2] bonding: fix null-ptr-deref in bond_rr_gen_slave_id()

Next message: Chaoyi Chen: "[PATCH v15 0/9] Add Type-C DP support for RK3399 EVB IND board"
Previous message: Yafang Shao: "Re: [RFC PATCH 1/2] locking: add mutex_lock_nospin()"
In reply to: Jiayuan Chen: "Re: [PATCH net v4 1/2] bonding: fix null-ptr-deref in bond_rr_gen_slave_id()"
Next in thread: Nikolay Aleksandrov: "Re: [PATCH net v4 1/2] bonding: fix null-ptr-deref in bond_rr_gen_slave_id()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Sebastian Andrzej Siewior

Date: Wed Mar 04 2026 - 04:42:40 EST

On 2026-03-04 09:20:27 [+0100], Daniel Borkmann wrote:
> Arguably it's a corner case, but could we not just do sth like this to
> actually check if the device is up and if not drop?
>
> diff --git a/net/core/filter.c b/net/core/filter.c
> index ba019ded773d..c447fd989a27 100644
> --- a/net/core/filter.c
> +++ b/net/core/filter.c
> @@ -4387,6 +4387,9 @@ u32 xdp_master_redirect(struct xdp_buff *xdp)
> struct net_device *master, *slave;
> master = netdev_master_upper_dev_get_rcu(xdp->rxq->dev);
> + if (unlikely(!(master->flags & IFF_UP)))
> + return XDP_ABORTED;

preemption (vcpu scheduled), while paused the other CPU could put the
device down, or is it too much of a corner case?
Also, there is also ndo_get_xmit_slave which at this time is only used
by Infiniband and supports only active-backup mode [0].

[0] https://lore.kernel.org/netdev/999129.1772247707@famine/

> +
> slave = master->netdev_ops->ndo_xdp_get_xmit_slave(master, xdp);
> if (slave && slave != xdp->rxq->dev) {
> /* The target device is different from the receiving device, so

Sebastian