Re: [PATCH bpf] bpf: Fix use-after-free in offloaded map/prog info fill

From: Jiayuan Chen

Date: Wed Apr 08 2026 - 22:22:48 EST



On 4/9/26 5:49 AM, Daniel Borkmann wrote:
On 4/8/26 12:47 PM, Jiayuan Chen wrote:
When querying info for an offloaded BPF map or program,

[...]
zero, which causes ns_get_path_cb() to fail and the caller to return
-ENODEV -- the correct behavior when the netns is being destroyed.

nit: -ENOENT

Fixes: 675fc275a3a2d ("bpf: offload: report device information for offloaded programs")
Fixes: 52775b33bb507 ("bpf: offload: report device information about offloaded maps")
Reported-by: Yinhao Hu <dddddd@xxxxxxxxxxx>
[...]
+        net = maybe_get_net(dev_net(aux->offload->netdev));
+        if (net) {
+            ns = &net->ns;
+        } else {
+            ns = NULL;
+        }
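Review bot: the maybe_get_net() call at the top of this hunk has no comment at the call site saying why taking the reference can fail. The commit message ties the NULL case to the netns being destroyed, but a reader of the code alone sees only a NULL check. A one-line comment above `net = maybe_get_net(dev_net(aux->offload->netdev));` would keep a later cleanup from replacing it with an unconditional get.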

nit: ns = net ? &net->ns : NULL;


[...]
+        }

ditto, otherwise looks good to me

      } else {
          args->info->ifindex = 0;
          ns = NULL;
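Review bot: on the path where maybe_get_net() returns NULL, the quoted lines set only ns = NULL, while the existing no-offload branch in the trailing context also sets `args->info->ifindex = 0;`. If ifindex is filled in earlier in this block (elided in the quote), either clear it on the NULL-net path as well, or state in the commit message that the caller discards info when ns_get_path_cb() fails, so the two "no namespace" paths are visibly consistent.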


 Thanks for the review!

 Both nits are valid -- will fix the commit message to say -ENOENT and
 simplify to ternary in the next version.