From: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
To: Daniel Borkmann <daniel@iogearbox.net>
Cc: Jiayuan Chen <jiayuan.chen@linux.dev>,
jv@jvosburgh.net, netdev@vger.kernel.org,
jiayuan.chen@shopee.com,
syzbot+80e046b8da2820b6ba73@syzkaller.appspotmail.com,
Andrew Lunn <andrew+netdev@lunn.ch>,
"David S. Miller" <davem@davemloft.net>,
Eric Dumazet <edumazet@google.com>,
Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>,
Alexei Starovoitov <ast@kernel.org>,
Jesper Dangaard Brouer <hawk@kernel.org>,
John Fastabend <john.fastabend@gmail.com>,
Stanislav Fomichev <sdf@fomichev.me>,
Andrii Nakryiko <andrii@kernel.org>,
Martin KaFai Lau <martin.lau@linux.dev>,
Eduard Zingerman <eddyz87@gmail.com>, Song Liu <song@kernel.org>,
Yonghong Song <yonghong.song@linux.dev>,
KP Singh <kpsingh@kernel.org>, Hao Luo <haoluo@google.com>,
Jiri Olsa <jolsa@kernel.org>, Shuah Khan <shuah@kernel.org>,
Clark Williams <clrkwllms@kernel.org>,
Steven Rostedt <rostedt@goodmis.org>,
Jussi Maki <joamaki@gmail.com>,
linux-kernel@vger.kernel.org, bpf@vger.kernel.org,
linux-kselftest@vger.kernel.org, linux-rt-devel@lists.linux.dev
Subject: Re: [PATCH net v4 1/2] bonding: fix null-ptr-deref in bond_rr_gen_slave_id()
Date: Wed, 4 Mar 2026 10:40:20 +0100 [thread overview]
Message-ID: <20260304094020.mrSO02-z@linutronix.de> (raw)
In-Reply-To: <4d15be93-b497-4499-996d-9f3a67a2abc6@iogearbox.net>
On 2026-03-04 09:20:27 [+0100], Daniel Borkmann wrote:
> Arguably it's a corner case, but could we not just do sth like this to
> actually check if the device is up and if not drop?
>
> diff --git a/net/core/filter.c b/net/core/filter.c
> index ba019ded773d..c447fd989a27 100644
> --- a/net/core/filter.c
> +++ b/net/core/filter.c
> @@ -4387,6 +4387,9 @@ u32 xdp_master_redirect(struct xdp_buff *xdp)
> struct net_device *master, *slave;
> master = netdev_master_upper_dev_get_rcu(xdp->rxq->dev);
> + if (unlikely(!(master->flags & IFF_UP)))
> + return XDP_ABORTED;
preemption (vcpu scheduled), while paused the other CPU could put the
device down, or is it too much of a corner case?
Also, there is also ndo_get_xmit_slave which at this time is only used
by Infiniband and supports only active-backup mode [0].
[0] https://lore.kernel.org/netdev/999129.1772247707@famine/
> +
> slave = master->netdev_ops->ndo_xdp_get_xmit_slave(master, xdp);
> if (slave && slave != xdp->rxq->dev) {
> /* The target device is different from the receiving device, so
Sebastian
next prev parent reply other threads:[~2026-03-04 9:40 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-03-04 7:42 [PATCH net v4 0/2] net,bpf: fix null-ptr-deref in xdp_master_redirect() for bonding and add selftest Jiayuan Chen
2026-03-04 7:42 ` [PATCH net v4 1/2] bonding: fix null-ptr-deref in bond_rr_gen_slave_id() Jiayuan Chen
2026-03-04 8:20 ` Daniel Borkmann
2026-03-04 8:47 ` Jiayuan Chen
2026-03-04 9:40 ` Sebastian Andrzej Siewior [this message]
2026-03-04 15:59 ` Nikolay Aleksandrov
2026-03-04 17:27 ` Jay Vosburgh
2026-03-04 17:32 ` Nikolay Aleksandrov
2026-03-05 21:03 ` Jay Vosburgh
2026-03-06 2:42 ` Jiayuan Chen
2026-03-06 12:22 ` Nikolay Aleksandrov
2026-03-06 12:38 ` Jiayuan Chen
2026-03-04 7:42 ` [PATCH net v4 2/2] selftests/bpf: add test for xdp_master_redirect with bond not up Jiayuan Chen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260304094020.mrSO02-z@linutronix.de \
--to=bigeasy@linutronix.de \
--cc=andrew+netdev@lunn.ch \
--cc=andrii@kernel.org \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=clrkwllms@kernel.org \
--cc=daniel@iogearbox.net \
--cc=davem@davemloft.net \
--cc=eddyz87@gmail.com \
--cc=edumazet@google.com \
--cc=haoluo@google.com \
--cc=hawk@kernel.org \
--cc=jiayuan.chen@linux.dev \
--cc=jiayuan.chen@shopee.com \
--cc=joamaki@gmail.com \
--cc=john.fastabend@gmail.com \
--cc=jolsa@kernel.org \
--cc=jv@jvosburgh.net \
--cc=kpsingh@kernel.org \
--cc=kuba@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-kselftest@vger.kernel.org \
--cc=linux-rt-devel@lists.linux.dev \
--cc=martin.lau@linux.dev \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=rostedt@goodmis.org \
--cc=sdf@fomichev.me \
--cc=shuah@kernel.org \
--cc=song@kernel.org \
--cc=syzbot+80e046b8da2820b6ba73@syzkaller.appspotmail.com \
--cc=yonghong.song@linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.