Re: [PATCH net] net, bpf: check master for NULL in xdp_master_redirect()

[Jiayuan Chen <jiayuan.chen@linux.dev>]

On 6/21/26 4:15 AM, Xiang Mei wrote:
> xdp_master_redirect() dereferences the result of
> netdev_master_upper_dev_get_rcu() without a NULL check, but that helper
> returns NULL when the receiving device has no upper-master adjacency.
>
> The reach guard only checks netif_is_bond_slave(). On bond slave release
> bond_upper_dev_unlink() drops the upper-master adjacency before clearing
> IFF_SLAVE, so an XDP_TX reaching xdp_master_redirect() in that window
> still passes netif_is_bond_slave() while master is already NULL, and
> faults on master->flags at offset 0xb0:
>
>    BUG: kernel NULL pointer dereference, address: 00000000000000b0
>    RIP: 0010:xdp_master_redirect (net/core/filter.c:4432)
>    Call Trace:
>     xdp_master_redirect (net/core/filter.c:4432)
>     bpf_prog_run_generic_xdp (include/net/xdp.h:700)
>     do_xdp_generic (net/core/dev.c:5608)
>     __netif_receive_skb_one_core (net/core/dev.c:6204)
>     process_backlog (net/core/dev.c:6319)
>     __napi_poll (net/core/dev.c:7729)
>     net_rx_action (net/core/dev.c:7792)
>     handle_softirqs (kernel/softirq.c:622)
>     __dev_queue_xmit (include/linux/bottom_half.h:33)
>     packet_sendmsg (net/packet/af_packet.c:3082)
>     __sys_sendto (net/socket.c:2252)
>    Kernel panic - not syncing: Fatal exception in interrupt
>
> The missing check dates back to the original code; commit 1921f91298d1
> ("net, bpf: fix null-ptr-deref in xdp_master_redirect() for down master")
> later added the master->flags read where the fault now lands but kept the
> unconditional deref. Check master for NULL before use; a NULL master is
> treated the same as one that is not up.
>
> Fixes: 879af96ffd72 ("net, core: Add support for XDP redirection to slave device")
> Reported-by: Weiming Shi <bestswngs@gmail.com>
> Assisted-by: Claude:claude-opus-4-8
> Signed-off-by: Xiang Mei <xmei5@asu.edu>
> ---
>   net/core/filter.c | 2 +-
>   1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/net/core/filter.c b/net/core/filter.c
> index 40037413dd4e..6037860d5283 100644
> --- a/net/core/filter.c
> +++ b/net/core/filter.c
> @@ -4430,7 +4430,7 @@ u32 xdp_master_redirect(struct xdp_buff *xdp)
>   	struct net_device *master, *slave;
>   
>   	master = netdev_master_upper_dev_get_rcu(xdp->rxq->dev);
> -	if (unlikely(!(master->flags & IFF_UP)))
> +	if (unlikely(!master || !(master->flags & IFF_UP)))
>   		return XDP_ABORTED;


I recall that when I previously modified this code, I removed the 
!master check

because this is on the fastpath. However, since this is a triggerable bug,
I think adding it here is fine.

Reviewed-by: Jiayuan Chen <jiayuan.chen@linux.dev>