[PATCH net] net, bpf: check master for NULL in xdp_master_redirect()

[PATCH net] net, bpf: check master for NULL in xdp_master_redirect()

[Xiang Mei]

xdp_master_redirect() dereferences the result of
netdev_master_upper_dev_get_rcu() without a NULL check, but that helper
returns NULL when the receiving device has no upper-master adjacency.

The reach guard only checks netif_is_bond_slave(). On bond slave release
bond_upper_dev_unlink() drops the upper-master adjacency before clearing
IFF_SLAVE, so an XDP_TX reaching xdp_master_redirect() in that window
still passes netif_is_bond_slave() while master is already NULL, and
faults on master->flags at offset 0xb0:

  BUG: kernel NULL pointer dereference, address: 00000000000000b0
  RIP: 0010:xdp_master_redirect (net/core/filter.c:4432)
  Call Trace:
   xdp_master_redirect (net/core/filter.c:4432)
   bpf_prog_run_generic_xdp (include/net/xdp.h:700)
   do_xdp_generic (net/core/dev.c:5608)
   __netif_receive_skb_one_core (net/core/dev.c:6204)
   process_backlog (net/core/dev.c:6319)
   __napi_poll (net/core/dev.c:7729)
   net_rx_action (net/core/dev.c:7792)
   handle_softirqs (kernel/softirq.c:622)
   __dev_queue_xmit (include/linux/bottom_half.h:33)
   packet_sendmsg (net/packet/af_packet.c:3082)
   __sys_sendto (net/socket.c:2252)
  Kernel panic - not syncing: Fatal exception in interrupt

The missing check dates back to the original code; commit 1921f91298d1
("net, bpf: fix null-ptr-deref in xdp_master_redirect() for down master")
later added the master->flags read where the fault now lands but kept the
unconditional deref. Check master for NULL before use; a NULL master is
treated the same as one that is not up.

Fixes: 879af96ffd72 ("net, core: Add support for XDP redirection to slave device")
Reported-by: Weiming Shi <bestswngs@gmail.com>
Assisted-by: Claude:claude-opus-4-8
Signed-off-by: Xiang Mei <xmei5@asu.edu>
---
 net/core/filter.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/core/filter.c b/net/core/filter.c
index 40037413dd4e..6037860d5283 100644
--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -4430,7 +4430,7 @@ u32 xdp_master_redirect(struct xdp_buff *xdp)
 	struct net_device *master, *slave;
 
 	master = netdev_master_upper_dev_get_rcu(xdp->rxq->dev);
-	if (unlikely(!(master->flags & IFF_UP)))
+	if (unlikely(!master || !(master->flags & IFF_UP)))
 		return XDP_ABORTED;
 	slave = master->netdev_ops->ndo_xdp_get_xmit_slave(master, xdp);
 	if (slave && slave != xdp->rxq->dev) {
-- 
2.43.0

Re: [PATCH net] net, bpf: check master for NULL in xdp_master_redirect()

[Jiayuan Chen]

On 6/21/26 4:15 AM, Xiang Mei wrote:
> xdp_master_redirect() dereferences the result of
> netdev_master_upper_dev_get_rcu() without a NULL check, but that helper
> returns NULL when the receiving device has no upper-master adjacency.
>
> The reach guard only checks netif_is_bond_slave(). On bond slave release
> bond_upper_dev_unlink() drops the upper-master adjacency before clearing
> IFF_SLAVE, so an XDP_TX reaching xdp_master_redirect() in that window
> still passes netif_is_bond_slave() while master is already NULL, and
> faults on master->flags at offset 0xb0:
>
>    BUG: kernel NULL pointer dereference, address: 00000000000000b0
>    RIP: 0010:xdp_master_redirect (net/core/filter.c:4432)
>    Call Trace:
>     xdp_master_redirect (net/core/filter.c:4432)
>     bpf_prog_run_generic_xdp (include/net/xdp.h:700)
>     do_xdp_generic (net/core/dev.c:5608)
>     __netif_receive_skb_one_core (net/core/dev.c:6204)
>     process_backlog (net/core/dev.c:6319)
>     __napi_poll (net/core/dev.c:7729)
>     net_rx_action (net/core/dev.c:7792)
>     handle_softirqs (kernel/softirq.c:622)
>     __dev_queue_xmit (include/linux/bottom_half.h:33)
>     packet_sendmsg (net/packet/af_packet.c:3082)
>     __sys_sendto (net/socket.c:2252)
>    Kernel panic - not syncing: Fatal exception in interrupt
>
> The missing check dates back to the original code; commit 1921f91298d1
> ("net, bpf: fix null-ptr-deref in xdp_master_redirect() for down master")
> later added the master->flags read where the fault now lands but kept the
> unconditional deref. Check master for NULL before use; a NULL master is
> treated the same as one that is not up.
>
> Fixes: 879af96ffd72 ("net, core: Add support for XDP redirection to slave device")
> Reported-by: Weiming Shi <bestswngs@gmail.com>
> Assisted-by: Claude:claude-opus-4-8
> Signed-off-by: Xiang Mei <xmei5@asu.edu>
> ---
>   net/core/filter.c | 2 +-
>   1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/net/core/filter.c b/net/core/filter.c
> index 40037413dd4e..6037860d5283 100644
> --- a/net/core/filter.c
> +++ b/net/core/filter.c
> @@ -4430,7 +4430,7 @@ u32 xdp_master_redirect(struct xdp_buff *xdp)
>   	struct net_device *master, *slave;
>   
>   	master = netdev_master_upper_dev_get_rcu(xdp->rxq->dev);
> -	if (unlikely(!(master->flags & IFF_UP)))
> +	if (unlikely(!master || !(master->flags & IFF_UP)))
>   		return XDP_ABORTED;


I recall that when I previously modified this code, I removed the 
!master check

because this is on the fastpath. However, since this is a triggerable bug,
I think adding it here is fine.

Reviewed-by: Jiayuan Chen <jiayuan.chen@linux.dev>

Re: [PATCH net] net, bpf: check master for NULL in xdp_master_redirect()

[Xiang Mei]

On Sun, Jun 21, 2026 at 6:21 PM Jiayuan Chen <jiayuan.chen@linux.dev> wrote:
>
>
> On 6/21/26 4:15 AM, Xiang Mei wrote:
> > xdp_master_redirect() dereferences the result of
> > netdev_master_upper_dev_get_rcu() without a NULL check, but that helper
> > returns NULL when the receiving device has no upper-master adjacency.
> >
> > The reach guard only checks netif_is_bond_slave(). On bond slave release
> > bond_upper_dev_unlink() drops the upper-master adjacency before clearing
> > IFF_SLAVE, so an XDP_TX reaching xdp_master_redirect() in that window
> > still passes netif_is_bond_slave() while master is already NULL, and
> > faults on master->flags at offset 0xb0:
> >
> >    BUG: kernel NULL pointer dereference, address: 00000000000000b0
> >    RIP: 0010:xdp_master_redirect (net/core/filter.c:4432)
> >    Call Trace:
> >     xdp_master_redirect (net/core/filter.c:4432)
> >     bpf_prog_run_generic_xdp (include/net/xdp.h:700)
> >     do_xdp_generic (net/core/dev.c:5608)
> >     __netif_receive_skb_one_core (net/core/dev.c:6204)
> >     process_backlog (net/core/dev.c:6319)
> >     __napi_poll (net/core/dev.c:7729)
> >     net_rx_action (net/core/dev.c:7792)
> >     handle_softirqs (kernel/softirq.c:622)
> >     __dev_queue_xmit (include/linux/bottom_half.h:33)
> >     packet_sendmsg (net/packet/af_packet.c:3082)
> >     __sys_sendto (net/socket.c:2252)
> >    Kernel panic - not syncing: Fatal exception in interrupt
> >
> > The missing check dates back to the original code; commit 1921f91298d1
> > ("net, bpf: fix null-ptr-deref in xdp_master_redirect() for down master")
> > later added the master->flags read where the fault now lands but kept the
> > unconditional deref. Check master for NULL before use; a NULL master is
> > treated the same as one that is not up.
> >
> > Fixes: 879af96ffd72 ("net, core: Add support for XDP redirection to slave device")
> > Reported-by: Weiming Shi <bestswngs@gmail.com>
> > Assisted-by: Claude:claude-opus-4-8
> > Signed-off-by: Xiang Mei <xmei5@asu.edu>
> > ---
> >   net/core/filter.c | 2 +-
> >   1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/net/core/filter.c b/net/core/filter.c
> > index 40037413dd4e..6037860d5283 100644
> > --- a/net/core/filter.c
> > +++ b/net/core/filter.c
> > @@ -4430,7 +4430,7 @@ u32 xdp_master_redirect(struct xdp_buff *xdp)
> >       struct net_device *master, *slave;
> >
> >       master = netdev_master_upper_dev_get_rcu(xdp->rxq->dev);
> > -     if (unlikely(!(master->flags & IFF_UP)))
> > +     if (unlikely(!master || !(master->flags & IFF_UP)))
> >               return XDP_ABORTED;
>
>
> I recall that when I previously modified this code, I removed the
> !master check
>
> because this is on the fastpath. However, since this is a triggerable bug,
> I think adding it here is fine.
>
Thanks for the review. It's difficult to hit under normal statue, but
the bug is real.
We have triggered this bug with a PoC plus GDB to pause one thread (no
other `cheating').

(Theoretically) Race condition exploitation techniques such as expRace
[1] or CardShark [2] may help trigger it.

Xiang

[1]: https://www.usenix.org/conference/usenixsecurity21/presentation/lee-yoochan
[2]: https://www.usenix.org/conference/usenixsecurity24/presentation/han-tianshuo

> Reviewed-by: Jiayuan Chen <jiayuan.chen@linux.dev>
>

Re: [PATCH net] net, bpf: check master for NULL in xdp_master_redirect()

[Jakub Kicinski]

On Sun, 21 Jun 2026 18:28:09 -0700 Xiang Mei wrote:
> > > diff --git a/net/core/filter.c b/net/core/filter.c
> > > index 40037413dd4e..6037860d5283 100644
> > > --- a/net/core/filter.c
> > > +++ b/net/core/filter.c
> > > @@ -4430,7 +4430,7 @@ u32 xdp_master_redirect(struct xdp_buff *xdp)
> > >       struct net_device *master, *slave;
> > >
> > >       master = netdev_master_upper_dev_get_rcu(xdp->rxq->dev);
> > > -     if (unlikely(!(master->flags & IFF_UP)))
> > > +     if (unlikely(!master || !(master->flags & IFF_UP)))
> > >               return XDP_ABORTED;  
> >
> >
> > I recall that when I previously modified this code, I removed the
> > !master check
> >
> > because this is on the fastpath. However, since this is a triggerable bug,
> > I think adding it here is fine.
>
> Thanks for the review. It's difficult to hit under normal statue, but
> the bug is real.
> We have triggered this bug with a PoC plus GDB to pause one thread (no
> other `cheating').

Can you double-confirm that this triggers on current HEAD
of linux/master ? I thought commit 2674d603a9e6 ("vrf: Fix a potential
NPD when removing a port from a VRF") was supposed to prevent all the
torn master fetches. Adding VRF folks to CC.

Re: [PATCH net] net, bpf: check master for NULL in xdp_master_redirect()

[Xiang Mei]

On Mon, Jun 22, 2026 at 3:58 PM Jakub Kicinski <kuba@kernel.org> wrote:
>
> On Sun, 21 Jun 2026 18:28:09 -0700 Xiang Mei wrote:
> > > > diff --git a/net/core/filter.c b/net/core/filter.c
> > > > index 40037413dd4e..6037860d5283 100644
> > > > --- a/net/core/filter.c
> > > > +++ b/net/core/filter.c
> > > > @@ -4430,7 +4430,7 @@ u32 xdp_master_redirect(struct xdp_buff *xdp)
> > > >       struct net_device *master, *slave;
> > > >
> > > >       master = netdev_master_upper_dev_get_rcu(xdp->rxq->dev);
> > > > -     if (unlikely(!(master->flags & IFF_UP)))
> > > > +     if (unlikely(!master || !(master->flags & IFF_UP)))
> > > >               return XDP_ABORTED;
> > >
> > >
> > > I recall that when I previously modified this code, I removed the
> > > !master check
> > >
> > > because this is on the fastpath. However, since this is a triggerable bug,
> > > I think adding it here is fine.
> >
> > Thanks for the review. It's difficult to hit under normal statue, but
> > the bug is real.
> > We have triggered this bug with a PoC plus GDB to pause one thread (no
> > other `cheating').
>
> Can you double-confirm that this triggers on current HEAD
> of linux/master ? I thought commit 2674d603a9e6 ("vrf: Fix a potential
> NPD when removing a port from a VRF") was supposed to prevent all the
> torn master fetches. Adding VRF folks to CC.

Yes.

We have triggered the crash on 56abdaebbf0da304b860bed1f2b5a85f5a6a16a0,
which is the latest for net.git, and 2674d603a9e6 was applied. We can
still trigger the crash:
```
[    0.516445] BUG: kernel NULL pointer dereference, address: 00000000000000b0
[    0.516448] bond1: (slave veth1): Releasing backup interface
[    0.516732] #PF: supervisor read access in kernel mode
[    0.516733] #PF: error_code(0x0000) - not-present page
[    0.516734] PGD 102597067 P4D 102597067 PUD 102598067 PMD 0
[    0.516736] Oops: Oops: 0000 [#1] SMP NOPTI
[    0.517948] CPU: 0 UID: 0 PID: 133 Comm: exploit Not tainted 7.1.0+
#19 PREEMPTLAZY
[    0.518320] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
BIOS rel-1.17.0-0-gb52ca86e094d-prebuilt.qemu.org 04/01/2014
[    0.518796] RIP: 0010:xdp_master_redirect+0x5f/0xc0
[    0.519019] Code: 00 48 c7 43 10 00 00 00 00 48 c7 43 18 00 00 00
00 c7 43 20 00 00 00 00 89 43 38 48 8b 45 20 48 8b 38 e8 94 a0 fb ff
48 89 c7 0
[    0.519795] RSP: 0018:ffffc90000003b98 EFLAGS: 00010246
[    0.520028] RAX: 0000000000000000 RBX: ffffc90000003ee8 RCX: ffff88810268cd02
[    0.520336] RDX: ffffffffc0000654 RSI: ffffc90000121060 RDI: 0000000000000000
[    0.520657] RBP: ffffc90000003c18 R08: 0000000000000040 R09: ffffc90000121000
[    0.521003] R10: 0000000000000001 R11: ffffc90000003ff8 R12: 000000000000000e
[    0.521322] R13: 0000000000000008 R14: ffff88810268cd42 R15: 0000000000000003
[    0.521617] FS:  00007d34bc6546c0(0000) GS:ffff888197ac5000(0000)
knlGS:0000000000000000
[    0.521964] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[    0.522215] CR2: 00000000000000b0 CR3: 0000000102590003 CR4: 0000000000772ef0
[    0.522513] PKRU: 55555554
[    0.522632] Call Trace:
[    0.522747]  <IRQ>
[    0.522841]  bpf_prog_run_generic_xdp+0x39c/0x3b0
[    0.523057]  do_xdp_generic+0x1a0/0x350
[    0.523221]  __netif_receive_skb_core.constprop.0+0x5c6/0xce0
...
```

Thanks,
Xiang

Re: [PATCH net] net, bpf: check master for NULL in xdp_master_redirect()

[Ido Schimmel]

On Mon, Jun 22, 2026 at 04:34:06PM -0700, Xiang Mei wrote:
> On Mon, Jun 22, 2026 at 3:58 PM Jakub Kicinski <kuba@kernel.org> wrote:
> > Can you double-confirm that this triggers on current HEAD
> > of linux/master ? I thought commit 2674d603a9e6 ("vrf: Fix a potential
> > NPD when removing a port from a VRF") was supposed to prevent all the
> > torn master fetches. Adding VRF folks to CC.
> 
> Yes.
> 
> We have triggered the crash on 56abdaebbf0da304b860bed1f2b5a85f5a6a16a0,
> which is the latest for net.git, and 2674d603a9e6 was applied. We can
> still trigger the crash:

2674d603a9e6 was only for VRF ports, so it doesn't help with this case
(bond port). Also, the problem that 2674d603a9e6 fixed is a bit
different. We had a NULL check after netdev_master_upper_dev_get_rcu(),
but the issue was that this master device was not necessarily a VRF
master.

Looking at __bond_release_one(), assuming that
netdev_master_upper_dev_get_rcu() returned a master device, I believe it
must be a bond because you have a synchronize_rcu() after
bond_upper_dev_unlink().