From: Jiayuan Chen <jiayuan.chen@linux.dev>
To: Ido Schimmel <idosch@nvidia.com>, Xiang Mei <xmei5@asu.edu>
Cc: Jakub Kicinski <kuba@kernel.org>,
Daniel Borkmann <daniel@iogearbox.net>,
Martin KaFai Lau <martin.lau@linux.dev>,
Jesper Dangaard Brouer <hawk@kernel.org>,
netdev@vger.kernel.org, bpf@vger.kernel.org,
John Fastabend <john.fastabend@gmail.com>,
Stanislav Fomichev <sdf@fomichev.me>,
Alexei Starovoitov <ast@kernel.org>,
Jussi Maki <joamaki@gmail.com>, Paolo Abeni <pabeni@redhat.com>,
Weiming Shi <bestswngs@gmail.com>,
Ido Schimmel <idosch@idosch.org>, David Ahern <dsahern@gmail.com>
Subject: Re: [PATCH net] net, bpf: check master for NULL in xdp_master_redirect()
Date: Tue, 23 Jun 2026 18:08:19 +0800 [thread overview]
Message-ID: <3953e554-9bc4-419e-ac9f-aea3b9fd7b80@linux.dev> (raw)
In-Reply-To: <20260623065218.GA378121@shredder>
On 6/23/26 2:52 PM, Ido Schimmel wrote:
> On Mon, Jun 22, 2026 at 04:34:06PM -0700, Xiang Mei wrote:
>> On Mon, Jun 22, 2026 at 3:58 PM Jakub Kicinski <kuba@kernel.org> wrote:
>>> Can you double-confirm that this triggers on current HEAD
>>> of linux/master ? I thought commit 2674d603a9e6 ("vrf: Fix a potential
>>> NPD when removing a port from a VRF") was supposed to prevent all the
>>> torn master fetches. Adding VRF folks to CC.
>> Yes.
>>
>> We have triggered the crash on 56abdaebbf0da304b860bed1f2b5a85f5a6a16a0,
>> which is the latest for net.git, and 2674d603a9e6 was applied. We can
>> still trigger the crash:
> 2674d603a9e6 was only for VRF ports, so it doesn't help with this case
> (bond port). Also, the problem that 2674d603a9e6 fixed is a bit
> different. We had a NULL check after netdev_master_upper_dev_get_rcu(),
> but the issue was that this master device was not necessarily a VRF
> master.
Agree, it seems that 2674d603a9e6 only focus on VRF side.
>
> Looking at __bond_release_one(), assuming that
> netdev_master_upper_dev_get_rcu() returned a master device, I believe it
> must be a bond because you have a synchronize_rcu() after
> bond_upper_dev_unlink().
Right, synchronize_rcu() only guarantees that the master device is not freed
while our RCU reader is operating on it, but it does not guarantee that
we can successfully acquire the master device. We still need NULL check
here.
prev parent reply other threads:[~2026-06-23 10:08 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-20 20:15 [PATCH net] net, bpf: check master for NULL in xdp_master_redirect() Xiang Mei
2026-06-22 1:21 ` Jiayuan Chen
2026-06-22 1:28 ` Xiang Mei
2026-06-22 22:58 ` Jakub Kicinski
2026-06-22 23:34 ` Xiang Mei
2026-06-23 6:52 ` Ido Schimmel
2026-06-23 10:08 ` Jiayuan Chen [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=3953e554-9bc4-419e-ac9f-aea3b9fd7b80@linux.dev \
--to=jiayuan.chen@linux.dev \
--cc=ast@kernel.org \
--cc=bestswngs@gmail.com \
--cc=bpf@vger.kernel.org \
--cc=daniel@iogearbox.net \
--cc=dsahern@gmail.com \
--cc=hawk@kernel.org \
--cc=idosch@idosch.org \
--cc=idosch@nvidia.com \
--cc=joamaki@gmail.com \
--cc=john.fastabend@gmail.com \
--cc=kuba@kernel.org \
--cc=martin.lau@linux.dev \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=sdf@fomichev.me \
--cc=xmei5@asu.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox