git.ipfire.org Git - thirdparty/kernel/linux.git/commitdiff
net: bonding: fix NULL pointer dereference in bond_do_ioctl()
author ZhaoJinming <zhaojinming@uniontech.com>
Mon, 1 Jun 2026 08:56:49 +0000 (16:56 +0800)
committer Paolo Abeni <pabeni@redhat.com>
Thu, 4 Jun 2026 09:38:51 +0000 (11:38 +0200)
In bond_do_ioctl(), slave_dev is obtained via __dev_get_by_name() which
can return NULL if the requested interface name does not exist. However,
the subsequent slave_dbg() call is placed before the NULL check:

    slave_dev = __dev_get_by_name(net, ifr->ifr_slave);
    slave_dbg(bond_dev, slave_dev, "slave_dev=%p:\n", slave_dev); //here
    if (!slave_dev)
        return -ENODEV;

The slave_dbg() macro expands to netdev_dbg(bond_dev, "(slave %s): " fmt,
(slave_dev)->name, ...) which unconditionally dereferences slave_dev->name
before the NULL check is performed. This results in a NULL pointer
dereference kernel oops when a user calls bonding ioctl (e.g.
SIOCBONDENSLAVE, SIOCBONDRELEASE, etc.) with a non-existent slave
interface name.

This is reachable from userspace via the bonding ioctl interface with
CAP_NET_ADMIN capability, making it a potential local denial-of-service
vector.

Fix by moving the slave_dbg() call after the NULL check.

Fixes: e2a7420df2e0 ("bonding/main: convert to using slave printk macros")
Cc: stable@vger.kernel.org # v5.2+
Signed-off-by: ZhaoJinming <zhaojinming@uniontech.com>
Link: https://patch.msgid.link/20260601085649.4029067-1-zhaojinming@uniontech.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
drivers/net/bonding/bond_main.c

index 82e779f7916b56db4349905e7171d140d1f68862..8e75453ce0efd13931c8214dd4281f1f296f0fc3 100644 (file)
@@ -4621,11 +4621,11 @@ static int bond_do_ioctl(struct net_device *bond_dev, struct ifreq *ifr, int cmd
 
        slave_dev = __dev_get_by_name(net, ifr->ifr_slave);
 
-       slave_dbg(bond_dev, slave_dev, "slave_dev=%p:\n", slave_dev);
-
        if (!slave_dev)
                return -ENODEV;
 
+       slave_dbg(bond_dev, slave_dev, "slave_dev=%p:\n", slave_dev);
+
        switch (cmd) {
        case SIOCBONDENSLAVE:
                res = bond_enslave(bond_dev, slave_dev, NULL);
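Review bot: The relocated slave_dbg() after the `if (!slave_dev)` check still passes slave_dev as a "%p" argument, which can no longer be NULL at that point and is printed hashed by %p, so the message adds little beyond the "(slave %s)" prefix the macro already emits; consider dropping the pointer argument or the message altogether. The `return -ENODEV` path now produces no debug output at all, so if a trace of failed lookups is wanted, a netdev_dbg(bond_dev, ...) call that does not touch slave_dev could go just before the return. Since the commit message attributes the oops to slave_dbg() dereferencing (slave_dev)->name unconditionally, a short comment here noting that the macro requires a non-NULL slave_dev would help keep the ordering from being reversed again.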