Commit e1f746f6 authored Oct 14, 2024 by Nikolay Aleksandrov Committed by Dong Chenchen Oct 14, 2024

bonding: fix null pointer deref in bond_ipsec_offload_ok

stable inclusion
from stable-v5.10.225
commit 81216b9352be43f8958092d379f6dec85443c309
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAOXZB
CVE: CVE-2024-44990

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=81216b9352be43f8958092d379f6dec85443c309



--------------------------------

[ Upstream commit 95c90e4ad89d493a7a14fa200082e466e2548f9d ]

We must check if there is an active slave before dereferencing the pointer.

Fixes: 18cb261a ("bonding: support hardware encryption offload to slaves")
Signed-off-by: Nikolay Aleksandrov <razor@blackwall.org>
Reviewed-by: Hangbin Liu <liuhangbin@gmail.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Dong Chenchen <dongchenchen2@huawei.com>

parent b019fa32

drivers/net/bonding/bond_main.c

+2 −0

Original line number	Diff line number	Diff line
		@@ -576,6 +576,8 @@ static bool bond_ipsec_offload_ok(struct sk_buff skb, struct xfrm_state xs)
		bond = netdev_priv(bond_dev);
		rcu_read_lock();
		curr_active = rcu_dereference(bond->curr_active_slave);
		if (!curr_active)
		goto out;
		real_dev = curr_active->dev;

		if (BOND_MODE(bond) != BOND_MODE_ACTIVEBACKUP)