CVE-2026-53069

In the Linux kernel, the following vulnerability has been resolved:

net, bpf: fix null-ptr-deref in xdp master redirect() for down master

syzkaller reported a kernel panic in bond rr gen slave id() reached via xdp master redirect(). Full decoded trace:

bond rr gen slave id() dereferences bond->rr tx counter, a per-CPU counter that bonding only allocates in bond open() when the mode is round-robin. If the bond device was never brought up, rr tx counter stays NULL.

The XDP redirect path can still reach that code on a bond that was never opened: bpf master redirect enabled key is a global static key, so as soon as any bond device has native XDP attached, the XDP TX -> xdp master redirect() interception is enabled for every slave system-wide. The path xdp master redirect() -> bond xdp get xmit slave() -> bond xdp xmit roundrobin slave get() -> bond rr gen slave id() then runs against a bond that has no rr tx counter and crashes.

Fix this in the generic xdp master redirect() by refusing to call into the master's ->ndo xdp get xmit slave() when the master device is not up. IFF UP is only set after ->ndo open() has successfully returned, so this reliably excludes masters whose XDP state has not been fully initialized. Drop the frame with XDP ABORTED so the exception is visible via trace xdp exception() rather than silently falling through. This is not specific to bonding: any current or future master that defers XDP state allocation to ->ndo open() is protected.