From: Greg KH <gregkh@linuxfoundation.org>
To: Chenglong Tang <chenglongtang@google.com>
Cc: stable@vger.kernel.org, xmei5@asu.edu, pabeni@redhat.com,
	sashal@kernel.org, Kevin Berry <kpberry@google.com>,
	Lee Jones <joneslee@google.com>
Subject: Re: [PATCH 6.12.y] net: bonding: fix use-after-free in bond_xmit_broadcast()
Date: Mon, 13 Apr 2026 13:51:12 +0200	[thread overview]
Message-ID: <2026041300-devotee-glowworm-db70@gregkh> (raw)
In-Reply-To: <CAOdxtTZ7=S=oEK1TPHoXWtw9V6=QWh5Jygad_-SjtF66_vv-cQ@mail.gmail.com>

On Fri, Apr 10, 2026 at 02:09:42PM -0700, Chenglong Tang wrote:
> commit 2884bf72fb8f03409e423397319205de48adca16 upstream.
> 
> bond_xmit_broadcast() reuses the original skb for the last slave
> (determined by bond_is_last_slave()) and clones it for others.
> Concurrent slave enslave/release can mutate the slave list during
> RCU-protected iteration, changing which slave is "last" mid-loop. This
> causes the original skb to be double-consumed (double-freed).
> 
> Replace the racy bond_is_last_slave() check with a simple index
> comparison (i + 1 == slaves_count) against the pre-snapshot slave
> count taken via READ_ONCE() before the loop. This preserves the
> zero-copy optimization for the last slave while making the "last"
> determination stable against concurrent list mutations.
> 
> The UAF can trigger the following crash:
> ==================================================================
> BUG: KASAN: slab-use-after-free in skb_clone
> Read of size 8 at addr ffff888100ef8d40 by task exploit/147
> CPU: 1 UID: 0 PID: 147 Comm: exploit Not tainted 7.0.0-rc3+ #4 PREEMPTLAZY
> Call Trace:
>  <TASK>
>  dump_stack_lvl (lib/dump_stack.c:123)
>  print_report (mm/kasan/report.c:379 mm/kasan/report.c:482)
>  kasan_report (mm/kasan/report.c:597)
>  skb_clone (include/linux/skbuff.h:1724 include/linux/skbuff.h:1792 include/linux/skbuff.h:3396 net/core/skbuff.c:2108)
>  bond_xmit_broadcast (drivers/net/bonding/bond_main.c:5334)
>  bond_start_xmit (drivers/net/bonding/bond_main.c:5567 drivers/net/bonding/bond_main.c:5593)
>  dev_hard_start_xmit (include/linux/netdevice.h:5325 include/linux/netdevice.h:5334 net/core/dev.c:3871 net/core/dev.c:3887)
>  __dev_queue_xmit (include/linux/netdevice.h:3601 net/core/dev.c:4838)
>  ip6_finish_output2 (include/net/neighbour.h:540 include/net/neighbour.h:554 net/ipv6/ip6_output.c:136)
>  ip6_finish_output (net/ipv6/ip6_output.c:208 net/ipv6/ip6_output.c:219)
>  ip6_output (net/ipv6/ip6_output.c:250)
>  ip6_send_skb (net/ipv6/ip6_output.c:1985)
>  udp_v6_send_skb (net/ipv6/udp.c:1442)
>  udpv6_sendmsg (net/ipv6/udp.c:1733)
>  __sys_sendto (net/socket.c:730 net/socket.c:742 net/socket.c:2206)
>  __x64_sys_sendto (net/socket.c:2209)
>  do_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94)
>  entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
>  </TASK>
> 
> Allocated by task 147:
> 
> Freed by task 147:
> 
> The buggy address belongs to the object at ffff888100ef8c80
>  which belongs to the cache skbuff_head_cache of size 224
> The buggy address is located 192 bytes inside of
>  freed 224-byte region [ffff888100ef8c80, ffff888100ef8d60)
> 
> Memory state around the buggy address:
>  ffff888100ef8c00: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
>  ffff888100ef8c80: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> >ffff888100ef8d00: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
>                                            ^
>  ffff888100ef8d80: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
>  ffff888100ef8e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> ==================================================================
> 
> 
> Fixes: 4e5bd03ae346 ("net: bonding: fix bond_xmit_broadcast return value error bug")
> Reported-by: Weiming Shi <bestswngs@gmail.com>
> Signed-off-by: Xiang Mei <xmei5@asu.edu>
> Signed-off-by: Paolo Abeni <pabeni@redhat.com>
> [Kevin Berry <kpberry@google.com>: fixed merge conflicts and adapted
> to 6.12 struct]
> Signed-off-by: Chenglong Tang <chenglongtang@google.com>
> 
> diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
> index 2ac455a9d1bb..fb8d7fec27ee 100644
> --- a/drivers/net/bonding/bond_main.c
> +++ b/drivers/net/bonding/bond_main.c
> @@ -5346,23 +5346,33 @@ static netdev_tx_t bond_3ad_xor_xmit(struct
> sk_buff *skb,
> return bond_tx_drop(dev, skb);
> }
> -/* in broadcast mode, we send everything to all usable interfaces. */
> +/* in broadcast mode, we send everything to all or usable slave interfaces.
> + * under rcu_read_lock when this function is called.
> + */
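
Review bot: the hunk as received is malformed and will not apply: the `@@ -5346,23 +5346,33 @@` header has been wrapped onto two lines (`... bond_3ad_xor_xmit(struct` / `sk_buff *skb,`), the two context lines `return bond_tx_drop(dev, skb);` and `}` have lost their leading space, and only four body lines follow where the header promises 23 removed and 33 added lines, so the part of the change the commit message actually describes (the READ_ONCE() snapshot of the slave count and the `i + 1 == slaves_count` comparison) is missing from the mail entirely. Please regenerate it with `git format-patch` and send it with `git send-email`, or as an unmodified attachment, rather than through a client that reflows long lines. Nit on the new comment text that did survive: "all or usable slave interfaces" reads as a typo for "all usable slave interfaces", and "under rcu_read_lock when this function is called." is a sentence fragment; "Called under rcu_read_lock()." would say the same thing clearly.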

This is totally corrupted and can not be applied :(
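
The race the quoted commit message describes, as an added user-space model that is not part of this thread and not kernel code: every type and function below (skb_model, bond_model, broadcast_racy, broadcast_fixed, run_scenario) is a hypothetical stand-in, the slave list is reduced to a count, and the concurrent enslave/release is scripted synchronously inside the loop instead of happening on another CPU. The racy loop answers "is this the last slave?" from the live list on every iteration, so a slave that was last when the original skb was handed to it stops being last once another slave is appended and the walk continues onto freed memory, which is exactly where the KASAN report above fires (skb_clone on a freed skb). The hardened loop compares a running index against a count snapshotted once before the loop. Leaving the loop once the original is gone, and dropping it exactly once if the list shrank so that no slave was "last", are this example's own choices and not a transcription of the merged patch.

```c
/*
 * Added illustration, not kernel code: the bond_xmit_broadcast() pattern
 * "clone the skb for every slave, hand the original to the last one", with
 * the slave list as a plain count and one scripted concurrent mutation.
 * All names are hypothetical stand-ins.
 */
#include <stdbool.h>

#define MAX_SLAVES 8

/* stand-in for an sk_buff: one legitimate free, every later touch is a UAF */
struct skb_model {
	bool freed;
	int uaf_touches;	/* what KASAN would report as slab-use-after-free */
};

struct bond_model {
	int slave_cnt;		/* live slave count, re-read by the racy walk */
	int mutate_after;	/* after serving this index the list changes (-1: never) */
	int delta;		/* +n: bond_enslave() appends n, -n: bond_release() removes n */
};

struct result {
	int uaf;		/* UAF touches observed */
	int consumed;		/* times the original skb was transmitted */
	int clones;		/* skb_clone() calls */
};

static void kfree_skb_model(struct skb_model *skb)
{
	if (skb->freed)
		skb->uaf_touches++;	/* double free */
	skb->freed = true;
}

static void skb_clone_model(struct skb_model *skb, struct result *r)
{
	if (skb->freed)
		skb->uaf_touches++;	/* the crash in the report: skb_clone() of a freed skb */
	r->clones++;
}

static void xmit_original(struct skb_model *skb, struct result *r)
{
	r->consumed++;
	kfree_skb_model(skb);		/* the slave driver owns and frees the skb from here */
}

/* the "other CPU": enslave or release between two iterations of the walk */
static void concurrent_mutation(struct bond_model *b, int just_served)
{
	int n = b->slave_cnt + b->delta;

	if (just_served == b->mutate_after && n >= 0 && n <= MAX_SLAVES)
		b->slave_cnt = n;
}

/* Racy: "last" is re-evaluated against the live list each iteration, as
 * bond_is_last_slave() did, and the walk itself follows the live list. */
static struct result broadcast_racy(struct bond_model *b, struct skb_model *skb)
{
	struct result r = { 0, 0, 0 };

	for (int i = 0; i < b->slave_cnt; i++) {
		if (i + 1 == b->slave_cnt)	/* becomes true a second time after an append */
			xmit_original(skb, &r);
		else
			skb_clone_model(skb, &r);
		concurrent_mutation(b, i);
	}
	r.uaf = skb->uaf_touches;
	return r;
}

/* Hardened: the count is snapshotted once (READ_ONCE() in the patch) and
 * "last" means index slaves_count - 1. The break and the final drop are this
 * example's choices, not a transcription of the merged patch. */
static struct result broadcast_fixed(struct bond_model *b, struct skb_model *skb)
{
	struct result r = { 0, 0, 0 };
	int slaves_count = b->slave_cnt;	/* snapshot taken before the loop */
	bool original_gone = false;

	for (int i = 0; i < b->slave_cnt; i++) {
		if (i + 1 == slaves_count) {
			xmit_original(skb, &r);
			original_gone = true;
			break;			/* skb must not be touched after this */
		}
		skb_clone_model(skb, &r);
		concurrent_mutation(b, i);
	}
	if (!original_gone)
		kfree_skb_model(skb);		/* list shrank under us: drop exactly once */
	r.uaf = skb->uaf_touches;
	return r;
}

/* run one constructed scenario from a fresh skb and report what happened */
static struct result run_scenario(bool fixed, int slave_cnt, int mutate_after, int delta)
{
	struct bond_model b = { slave_cnt, mutate_after, delta };
	struct skb_model skb = { false, 0 };

	return fixed ? broadcast_fixed(&b, &skb) : broadcast_racy(&b, &skb);
}
```

With three slaves and two more enslaved right after the third has been served, run_scenario(false, 3, 2, +2) reports two UAF touches and the original transmitted twice (one clone of the freed skb, then a second hand-off of it), while run_scenario(true, 3, 2, +2) transmits it exactly once and stops; a release during the walk, run_scenario(true, 3, 0, -1), ends with no slave being "last" and the original dropped once rather than leaked or double-freed.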


Thread overview: 5+ messages
2026-04-10 21:09 [PATCH 6.12.y] net: bonding: fix use-after-free in bond_xmit_broadcast() Chenglong Tang
2026-04-13 11:51 ` Greg KH [this message]
  -- strict thread matches above, loose matches on Subject: below --
2026-04-13 21:34 Chenglong Tang
2026-04-13 21:54 ` Xiang Mei
2026-04-27 18:42   ` Kevin Berry
