From: Hangbin Liu <liuhangbin@gmail.com>
To: Jakub Kicinski <kuba@kernel.org>
Cc: netdev@vger.kernel.org, Jay Vosburgh <jv@jvosburgh.net>,
	Andrew Lunn <andrew+netdev@lunn.ch>,
	"David S. Miller" <davem@davemloft.net>,
	Eric Dumazet <edumazet@google.com>,
	Paolo Abeni <pabeni@redhat.com>, Jiri Bohac <jbohac@suse.cz>,
	Liang Li <liali@redhat.com>,
	Nikolay Aleksandrov <nikolay@nvidia.com>
Subject: Re: [PATCHv2 net] bonding: alb: fix UAF in rlb_arp_recv during bond up/down
Date: Thu, 19 Feb 2026 13:39:42 +0000
Message-ID: <aZcSnpcDrIWogpb8@fedora>
In-Reply-To: <aZcRS0cUsAOgktMf@fedora>

On Thu, Feb 19, 2026 at 01:34:10PM +0000, Hangbin Liu wrote:
> On Wed, Feb 18, 2026 at 04:11:10PM -0800, Jakub Kicinski wrote:
> > On Wed, 18 Feb 2026 04:36:24 +0000 Hangbin Liu wrote:
> > > On Tue, Feb 17, 2026 at 04:43:55PM -0800, Jakub Kicinski wrote:
> > > > On Sat, 14 Feb 2026 09:15:41 +0000 Hangbin Liu wrote:  
> > > > > Fixes: e53665c6eaa6 ("bonding: delete migrated IP addresses from the rlb hash table")  
> > > > 
> > > > Ah, also AI says the issue existed already in 
> > > > 3aba891dde38 ("bonding: move processing of recv handlers into
> > > > handle_frame()")
> > > > not the exact trapping instruction but the hash table was used from
> > > > recv_probe so at least a UAF would happen.  
> > > 
> > > Not sure if I understand correctly. Do you mean we are still able to access
> > > rlb_arp_recv() after setting recv_probe to NULL?
> > 
> > Simply put -- wasn't there a case where rx_hashtbl was accessed after
> > being freed in 3aba891dde38 already? That commit is a year and a half
> > older than the commit you had under Fixes.
> 
> AFAIK, the UAF/null-ptr-deref issue for rx_hashtbl is introduced by
> e53665c6eaa6 ("bonding: delete migrated IP addresses from the rlb hash table"),
> which added rlb_purge_src_ip() in rlb_arp_recv().
> 
> In 3aba891dde38 ("bonding: move processing of recv handlers into handle_frame()")
> it only lets other CPUs still access rlb_arp_recv() after we set recv_probe
> to NULL. But it doesn't trigger a null-ptr-deref.

Oh, I remember now. rlb_arp_recv() also calls rlb_update_entry_from_arp(),
which could access rx_hashtbl. You are right, the Fixes tag should be
3aba891dde38 ("bonding: move processing of recv handlers into handle_frame()").

Thanks
Hangbin

