public inbox for stable@vger.kernel.org
From: Greg KH <gregkh@linuxfoundation.org>
To: Chenglong Tang <chenglongtang@google.com>
Cc: stable@vger.kernel.org, xmei5@asu.edu, pabeni@redhat.com,
	sashal@kernel.org, Kevin Berry <kpberry@google.com>,
	Lee Jones <joneslee@google.com>
Subject: Re: [PATCH 6.12.y] net: bonding: fix use-after-free in bond_xmit_broadcast()
Date: Mon, 13 Apr 2026 13:51:12 +0200
Message-ID: <2026041300-devotee-glowworm-db70@gregkh>
In-Reply-To: <CAOdxtTZ7=S=oEK1TPHoXWtw9V6=QWh5Jygad_-SjtF66_vv-cQ@mail.gmail.com>

On Fri, Apr 10, 2026 at 02:09:42PM -0700, Chenglong Tang wrote:
> commit 2884bf72fb8f03409e423397319205de48adca16 upstream.
> 
> bond_xmit_broadcast() reuses the original skb for the last slave
> (determined by bond_is_last_slave()) and clones it for others.
> Concurrent slave enslave/release can mutate the slave list during
> RCU-protected iteration, changing which slave is "last" mid-loop. This
> causes the original skb to be double-consumed (double-freed).
> 
> Replace the racy bond_is_last_slave() check with a simple index
> comparison (i + 1 == slaves_count) against the pre-snapshot slave
> count taken via READ_ONCE() before the loop. This preserves the
> zero-copy optimization for the last slave while making the "last"
> determination stable against concurrent list mutations.
> 
> The UAF can trigger the following crash:
> ==================================================================
> BUG: KASAN: slab-use-after-free in skb_clone
> Read of size 8 at addr ffff888100ef8d40 by task exploit/147
> CPU: 1 UID: 0 PID: 147 Comm: exploit Not tainted 7.0.0-rc3+ #4 PREEMPTLAZY
> Call Trace:
>  <TASK>
>  dump_stack_lvl (lib/dump_stack.c:123)
>  print_report (mm/kasan/report.c:379 mm/kasan/report.c:482)
>  kasan_report (mm/kasan/report.c:597)
>  skb_clone (include/linux/skbuff.h:1724 include/linux/skbuff.h:1792 include/linux/skbuff.h:3396 net/core/skbuff.c:2108)
>  bond_xmit_broadcast (drivers/net/bonding/bond_main.c:5334)
>  bond_start_xmit (drivers/net/bonding/bond_main.c:5567 drivers/net/bonding/bond_main.c:5593)
>  dev_hard_start_xmit (include/linux/netdevice.h:5325 include/linux/netdevice.h:5334 net/core/dev.c:3871 net/core/dev.c:3887)
>  __dev_queue_xmit (include/linux/netdevice.h:3601 net/core/dev.c:4838)
>  ip6_finish_output2 (include/net/neighbour.h:540 include/net/neighbour.h:554 net/ipv6/ip6_output.c:136)
>  ip6_finish_output (net/ipv6/ip6_output.c:208 net/ipv6/ip6_output.c:219)
>  ip6_output (net/ipv6/ip6_output.c:250)
>  ip6_send_skb (net/ipv6/ip6_output.c:1985)
>  udp_v6_send_skb (net/ipv6/udp.c:1442)
>  udpv6_sendmsg (net/ipv6/udp.c:1733)
>  __sys_sendto (net/socket.c:730 net/socket.c:742 net/socket.c:2206)
>  __x64_sys_sendto (net/socket.c:2209)
>  do_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94)
>  entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
>  </TASK>
> 
> Allocated by task 147:
> 
> Freed by task 147:
> 
> The buggy address belongs to the object at ffff888100ef8c80
>  which belongs to the cache skbuff_head_cache of size 224
> The buggy address is located 192 bytes inside of
>  freed 224-byte region [ffff888100ef8c80, ffff888100ef8d60)
> 
> Memory state around the buggy address:
>  ffff888100ef8c00: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
>  ffff888100ef8c80: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> >ffff888100ef8d00: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
>                                            ^
>  ffff888100ef8d80: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
>  ffff888100ef8e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> ==================================================================
> 
> 
> Fixes: 4e5bd03ae346 ("net: bonding: fix bond_xmit_broadcast return value error bug")
> Reported-by: Weiming Shi <bestswngs@gmail.com>
> Signed-off-by: Xiang Mei <xmei5@asu.edu>
> Signed-off-by: Paolo Abeni <pabeni@redhat.com>
> [Kevin Berry <kpberry@google.com>: fixed merge conflicts and adapted to 6.12 struct]
> Signed-off-by: Chenglong Tang <chenglongtang@google.com>
> 
> diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
> index 2ac455a9d1bb..fb8d7fec27ee 100644
> --- a/drivers/net/bonding/bond_main.c
> +++ b/drivers/net/bonding/bond_main.c
> @@ -5346,23 +5346,33 @@ static netdev_tx_t bond_3ad_xor_xmit(struct
> sk_buff *skb,
> return bond_tx_drop(dev, skb);
> }
> -/* in broadcast mode, we send everything to all usable interfaces. */
> +/* in broadcast mode, we send everything to all or usable slave interfaces.
> + * under rcu_read_lock when this function is called.
> + */
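Review bot: the hunk cannot apply as sent because the mail client has re-wrapped it: the `@@ -5346,23 +5346,33 @@` header is split over two lines (`... bond_3ad_xor_xmit(struct` / `sk_buff *skb,`), the context lines `return bond_tx_drop(dev, skb);` and `}` have lost the leading space a unified diff requires, and the hunk stops after three `+` lines although the header announces 23 old and 33 new lines, so the index-comparison change the commit message describes is not in the mail at all. Resend with git send-email (or git format-patch output passed through unmodified) so whitespace and line breaks survive. Also, the new comment text `all or usable slave interfaces` reads like a typo for `all usable slave interfaces`; worth checking against the upstream commit before resending.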

This is totally corrupted and can not be applied :(
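The race the quoted commit message describes and the snapshot-count fix, reduced to a constructed userspace C model (added here; this is neither the kernel's code nor the patch's): the slave list is a bare count, a concurrent enslave is injected after a chosen loop index, and every touch of the original skb after it has been consumed is counted as a use-after-free. The racy variant re-checks "last" against the live list as bond_is_last_slave() did; the fixed variant compares the index against a count snapshotted before the loop, as the patch does with READ_ONCE(). The loop bound, the all-slaves-up assumption and the enslave_at parameter are simplifications of the model.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed userspace model of bond_xmit_broadcast()'s skb reuse: the last
 * slave gets the original skb, the others a clone. All slaves are assumed up. */
struct skb { bool consumed; int uaf; };
struct bond { int slave_cnt; };            /* the live slave list, reduced to a count */
static void enslave(struct bond *b) { b->slave_cnt++; }  /* concurrent enslave */
/* Once the original skb is consumed (freed by the driver), any further touch,
 * whether skb_clone() or a second consume, is the use-after-free. */
static void xmit_one(struct skb *skb, bool is_last)
{
    if (skb->consumed)
        skb->uaf++;
    if (is_last)
        skb->consumed = true;
}

/* Old behaviour: "last" is re-checked against the live list on every step, like
 * bond_is_last_slave(). enslave_at: index after which an enslave races in (-1: none). */
static int xmit_broadcast_racy(struct bond *b, struct skb *skb, int enslave_at)
{
    for (int i = 0; i < b->slave_cnt; i++) {
        xmit_one(skb, i + 1 == b->slave_cnt);  /* racy "last" decision */
        if (i == enslave_at)
            enslave(b);                        /* a new "last" appears mid-loop */
    }
    return skb->uaf;                           /* number of uses after free */
}

/* Fixed behaviour: snapshot the count once (READ_ONCE(bond->slave_cnt) in the
 * kernel) and compare i + 1 against it; a later list change cannot move "last". */
static int xmit_broadcast_fixed(struct bond *b, struct skb *skb, int enslave_at)
{
    int slaves_count = b->slave_cnt;           /* pre-loop snapshot */
    for (int i = 0; i < slaves_count; i++) {
        xmit_one(skb, i + 1 == slaves_count);  /* stable "last" decision */
        if (i == enslave_at)
            enslave(b);                        /* new slave gets the next skb instead */
    }
    return skb->uaf;
}

int main(void)
{
    struct bond b1 = { 3 }, b2 = { 3 };
    struct skb s1 = { false, 0 }, s2 = { false, 0 };
    printf("racy: %d UAF, fixed: %d UAF\n", xmit_broadcast_racy(&b1, &s1, 2),
           xmit_broadcast_fixed(&b2, &s2, 2));
}
```

With three slaves and an enslave landing right after the third was handed the original skb, the racy loop visits a fourth slave and touches the freed skb once, while the snapshot variant never does.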


Thread overview: 4+ messages
2026-04-10 21:09 [PATCH 6.12.y] net: bonding: fix use-after-free in bond_xmit_broadcast() Chenglong Tang
2026-04-13 11:51 ` Greg KH [this message]
  -- strict thread matches above, loose matches on Subject: below --
2026-04-13 21:34 Chenglong Tang
2026-04-13 21:54 ` Xiang Mei
