Date: Wed, 6 May 2026 15:38:30 +0200
From: Greg KH
To: Yunseong Kim
Cc: stable@vger.kernel.org, sashal@kernel.org, Nikolay Aleksandrov, Chen Zhen, Jussi Maki, Daniel Borkmann, Paolo Abeni, ysk@kzalloc.com, 42.4.sejin@gmail.com
Subject: Re: [PATCH 6.1.y v2] bonding: fix use-after-free due to enslave fail after slave array update
Message-ID: <2026050615-quality-zit-9270@gregkh>
References: <20260506131319.525949-2-yunseong.kim@est.tech>
In-Reply-To: <20260506131319.525949-2-yunseong.kim@est.tech>
X-Mailing-List: stable@vger.kernel.org

On Wed, May 06, 2026 at 03:13:20PM +0200, Yunseong Kim wrote:
> From: Nikolay Aleksandrov
>
> [ Upstream commit e9acda52fd2ee0cdca332f996da7a95c5fd25294 ]
>
> Fix a use-after-free which happens due to enslave failure after the new
> slave has been added to the array. Since the new slave can be used for Tx
> immediately, we can use it after it has been freed by the enslave error
> cleanup path which frees the allocated slave memory. Slave update array is
> supposed to be called last when further enslave failures are not expected.
> Move it after xdp setup to avoid any problems.
>
> It is very easy to reproduce the problem with a simple xdp_pass prog:
> ip l add bond1 type bond mode balance-xor
> ip l set bond1 up
> ip l set dev bond1 xdp object xdp_pass.o sec xdp_pass
> ip l add dumdum type dummy
>
> Then run in parallel:
> while :; do ip l set dumdum master bond1 1>/dev/null 2>&1; done;
> mausezahn bond1 -a own -b rand -A rand -B 1.1.1.1 -c 0 -t tcp "dp=1-1023, flags=syn"
>
> The crash happens almost immediately:
> [  605.602850] Oops: general protection fault, probably for non-canonical address 0xe0e6fc2460000137: 0000 [#1] SMP KASAN NOPTI
> [  605.602916] KASAN: maybe wild-memory-access in range [0x07380123000009b8-0x07380123000009bf]
> [  605.602946] CPU: 0 UID: 0 PID: 2445 Comm: mausezahn Kdump: loaded Tainted: G    B    6.19.0-rc6+ #21 PREEMPT(voluntary)
> [  605.602979] Tainted: [B]=BAD_PAGE
> [  605.602998] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
> [  605.603032] RIP: 0010:netdev_core_pick_tx+0xcd/0x210
> [  605.603063] Code: 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 3e 01 00 00 48 b8 00 00 00 00 00 fc ff df 4c 8b 6b 08 49 8d 7d 30 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 25 01 00 00 49 8b 45 30 4c 89 e2 48 89 ee 48 89
> [  605.603111] RSP: 0018:ffff88817b9af348 EFLAGS: 00010213
> [  605.603145] RAX: dffffc0000000000 RBX: ffff88817d28b420 RCX: 0000000000000000
> [  605.603172] RDX: 00e7002460000137 RSI: 0000000000000008 RDI: 07380123000009be
> [  605.603199] RBP: ffff88817b541a00 R08: 0000000000000001 R09: fffffbfff3ed8c0c
> [  605.603226] R10: ffffffff9f6c6067 R11: 0000000000000001 R12: 0000000000000000
> [  605.603253] R13: 073801230000098e R14: ffff88817d28b448 R15: ffff88817b541a84
> [  605.603286] FS:  00007f6570ef67c0(0000) GS:ffff888221dfa000(0000) knlGS:0000000000000000
> [  605.603319] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [  605.603343] CR2: 00007f65712fae40 CR3: 000000011371b000 CR4: 0000000000350ef0
> [  605.603373] Call Trace:
> [  605.603392]
> [  605.603410]  __dev_queue_xmit+0x448/0x32a0
> [  605.603434]  ? __pfx_vprintk_emit+0x10/0x10
> [  605.603461]  ? __pfx_vprintk_emit+0x10/0x10
> [  605.603484]  ? __pfx___dev_queue_xmit+0x10/0x10
> [  605.603507]  ? bond_start_xmit+0xbfb/0xc20 [bonding]
> [  605.603546]  ? _printk+0xcb/0x100
> [  605.603566]  ? __pfx__printk+0x10/0x10
> [  605.603589]  ? bond_start_xmit+0xbfb/0xc20 [bonding]
> [  605.603627]  ? add_taint+0x5e/0x70
> [  605.603648]  ? add_taint+0x2a/0x70
> [  605.603670]  ? end_report.cold+0x51/0x75
> [  605.603693]  ? bond_start_xmit+0xbfb/0xc20 [bonding]
> [  605.603731]  bond_start_xmit+0x623/0xc20 [bonding]
>
> Backport commit:
>
> commit e0caeb24f538 ("net: bonding: update the slave array for broadcast mode")
>
> The BOND_MODE_BROADCAST condition was removed. Because introduced by
> supporting commit on the v6.17-rc1:
>
> commit ce7a381697cb ("net: bonding: add broadcast_neighbor option for 802.3ad")
>
> Neither of which is present in this kernel version.
>
> Fixes: 9e2ee5c7e7c3 ("net, bonding: Add XDP support to the bonding driver")
> Signed-off-by: Nikolay Aleksandrov
> Reported-by: Chen Zhen
> Closes: https://lore.kernel.org/netdev/fae17c21-4940-5605-85b2-1d5e17342358@huawei.com/
> CC: Jussi Maki
> CC: Daniel Borkmann
> Acked-by: Daniel Borkmann
> Link: https://patch.msgid.link/20260123120659.571187-1-razor@blackwall.org
> Signed-off-by: Paolo Abeni
> Signed-off-by: Sasha Levin
> Tested-by: Yunseong Kim
> Signed-off-by: Yunseong Kim
> ---
>  drivers/net/bonding/bond_main.c | 6 +++---
>  1 file changed, 3 insertions(+), 3 deletions(-)

What changed from v1?
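Added example, not the bonding driver's code and not part of the patch or this thread: a single-threaded C model of the ordering problem the quoted commit message describes. The names (`slave_arr`, `update_slave_arr`, `setup_xdp`, `enslave_buggy`, `enslave_fixed`, `tx_pick_slave`) are hypothetical stand-ins for the driver's own functions, a static pool with a `freed` flag stands in for kmalloc/kfree so the dangling entry can be inspected without touching freed memory, and the XDP failure is an injected fault. In the real driver the window is the concurrent Tx between the array update and the error cleanup; the model shows the invariant behind the fix: a resource published into a structure that other contexts read must be published only after every fallible setup step has succeeded, otherwise the error path leaves a dangling reference that the Tx path will follow.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MAX_SLAVES 4

struct slave {
    char name[16];
    bool freed;   /* constructed marker: "memory returned to the allocator" */
};

/* Tx-readable array: stands in for the published slave array that the
 * transmit path picks from without holding the enslave lock. */
static struct slave *slave_arr[MAX_SLAVES];
static int slave_count;

/* Static pool instead of kmalloc/kfree so a dangling entry is safe to inspect. */
static struct slave pool[MAX_SLAVES];
static int pool_next;

void reset_bond(void)
{
    memset(slave_arr, 0, sizeof(slave_arr));
    slave_count = 0;
    memset(pool, 0, sizeof(pool));
    pool_next = 0;
}

static struct slave *alloc_slave(const char *name)
{
    if (pool_next >= MAX_SLAVES)
        return NULL;
    struct slave *s = &pool[pool_next++];
    snprintf(s->name, sizeof(s->name), "%s", name);
    s->freed = false;
    return s;
}

/* Models kfree() in the enslave error cleanup path. */
static void free_slave(struct slave *s) { s->freed = true; }

/* Models the slave array update: from here on Tx can select s. */
static void update_slave_arr(struct slave *s) { slave_arr[slave_count++] = s; }

/* Models the fallible XDP setup step; the failure is injected by the caller. */
static int setup_xdp(bool inject_failure) { return inject_failure ? -1 : 0; }

/* Pre-fix ordering: publish first, then run a step that can still fail. */
int enslave_buggy(const char *name, bool xdp_fails)
{
    struct slave *s = alloc_slave(name);
    if (!s)
        return -1;
    update_slave_arr(s);        /* Tx can already pick s */
    if (setup_xdp(xdp_fails)) {
        free_slave(s);          /* cleanup frees s, but slave_arr still points at it */
        return -1;
    }
    return 0;
}

/* Fixed ordering: publish last, once nothing below can fail. */
int enslave_fixed(const char *name, bool xdp_fails)
{
    struct slave *s = alloc_slave(name);
    if (!s)
        return -1;
    if (setup_xdp(xdp_fails)) {
        free_slave(s);          /* never published, so nothing dangles */
        return -1;
    }
    update_slave_arr(s);
    return 0;
}

/* Models the Tx-side pick: balance-xor hashes a packet to an array index. */
struct slave *tx_pick_slave(unsigned int hash)
{
    if (slave_count == 0)
        return NULL;
    return slave_arr[hash % slave_count];
}

/* Returns 1 if a Tx pick after a failed enslave lands on a freed slave, else 0. */
int tx_hits_freed_slave_after_failure(bool use_fixed_ordering)
{
    reset_bond();
    int (*enslave)(const char *, bool) = use_fixed_ordering ? enslave_fixed : enslave_buggy;
    (void)enslave("dumdum", true);            /* enslave fails at XDP setup */
    struct slave *s = tx_pick_slave(0x1234);  /* what the transmit path would use */
    return s != NULL && s->freed;
}

int main(void)
{
    printf("buggy ordering: Tx hits freed slave = %d\n", tx_hits_freed_slave_after_failure(false));
    printf("fixed ordering: Tx hits freed slave = %d\n", tx_hits_freed_slave_after_failure(true));
    return 0;
}
```

The buggy variant reports 1 because the error path frees a slave that is still reachable from `slave_arr`; the fixed variant reports 0 because the array is only written after the last point of failure, which is the same reordering the patch applies by moving the array update after the xdp setup.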