CVE-2026-23310

Summary

In the Linux kernel, the following vulnerability has been resolved:

bpf/bonding: reject vlan+srcmac xmit_hash_policy change when XDP is loaded

bond_option_mode_set() already rejects mode changes that would make a loaded XDP program incompatible via bond_xdp_check(). However, bond_option_xmit_hash_policy_set() has no such guard.

For 802.3ad and balance-xor modes, bond_xdp_check() returns false when xmit_hash_policy is vlan+srcmac, because the 802.1q payload is usually absent due to hardware offload. This means a user can:

  1. Attach a native XDP program to a bond in 802.3ad/balance-xor mode with a compatible xmit_hash_policy (e.g. layer2+3).
  2. Change xmit_hash_policy to vlan+srcmac while XDP remains loaded.

This leaves bond->xdp_prog set but bond_xdp_check() now returning false for the same device. When the bond is later destroyed, dev_xdp_uninstall() calls bond_xdp_set(dev, NULL, NULL) to remove the program, which hits the bond_xdp_check() guard and returns -EOPNOTSUPP, triggering:

WARN_ON(dev_xdp_install(dev, mode, bpf_op, NULL, 0, NULL))

Fix this by rejecting xmit_hash_policy changes to vlan+srcmac when an XDP program is loaded on a bond in 802.3ad or balance-xor mode.

commit 39a0876d595b ("net, bonding: Disallow vlan+srcmac with XDP") introduced bond_xdp_check() which returns false for 802.3ad/balance-xor modes when xmit_hash_policy is vlan+srcmac. The check was wired into bond_xdp_set() to reject XDP attachment with an incompatible policy, but the symmetric path – preventing xmit_hash_policy from being changed to an incompatible value after XDP is already loaded – was left unguarded in bond_option_xmit_hash_policy_set().

Note: commit 094ee6017ea0 ("bonding: check xdp prog when set bond mode") later added a similar guard to bond_option_mode_set(), but bond_option_xmit_hash_policy_set() remained unprotected.

Affected Software

VendorProductVersion RangeStatus
LinuxLinux39a0876d595bd7c7512782dfcce0ee66f65bf221 < 0a80e6ecaf669c77260b44254f4a84d76bf83e89affected
LinuxLinux39a0876d595bd7c7512782dfcce0ee66f65bf221 < 5c262bd0e39320a6d6c8277cb8349ce21c01b8c1affected
LinuxLinux39a0876d595bd7c7512782dfcce0ee66f65bf221 < d36ad7e126c6a0c5f699583309ccc37e3a3263eaaffected
LinuxLinux39a0876d595bd7c7512782dfcce0ee66f65bf221 < 0ace8027e41f6f094ef6c1aca42d2ed6cd7af54eaffected
LinuxLinux39a0876d595bd7c7512782dfcce0ee66f65bf221 < e85fa809e507b9d8eff4840888b8c727e4e8448caffected
LinuxLinux39a0876d595bd7c7512782dfcce0ee66f65bf221 < 479d589b40b836442bbdadc3fdb37f001bb67f26affected
LinuxLinux5.15affected
LinuxLinux0 < 5.15unaffected
LinuxLinux6.1.176 <= 6.1.*unaffected
LinuxLinux6.6.130 <= 6.6.*unaffected
LinuxLinux6.12.77 <= 6.12.*unaffected
LinuxLinux6.18.17 <= 6.18.*unaffected
LinuxLinux6.19.7 <= 6.19.*unaffected
LinuxLinux7.0 <= *unaffected

Weaknesses

References