{"id":2227594,"url":"http://patchwork.ozlabs.org/api/patches/2227594/?format=json","web_url":"http://patchwork.ozlabs.org/project/ubuntu-kernel/patch/20260423204841.3528502-3-tim.whisonant@canonical.com/","project":{"id":15,"url":"http://patchwork.ozlabs.org/api/projects/15/?format=json","name":"Ubuntu Kernel","link_name":"ubuntu-kernel","list_id":"kernel-team.lists.ubuntu.com","list_email":"kernel-team@lists.ubuntu.com","web_url":null,"scm_url":null,"webscm_url":null,"list_archive_url":"","list_archive_url_format":"","commit_url_format":""},"msgid":"<20260423204841.3528502-3-tim.whisonant@canonical.com>","list_archive_url":null,"date":"2026-04-23T20:48:38","name":"[SRU,Q,1/1] net: bonding: fix use-after-free in bond_xmit_broadcast()","commit_ref":null,"pull_url":null,"state":"new","archived":false,"hash":"f3fa4c4cbbf154fd5a4a9e8ea2cccec4a9e04bb0","submitter":{"id":89903,"url":"http://patchwork.ozlabs.org/api/people/89903/?format=json","name":"Tim Whisonant","email":"tim.whisonant@canonical.com"},"delegate":null,"mbox":"http://patchwork.ozlabs.org/project/ubuntu-kernel/patch/20260423204841.3528502-3-tim.whisonant@canonical.com/mbox/","series":[{"id":501241,"url":"http://patchwork.ozlabs.org/api/series/501241/?format=json","web_url":"http://patchwork.ozlabs.org/project/ubuntu-kernel/list/?series=501241","date":"2026-04-23T20:48:36","name":"CVE-2026-31419","version":1,"mbox":"http://patchwork.ozlabs.org/series/501241/mbox/"}],"comments":"http://patchwork.ozlabs.org/api/patches/2227594/comments/","check":"pending","checks":"http://patchwork.ozlabs.org/api/patches/2227594/checks/","tags":{},"related":[],"headers":{"Return-Path":"<kernel-team-bounces@lists.ubuntu.com>","X-Original-To":"incoming@patchwork.ozlabs.org","Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=fail reason=\"signature verification failed\" (4096-bit key;\n unprotected) header.d=canonical.com header.i=@canonical.com\n header.a=rsa-sha256 
header.s=20251003 header.b=lBx22Oc+;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=lists.ubuntu.com\n (client-ip=185.125.189.65; helo=lists.ubuntu.com;\n envelope-from=kernel-team-bounces@lists.ubuntu.com;\n receiver=patchwork.ozlabs.org)"],"Received":["from lists.ubuntu.com (lists.ubuntu.com [185.125.189.65])\n\t(using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4g1wqc5r37z1yJF\n\tfor <incoming@patchwork.ozlabs.org>; Fri, 24 Apr 2026 11:49:16 +1000 (AEST)","from localhost ([127.0.0.1] helo=lists.ubuntu.com)\n\tby lists.ubuntu.com with esmtp (Exim 4.86_2)\n\t(envelope-from <kernel-team-bounces@lists.ubuntu.com>)\n\tid 1wG5fK-0007G1-36; Fri, 24 Apr 2026 01:49:10 +0000","from smtp-relay-internal-0.internal ([10.131.114.225]\n helo=smtp-relay-internal-0.canonical.com)\n by lists.ubuntu.com with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)\n (Exim 4.86_2) (envelope-from <tim.whisonant@canonical.com>)\n id 1wG0yj-0005Yo-V8\n for kernel-team@lists.ubuntu.com; Thu, 23 Apr 2026 20:48:54 +0000","from mail-ot1-f70.google.com (mail-ot1-f70.google.com\n [209.85.210.70])\n (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest\n SHA256)\n (No client certificate requested)\n by smtp-relay-internal-0.canonical.com (Postfix) with ESMTPS id 142A83FEB7\n for <kernel-team@lists.ubuntu.com>; Thu, 23 Apr 2026 20:48:53 +0000 (UTC)","by mail-ot1-f70.google.com with SMTP id\n 46e09a7af769-7dcc5fa38faso8122269a34.1\n for <kernel-team@lists.ubuntu.com>; Thu, 23 Apr 2026 13:48:53 -0700 (PDT)","from localhost (104-6-108-11.lightspeed.frokca.sbcglobal.net.\n [104.6.108.11]) by smtp.gmail.com with ESMTPSA id\n 46e09a7af769-7dce6a9405asm5540360a34.5.2026.04.23.13.48.50\n for <kernel-team@lists.ubuntu.com>\n (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 
bits=256/256);\n Thu, 23 Apr 2026 13:48:50 -0700 (PDT)"],"X-Received":["by 2002:a05:6830:8496:b0:7dc:c301:d0b7 with SMTP id\n 46e09a7af769-7dcc301e1a6mr10547924a34.28.1776977331392;\n Thu, 23 Apr 2026 13:48:51 -0700 (PDT)","by 2002:a05:6830:8496:b0:7dc:c301:d0b7 with SMTP id\n 46e09a7af769-7dcc301e1a6mr10547913a34.28.1776977330957;\n Thu, 23 Apr 2026 13:48:50 -0700 (PDT)"],"From":"Tim Whisonant <tim.whisonant@canonical.com>","To":"kernel-team@lists.ubuntu.com","Subject":"[SRU][Q][PATCH 1/1] net: bonding: fix use-after-free in\n bond_xmit_broadcast()","Date":"Thu, 23 Apr 2026 13:48:38 -0700","Message-ID":"<20260423204841.3528502-3-tim.whisonant@canonical.com>","X-Mailer":"git-send-email 2.43.0","In-Reply-To":"<20260423204841.3528502-1-tim.whisonant@canonical.com>","References":"<20260423204841.3528502-1-tim.whisonant@canonical.com>","MIME-Version":"1.0","X-BeenThere":"kernel-team@lists.ubuntu.com","X-Mailman-Version":"2.1.20","Precedence":"list","List-Id":"Kernel team discussions <kernel-team.lists.ubuntu.com>","List-Unsubscribe":"<https://lists.ubuntu.com/mailman/options/kernel-team>,\n <mailto:kernel-team-request@lists.ubuntu.com?subject=unsubscribe>","List-Archive":"<https://lists.ubuntu.com/archives/kernel-team>","List-Post":"<mailto:kernel-team@lists.ubuntu.com>","List-Help":"<mailto:kernel-team-request@lists.ubuntu.com?subject=help>","List-Subscribe":"<https://lists.ubuntu.com/mailman/listinfo/kernel-team>,\n <mailto:kernel-team-request@lists.ubuntu.com?subject=subscribe>","Content-Type":"text/plain; 
charset=\"utf-8\"","Content-Transfer-Encoding":"base64","Errors-To":"kernel-team-bounces@lists.ubuntu.com","Sender":"\"kernel-team\" <kernel-team-bounces@lists.ubuntu.com>"},"content":"From: Xiang Mei <xmei5@asu.edu>\n\nbond_xmit_broadcast() reuses the original skb for the last slave\n(determined by bond_is_last_slave()) and clones it for others.\nConcurrent slave enslave/release can mutate the slave list during\nRCU-protected iteration, changing which slave is \"last\" mid-loop.\nThis causes the original skb to be double-consumed (double-freed).\n\nReplace the racy bond_is_last_slave() check with a simple index\ncomparison (i + 1 == slaves_count) against the pre-snapshot slave\ncount taken via READ_ONCE() before the loop.  This preserves the\nzero-copy optimization for the last slave while making the \"last\"\ndetermination stable against concurrent list mutations.\n\nThe UAF can trigger the following crash:\n\n==================================================================\nBUG: KASAN: slab-use-after-free in skb_clone\nRead of size 8 at addr ffff888100ef8d40 by task exploit/147\n\nCPU: 1 UID: 0 PID: 147 Comm: exploit Not tainted 7.0.0-rc3+ #4 PREEMPTLAZY\nCall Trace:\n <TASK>\n dump_stack_lvl (lib/dump_stack.c:123)\n print_report (mm/kasan/report.c:379 mm/kasan/report.c:482)\n kasan_report (mm/kasan/report.c:597)\n skb_clone (include/linux/skbuff.h:1724 include/linux/skbuff.h:1792 include/linux/skbuff.h:3396 net/core/skbuff.c:2108)\n bond_xmit_broadcast (drivers/net/bonding/bond_main.c:5334)\n bond_start_xmit (drivers/net/bonding/bond_main.c:5567 drivers/net/bonding/bond_main.c:5593)\n dev_hard_start_xmit (include/linux/netdevice.h:5325 include/linux/netdevice.h:5334 net/core/dev.c:3871 net/core/dev.c:3887)\n __dev_queue_xmit (include/linux/netdevice.h:3601 net/core/dev.c:4838)\n ip6_finish_output2 (include/net/neighbour.h:540 include/net/neighbour.h:554 net/ipv6/ip6_output.c:136)\n ip6_finish_output (net/ipv6/ip6_output.c:208 net/ipv6/ip6_output.c:219)\n 
ip6_output (net/ipv6/ip6_output.c:250)\n ip6_send_skb (net/ipv6/ip6_output.c:1985)\n udp_v6_send_skb (net/ipv6/udp.c:1442)\n udpv6_sendmsg (net/ipv6/udp.c:1733)\n __sys_sendto (net/socket.c:730 net/socket.c:742 net/socket.c:2206)\n __x64_sys_sendto (net/socket.c:2209)\n do_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94)\n entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)\n </TASK>\n\nAllocated by task 147:\n\nFreed by task 147:\n\nThe buggy address belongs to the object at ffff888100ef8c80\n which belongs to the cache skbuff_head_cache of size 224\nThe buggy address is located 192 bytes inside of\n freed 224-byte region [ffff888100ef8c80, ffff888100ef8d60)\n\nMemory state around the buggy address:\n ffff888100ef8c00: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc\n ffff888100ef8c80: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n>ffff888100ef8d00: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc\n                                                    ^\n ffff888100ef8d80: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb\n ffff888100ef8e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n==================================================================\n\nFixes: 4e5bd03ae346 (\"net: bonding: fix bond_xmit_broadcast return value error bug\")\nReported-by: Weiming Shi <bestswngs@gmail.com>\nSigned-off-by: Xiang Mei <xmei5@asu.edu>\nLink: https://patch.msgid.link/20260326075553.3960562-1-xmei5@asu.edu\nSigned-off-by: Paolo Abeni <pabeni@redhat.com>\n(cherry picked from commit 2884bf72fb8f03409e423397319205de48adca16)\nCVE-2026-31419\nSigned-off-by: Tim Whisonant <tim.whisonant@canonical.com>\n---\n drivers/net/bonding/bond_main.c | 2 +-\n 1 file changed, 1 insertion(+), 1 deletion(-)","diff":"diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c\nindex e74a1fd34724a..90ea088db6c8e 100644\n--- a/drivers/net/bonding/bond_main.c\n+++ b/drivers/net/bonding/bond_main.c\n@@ -5409,7 +5409,7 @@ static netdev_tx_t 
bond_xmit_broadcast(struct sk_buff *skb,\n \t\tif (!(bond_slave_is_up(slave) && slave->link == BOND_LINK_UP))\n \t\t\tcontinue;\n \n-\t\tif (bond_is_last_slave(bond, slave)) {\n+\t\tif (i + 1 == slaves_count) {\n \t\t\tskb2 = skb;\n \t\t\tskb_used = true;\n \t\t} else {\n","prefixes":["SRU","Q","1/1"]}
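Review bot: in the bond_xmit_broadcast() hunk, the new `i + 1 == slaves_count` test sits after the `continue` taken for a slave that is not up, so when the entry at the last index is skipped no iteration takes the original skb and `skb_used` stays false. Please confirm that the code after the loop in the Q tree frees `skb` in that case, since that path is outside the hunk. The hunk also shows neither the declaration of `i` and `slaves_count` nor the READ_ONCE() snapshot the commit message refers to; with a diffstat of one insertion and one deletion they have to be present in the target tree already, which is worth stating in the SRU justification.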