APPLIED: [SRU][J/N/Q][PATCH 0/1] CVE-2026-31419

Edoardo Canepa edoardo.canepa at canonical.com
Fri May 8 15:15:51 UTC 2026 

Applied to J/N/Q:linux/master-next. Thanks.

On 4/23/26 22:48, Tim Whisonant wrote:
> SRU Justification:
>
> [Impact]
>
> net: bonding: fix use-after-free in bond_xmit_broadcast()
>
> bond_xmit_broadcast() reuses the original skb for the last slave
> (determined by bond_is_last_slave()) and clones it for others.
> Concurrent slave enslave/release can mutate the slave list during
> RCU-protected iteration, changing which slave is "last" mid-loop.
> This causes the original skb to be double-consumed (double-freed).
>
> Replace the racy bond_is_last_slave() check with a simple index
> comparison (i + 1 == slaves_count) against the pre-snapshot slave
> count taken via READ_ONCE() before the loop.  This preserves the
> zero-copy optimization for the last slave while making the "last"
> determination stable against concurrent list mutations.
>
> The UAF can trigger the following crash:
>
> ==================================================================
> BUG: KASAN: slab-use-after-free in skb_clone
> Read of size 8 at addr ffff888100ef8d40 by task exploit/147
>
> CPU: 1 UID: 0 PID: 147 Comm: exploit Not tainted 7.0.0-rc3+ #4 PREEMPTLAZY
> Call Trace:
>   <TASK>
>   dump_stack_lvl (lib/dump_stack.c:123)
>   print_report (mm/kasan/report.c:379 mm/kasan/report.c:482)
>   kasan_report (mm/kasan/report.c:597)
>   skb_clone (include/linux/skbuff.h:1724 include/linux/skbuff.h:1792 include/linux/skbuff.h:3396 net/core/skbuff.c:2108)
>   bond_xmit_broadcast (drivers/net/bonding/bond_main.c:5334)
>   bond_start_xmit (drivers/net/bonding/bond_main.c:5567 drivers/net/bonding/bond_main.c:5593)
>   dev_hard_start_xmit (include/linux/netdevice.h:5325 include/linux/netdevice.h:5334 net/core/dev.c:3871 net/core/dev.c:3887)
>   __dev_queue_xmit (include/linux/netdevice.h:3601 net/core/dev.c:4838)
>   ip6_finish_output2 (include/net/neighbour.h:540 include/net/neighbour.h:554 net/ipv6/ip6_output.c:136)
>   ip6_finish_output (net/ipv6/ip6_output.c:208 net/ipv6/ip6_output.c:219)
>   ip6_output (net/ipv6/ip6_output.c:250)
>   ip6_send_skb (net/ipv6/ip6_output.c:1985)
>   udp_v6_send_skb (net/ipv6/udp.c:1442)
>   udpv6_sendmsg (net/ipv6/udp.c:1733)
>   __sys_sendto (net/socket.c:730 net/socket.c:742 net/socket.c:2206)
>   __x64_sys_sendto (net/socket.c:2209)
>   do_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94)
>   entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
>   </TASK>
>
> Allocated by task 147:
>
> Freed by task 147:
>
> The buggy address belongs to the object at ffff888100ef8c80
>   which belongs to the cache skbuff_head_cache of size 224
> The buggy address is located 192 bytes inside of
>   freed 224-byte region [ffff888100ef8c80, ffff888100ef8d60)
>
> Memory state around the buggy address:
>   ffff888100ef8c00: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
>   ffff888100ef8c80: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>> ffff888100ef8d00: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
>                                                      ^
>   ffff888100ef8d80: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
>   ffff888100ef8e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> ==================================================================
>
> [Fix]
>
> Questing: cherry picked from upstream
> Noble:    applied Jammy patch
> Jammy:    backported from upstream
> Focal:    not affected
> Bionic:   not affected
> Xenial:   not affected
> Trusty:   not affected
>
> [Test Plan]
>
> Compile and boot tested.
>
> [Where problems could occur]
>
> The change affects the network bonding driver's broadcast
> mechanism. Issues might appear as missed messages or
> duplicated messages to network interfaces.
>
> Xiang Mei (1):
>    net: bonding: fix use-after-free in bond_xmit_broadcast()
>
>   drivers/net/bonding/bond_main.c | 12 ++++++++----
>   1 file changed, 8 insertions(+), 4 deletions(-)
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_0x20F88172E14F6784.asc
Type: application/pgp-keys
Size: 3167 bytes
Desc: OpenPGP public key
URL: <https://lists.ubuntu.com/archives/kernel-team/attachments/20260508/0bd795e4/attachment.key>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature.asc
Type: application/pgp-signature
Size: 840 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/kernel-team/attachments/20260508/0bd795e4/attachment.sig>

More information about the kernel-team mailing list