CVE-2026-23310

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
25/03/2026
Last modified:
25/03/2026

Description

In the Linux kernel, the following vulnerability has been resolved:

bpf/bonding: reject vlan+srcmac xmit_hash_policy change when XDP is loaded

bond_option_mode_set() already rejects mode changes that would make a loaded XDP program incompatible via bond_xdp_check(). However, bond_option_xmit_hash_policy_set() has no such guard.

For 802.3ad and balance-xor modes, bond_xdp_check() returns false when xmit_hash_policy is vlan+srcmac, because the 802.1q payload is usually absent due to hardware offload. This means a user can:

1. Attach a native XDP program to a bond in 802.3ad/balance-xor mode with a compatible xmit_hash_policy (e.g. layer2+3).
2. Change xmit_hash_policy to vlan+srcmac while XDP remains loaded.

This leaves bond->xdp_prog set but bond_xdp_check() now returning false for the same device. When the bond is later destroyed, dev_xdp_uninstall() calls bond_xdp_set(dev, NULL, NULL) to remove the program, which hits the bond_xdp_check() guard and returns -EOPNOTSUPP, triggering:

    WARN_ON(dev_xdp_install(dev, mode, bpf_op, NULL, 0, NULL))

Fix this by rejecting xmit_hash_policy changes to vlan+srcmac when an XDP program is loaded on a bond in 802.3ad or balance-xor mode.

commit 39a0876d595b ("net, bonding: Disallow vlan+srcmac with XDP") introduced bond_xdp_check() which returns false for 802.3ad/balance-xor modes when xmit_hash_policy is vlan+srcmac. The check was wired into bond_xdp_set() to reject XDP attachment with an incompatible policy, but the symmetric path -- preventing xmit_hash_policy from being changed to an incompatible value after XDP is already loaded -- was left unguarded in bond_option_xmit_hash_policy_set().

Note:
commit 094ee6017ea0 ("bonding: check xdp prog when set bond mode") later added a similar guard to bond_option_mode_set(), but bond_option_xmit_hash_policy_set() remained unprotected.
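The state inconsistency described above, as an added example: a simplified user-space C model, not kernel code and not taken from the fix commit. All `model_*` names, the enums and the struct are hypothetical, and the error code returned by the guarded setter is an assumption.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
/* Simplified user-space model; not the kernel's own structures or code. */
enum mode { MODE_ACTIVE_BACKUP, MODE_XOR, MODE_8023AD };
enum policy { POLICY_LAYER2_3, POLICY_VLAN_SRCMAC };
struct bond_model { enum mode mode; enum policy policy; const void *xdp_prog; };

/* Rule the advisory gives for bond_xdp_check(). */
static bool model_xdp_check(const struct bond_model *b)
{
    bool hashed = b->mode == MODE_XOR || b->mode == MODE_8023AD;
    return !(hashed && b->policy == POLICY_VLAN_SRCMAC);
}

/* Attach (prog != NULL) or detach (prog == NULL); guarded in both cases. */
static int model_xdp_set(struct bond_model *b, const void *prog)
{
    if (!model_xdp_check(b))
        return -EOPNOTSUPP;
    b->xdp_prog = prog;
    return 0;
}

/* Policy setter; guarded == true models the behaviour after the fix. */
static int model_policy_set(struct bond_model *b, enum policy p, bool guarded)
{
    struct bond_model next = *b;
    next.policy = p;
    if (guarded && b->xdp_prog && !model_xdp_check(&next))
        return -EOPNOTSUPP; /* error code is an assumption of this model */
    b->policy = p;
    return 0;
}

/* Runs the advisory's sequence and returns the result of the final detach. */
static int model_teardown_result(bool guarded)
{
    static const int prog = 1; /* stand-in for a loaded XDP program */
    struct bond_model b = { MODE_8023AD, POLICY_LAYER2_3, NULL };
    model_xdp_set(&b, &prog);
    model_policy_set(&b, POLICY_VLAN_SRCMAC, guarded);
    return model_xdp_set(&b, NULL); /* the call dev_xdp_uninstall() makes */
}
int main(void)
{
    printf("unguarded=%d guarded=%d\n", model_teardown_result(false), model_teardown_result(true));
    return 0;
}
```

With the unguarded setter the final detach fails, which is the condition that trips the WARN_ON in the kernel; with the guarded setter the policy change is refused and the detach succeeds.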

Impact