cve/published/2025/CVE-2025-22105.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-1.2.0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@kernel.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2025-22105: bonding: check xdp prog when set bond mode

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 bonding: check xdp prog when set bond mode

 Following operations can trigger a warning[1]:

     ip netns add ns1
     ip netns exec ns1 ip link add bond0 type bond mode balance-rr
     ip netns exec ns1 ip link set dev bond0 xdp obj af_xdp_kern.o sec xdp
     ip netns exec ns1 ip link set bond0 type bond mode broadcast
     ip netns del ns1

 When delete the namespace, dev_xdp_uninstall() is called to remove xdp
 program on bond dev, and bond_xdp_set() will check the bond mode. If bond
 mode is changed after attaching xdp program, the warning may occur.

 Some bond modes (broadcast, etc.) do not support native xdp. Set bond mode
 with xdp program attached is not good. Add check for xdp program when set
 bond mode.

     [1]
     ------------[ cut here ]------------
     WARNING: CPU: 0 PID: 11 at net/core/dev.c:9912 unregister_netdevice_many_notify+0x8d9/0x930
     Modules linked in:
     CPU: 0 UID: 0 PID: 11 Comm: kworker/u4:0 Not tainted 6.14.0-rc4 #107
     Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.15.0-0-g2dd4b9b3f840-prebuilt.qemu.org 04/01/2014
     Workqueue: netns cleanup_net
     RIP: 0010:unregister_netdevice_many_notify+0x8d9/0x930
     Code: 00 00 48 c7 c6 6f e3 a2 82 48 c7 c7 d0 b3 96 82 e8 9c 10 3e ...
     RSP: 0018:ffffc90000063d80 EFLAGS: 00000282
     RAX: 00000000ffffffa1 RBX: ffff888004959000 RCX: 00000000ffffdfff
     RDX: 0000000000000000 RSI: 00000000ffffffea RDI: ffffc90000063b48
     RBP: ffffc90000063e28 R08: ffffffff82d39b28 R09: 0000000000009ffb
     R10: 0000000000000175 R11: ffffffff82d09b40 R12: ffff8880049598e8
     R13: 0000000000000001 R14: dead000000000100 R15: ffffc90000045000
     FS:  0000000000000000(0000) GS:ffff888007a00000(0000) knlGS:0000000000000000
     CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
     CR2: 000000000d406b60 CR3: 000000000483e000 CR4: 00000000000006f0
     Call Trace:
      <TASK>
      ? __warn+0x83/0x130
      ? unregister_netdevice_many_notify+0x8d9/0x930
      ? report_bug+0x18e/0x1a0
      ? handle_bug+0x54/0x90
      ? exc_invalid_op+0x18/0x70
      ? asm_exc_invalid_op+0x1a/0x20
      ? unregister_netdevice_many_notify+0x8d9/0x930
      ? bond_net_exit_batch_rtnl+0x5c/0x90
      cleanup_net+0x237/0x3d0
      process_one_work+0x163/0x390
      worker_thread+0x293/0x3b0
      ? __pfx_worker_thread+0x10/0x10
      kthread+0xec/0x1e0
      ? __pfx_kthread+0x10/0x10
      ? __pfx_kthread+0x10/0x10
      ret_from_fork+0x2f/0x50
      ? __pfx_kthread+0x10/0x10
      ret_from_fork_asm+0x1a/0x30
      </TASK>
     ---[ end trace 0000000000000000 ]---

 The Linux kernel CVE team has assigned CVE-2025-22105 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.15 with commit 9e2ee5c7e7c35d195e2aa0692a7241d47a433d1e and fixed in 6.14.2 with commit 0dd4fac43bdea23cfe4bb2a3eabb76d752ac32fb
 	Issue introduced in 5.15 with commit 9e2ee5c7e7c35d195e2aa0692a7241d47a433d1e and fixed in 6.15 with commit 094ee6017ea09c11d6af187935a949df32803ce0

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2025-22105
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/net/bonding/bond_main.c
 	drivers/net/bonding/bond_options.c
 	include/net/bonding.h


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/0dd4fac43bdea23cfe4bb2a3eabb76d752ac32fb
 	https://git.kernel.org/stable/c/094ee6017ea09c11d6af187935a949df32803ce0
	From bippy-1.2.0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@kernel.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2025-22105: bonding: check xdp prog when set bond mode

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	bonding: check xdp prog when set bond mode

	Following operations can trigger a warning[1]:

	ip netns add ns1
	ip netns exec ns1 ip link add bond0 type bond mode balance-rr
	ip netns exec ns1 ip link set dev bond0 xdp obj af_xdp_kern.o sec xdp
	ip netns exec ns1 ip link set bond0 type bond mode broadcast
	ip netns del ns1

	When delete the namespace, dev_xdp_uninstall() is called to remove xdp
	program on bond dev, and bond_xdp_set() will check the bond mode. If bond
	mode is changed after attaching xdp program, the warning may occur.

	Some bond modes (broadcast, etc.) do not support native xdp. Set bond mode
	with xdp program attached is not good. Add check for xdp program when set
	bond mode.

	[1]
	------------[ cut here ]------------
	WARNING: CPU: 0 PID: 11 at net/core/dev.c:9912 unregister_netdevice_many_notify+0x8d9/0x930
	Modules linked in:
	CPU: 0 UID: 0 PID: 11 Comm: kworker/u4:0 Not tainted 6.14.0-rc4 #107
	Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.15.0-0-g2dd4b9b3f840-prebuilt.qemu.org 04/01/2014
	Workqueue: netns cleanup_net
	RIP: 0010:unregister_netdevice_many_notify+0x8d9/0x930
	Code: 00 00 48 c7 c6 6f e3 a2 82 48 c7 c7 d0 b3 96 82 e8 9c 10 3e ...
	RSP: 0018:ffffc90000063d80 EFLAGS: 00000282
	RAX: 00000000ffffffa1 RBX: ffff888004959000 RCX: 00000000ffffdfff
	RDX: 0000000000000000 RSI: 00000000ffffffea RDI: ffffc90000063b48
	RBP: ffffc90000063e28 R08: ffffffff82d39b28 R09: 0000000000009ffb
	R10: 0000000000000175 R11: ffffffff82d09b40 R12: ffff8880049598e8
	R13: 0000000000000001 R14: dead000000000100 R15: ffffc90000045000
	FS: 0000000000000000(0000) GS:ffff888007a00000(0000) knlGS:0000000000000000
	CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
	CR2: 000000000d406b60 CR3: 000000000483e000 CR4: 00000000000006f0
	Call Trace:
	<TASK>
	? __warn+0x83/0x130
	? unregister_netdevice_many_notify+0x8d9/0x930
	? report_bug+0x18e/0x1a0
	? handle_bug+0x54/0x90
	? exc_invalid_op+0x18/0x70
	? asm_exc_invalid_op+0x1a/0x20
	? unregister_netdevice_many_notify+0x8d9/0x930
	? bond_net_exit_batch_rtnl+0x5c/0x90
	cleanup_net+0x237/0x3d0
	process_one_work+0x163/0x390
	worker_thread+0x293/0x3b0
	? __pfx_worker_thread+0x10/0x10
	kthread+0xec/0x1e0
	? __pfx_kthread+0x10/0x10
	? __pfx_kthread+0x10/0x10
	ret_from_fork+0x2f/0x50
	? __pfx_kthread+0x10/0x10
	ret_from_fork_asm+0x1a/0x30
	</TASK>
	---[ end trace 0000000000000000 ]---

	The Linux kernel CVE team has assigned CVE-2025-22105 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.15 with commit 9e2ee5c7e7c35d195e2aa0692a7241d47a433d1e and fixed in 6.14.2 with commit 0dd4fac43bdea23cfe4bb2a3eabb76d752ac32fb
	Issue introduced in 5.15 with commit 9e2ee5c7e7c35d195e2aa0692a7241d47a433d1e and fixed in 6.15 with commit 094ee6017ea09c11d6af187935a949df32803ce0

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2025-22105
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/net/bonding/bond_main.c
	drivers/net/bonding/bond_options.c
	include/net/bonding.h


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/0dd4fac43bdea23cfe4bb2a3eabb76d752ac32fb
	https://git.kernel.org/stable/c/094ee6017ea09c11d6af187935a949df32803ce0