Linux Kernel Bonding Driver XDP Program Mode Conflict Vulnerability

Vulnerability

A vulnerability exists in the Linux kernel's bonding driver in its handling of XDP (eXpress Data Path) programs when the bond mode is changed. Some bond modes, such as broadcast, do not support native XDP. When an XDP program is attached to a bond interface and the bond mode is then changed to one that does not support XDP, the kernel emits a warning. The issue can be reproduced by creating a network namespace, adding a bonded interface with an XDP program attached, changing the bond mode to broadcast, and then deleting the namespace: the namespace teardown removes the XDP program, but because the bond is now in an unsupported mode, that removal triggers the conflict.

Impact

The vulnerability can lead to a warning being triggered during the network namespace cleanup process, indicating a conflict between the attached XDP program and the current bond mode.

Reproduction

To reproduce this vulnerability, first create a new network namespace. Then, within that namespace, create a bonded interface (bond0) and set its mode to 'balance-rr'. After that, attach an XDP program to the bond interface. Next, change the bond mode to 'broadcast', which is incompatible with the attached XDP program. Finally, delete the network namespace. During the cleanup process, a warning will be triggered, indicating that the bond mode change has caused a conflict with the XDP program.

Remediation

The vulnerability has been addressed in the Linux kernel by adding a check for attached XDP programs before allowing a change to certain bond modes that do not support XDP.
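A minimal C model of the invariant the fix enforces, as an added illustration that is not the kernel's bonding code (mode names, the supported-mode list and the function names are assumptions): the "does this mode support XDP" check has to run both when a program is attached and when the mode is changed, otherwise a bond can end up in a mode that cannot run the program it still holds.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>

/* Illustrative model only; names and the mode list are assumptions, not
 * the kernel's definitions. */
enum bond_mode { MODE_BALANCE_RR, MODE_ACTIVE_BACKUP, MODE_BROADCAST };

struct bond {
    enum bond_mode mode;
    const void *xdp_prog;   /* NULL when no XDP program is attached */
};

/* Modes in which the bond can run native XDP (assumed subset). */
static bool mode_supports_xdp(enum bond_mode mode)
{
    switch (mode) {
    case MODE_BALANCE_RR:
    case MODE_ACTIVE_BACKUP:
        return true;
    default:                /* e.g. broadcast: no native XDP */
        return false;
    }
}

/* Attach side: refuse a program while the current mode cannot run it. */
int bond_attach_xdp(struct bond *b, const void *prog)
{
    if (prog && !mode_supports_xdp(b->mode))
        return -EOPNOTSUPP;
    b->xdp_prog = prog;     /* NULL detaches */
    return 0;
}

/* Mode-change side: the guard the fix adds. Without the xdp_prog test a
 * bond holding a program could be switched to broadcast, and the broken
 * state would only surface as a warning at teardown. */
int bond_set_mode(struct bond *b, enum bond_mode new_mode)
{
    if (b->xdp_prog && !mode_supports_xdp(new_mode))
        return -EOPNOTSUPP;
    b->mode = new_mode;
    return 0;
}

/* The invariant both paths protect: a program is only held in an
 * XDP-capable mode. */
bool bond_state_ok(const struct bond *b)
{
    return b->xdp_prog == NULL || mode_supports_xdp(b->mode);
}
```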

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 2.5
exploitability: 5.7
remediation: 0.0
relevance: 0.0
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.