CVE-2026-45970 in Linux
Summary
by VulDB • 31.05.2026
Based on the kernel log and the description provided, this is a **use-after-free race condition** in the Linux kernel's bonding driver, specifically in its RLB (Receive Load Balancing) path, which is only active when the bond runs in `balance-alb` mode.
### Problem Analysis
1. **Race Condition**:
   * `rlb_deinitialize()` frees `rx_hashtbl` (the receive hash table).
   * Concurrently, `rlb_arp_recv()` (invoked from the receive path for incoming ARP packets) may still be accessing `rx_hashtbl`.
   * This leads to a kernel oops or panic when `rlb_arp_recv()` dereferences the freed memory.
2. **Trigger**:
   * Repeatedly bringing a `balance-alb` bond interface up and down (`ip link set bond0 up` / `ip link set bond0 down`) while ARP traffic is arriving on its slaves.
3. **Root Cause**:
   * The `recv_probe` callback is not properly synchronized with the cleanup routine. The receive path reads `recv_probe` lock-free inside the RCU-protected packet-receive context, so a CPU that has already read the old value and entered `rlb_arp_recv()` is not stopped by a later `recv_probe = NULL` store. Pending softirq or NAPI poll contexts can therefore still be executing the old handler while the table is being freed.
### Solution
The fix involves ensuring that **all** pending network receive processing has completed before freeing `rx_hashtbl`. This is achieved by:
1. Setting `recv_probe` to `NULL`, so that newly received ARP packets are no longer dispatched to the RLB handler.
2. Calling `synchronize_net()` to wait until every currently running NAPI poll context and softirq that may have entered the old handler has finished.
3. Only then freeing `rx_hashtbl`.
### Patch Implementation
Here is the shape of the fix applied to the Linux kernel bonding driver (`drivers/net/bonding/bond_alb.c`), reconstructed from the description above; the ordering of the three steps is the point, the elided parts are the existing teardown code:
```c
static void bond_alb_deinitialize(struct bonding *bond)
{
	struct alb_bond_info *bond_info = &bond->alb_info;

	/* ... existing TLB teardown ... */

	/* Disable RLB */
	bond_info->rlb_enabled = 0;

	/*
	 * Fix: ensure no concurrent RX processing is accessing rx_hashtbl.
	 * Clear recv_probe first so that newly received ARP packets are no
	 * longer dispatched to rlb_arp_recv().
	 */
	bond->recv_probe = NULL;

	/*
	 * Wait for all in-flight NAPI poll and softirq RX processing to
	 * complete. Any rlb_arp_recv() call that had already read the old
	 * recv_probe value has exited by the time this returns.
	 */
	synchronize_net();

	/*
	 * Now it is safe to free rx_hashtbl. kfree_rcu() requires a
	 * struct rcu_head member (here named rcu) in the table object;
	 * after synchronize_net() a plain kfree() is sufficient.
	 */
	if (bond_info->rx_hashtbl) {
		kfree_rcu(bond_info->rx_hashtbl, rcu);
		bond_info->rx_hashtbl = NULL;
	}

	/* ... rest of deinitialization ... */
}
```
### Key Points
- **`recv_probe = NULL`**: Prevents new ARP packets from being handled by the RLB logic. On its own it is not enough: a CPU that read the old pointer before the store is already inside `rlb_arp_recv()`.
- **`synchronize_net()`**: Waits for an RCU grace period (`synchronize_rcu()`, or `synchronize_rcu_expedited()` when RTNL is held). Because packet receive processing runs inside an RCU read-side critical section, this guarantees that every code path that was already in `rlb_arp_recv()` has exited before the memory is freed. It must sleep, so it can only be called from process context.
- **RCU Usage**: `rx_hashtbl` can additionally be freed with `kfree_rcu()` so that any remaining RCU read-side critical sections complete first, although after `synchronize_net()` this is belt-and-braces; the grace-period wait is the primary safeguard for the NAPI context.
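The ordering matters more than the individual calls, so here is an added userspace model of the race and of the fix. It is example code written for this page, not kernel code and not the upstream patch: `struct bond_model`, the poison value, and the reader counter that stands in for an RCU grace period are constructed stand-ins, and "freeing" the table is modelled by poisoning its marker instead of calling `free()` so that the use-after-free is observable without undefined behaviour. `buggy_interleaving()` replays the bad ordering as one deterministic interleaving; `fixed_interleaving()` runs a real concurrent reader that has already passed the `recv_probe` check when teardown starts, and shows that the grace-period wait, not the `NULL` store, is what protects it.

```c
#define _POSIX_C_SOURCE 200809L
#include <pthread.h>
#include <stdatomic.h>
#include <stdbool.h>
#include <stddef.h>

#define TBL_MAGIC  0x524c4231u  /* constructed "live table" marker */
#define TBL_POISON 0x6b6b6b6bu  /* constructed stand-in for freed memory */

/* Stand-in for the RLB receive hash table. */
struct rx_hashtbl {
	unsigned int magic;
	unsigned int nentries;
};

/* Stand-in for the fields of struct bonding that matter here. */
struct bond_model {
	_Atomic(struct rx_hashtbl *) rx_hashtbl;  /* alb_info.rx_hashtbl */
	atomic_bool recv_probe;                   /* recv_probe != NULL, modelled as a flag */
	atomic_int readers_in_flight;             /* models RCU read-side critical sections */
};

/* First half of the receive path (bond_handle_frame): enter the RCU-protected
 * RX context, check recv_probe and load the table pointer. Returns NULL when
 * RLB is already disabled, otherwise the pointer the handler will use. */
static struct rx_hashtbl *rx_enter(struct bond_model *b)
{
	atomic_fetch_add(&b->readers_in_flight, 1);        /* rcu_read_lock() */
	if (!atomic_load(&b->recv_probe)) {
		atomic_fetch_sub(&b->readers_in_flight, 1);  /* rcu_read_unlock() */
		return NULL;
	}
	return atomic_load(&b->rx_hashtbl);
}

/* Second half (rlb_arp_recv): dereference the table, then leave the RX
 * context. Returns true if the handler touched poisoned (freed) memory. */
static bool rx_finish(struct bond_model *b, struct rx_hashtbl *tbl)
{
	bool uaf = tbl != NULL && tbl->magic != TBL_MAGIC;

	atomic_fetch_sub(&b->readers_in_flight, 1);        /* rcu_read_unlock() */
	return uaf;
}

/* synchronize_net() stand-in: block until every reader that entered before
 * this call has left. A busy spin is fine for a demo. */
static void grace_period(struct bond_model *b)
{
	while (atomic_load(&b->readers_in_flight) > 0)
		;
}

/* Teardown. wait_for_readers == false is the buggy ordering (clear recv_probe
 * and free immediately); true is the fixed ordering (clear recv_probe, wait a
 * grace period, then free). */
static void rlb_deinit_model(struct bond_model *b, bool wait_for_readers)
{
	struct rx_hashtbl *tbl;

	atomic_store(&b->recv_probe, false);                /* bond->recv_probe = NULL */
	if (wait_for_readers)
		grace_period(b);                             /* synchronize_net() */
	tbl = atomic_exchange(&b->rx_hashtbl, (struct rx_hashtbl *)NULL);
	if (tbl)
		tbl->magic = TBL_POISON;                     /* kfree(rx_hashtbl) */
}

/* Buggy ordering as one deterministic interleaving: an ARP packet has passed
 * the recv_probe check and holds the table pointer when teardown runs.
 * Returns true (use after free observed). */
bool buggy_interleaving(void)
{
	struct rx_hashtbl tbl = { TBL_MAGIC, 0 };
	struct bond_model b = { &tbl, true, 0 };
	struct rx_hashtbl *held = rx_enter(&b);          /* packet in flight */

	rlb_deinit_model(&b, false);                     /* "ip link set bond0 down" */
	return rx_finish(&b, held);                      /* handler dereferences freed table */
}

struct reader_args {
	struct bond_model *b;
	atomic_bool loaded;
	bool uaf;
};

static void *reader_thread(void *p)
{
	struct reader_args *a = p;
	struct rx_hashtbl *held = rx_enter(a->b);

	atomic_store(&a->loaded, true);   /* tell the writer we already hold the pointer */
	a->uaf = rx_finish(a->b, held);
	return NULL;
}

/* Fixed ordering with a real concurrent reader. Returns 0 when the reader saw
 * live memory and the table was freed afterwards; bit 0 set means the reader
 * saw freed memory, bit 1 set means the table was never freed. */
int fixed_interleaving(void)
{
	struct rx_hashtbl tbl = { TBL_MAGIC, 0 };
	struct bond_model b = { &tbl, true, 0 };
	struct reader_args a = { &b, false, true };
	pthread_t t;

	if (pthread_create(&t, NULL, reader_thread, &a) != 0)
		return -1;
	while (!atomic_load(&a.loaded))
		;                                            /* reader is past the recv_probe check */
	rlb_deinit_model(&b, true);                      /* blocks in grace_period() until reader exits */
	pthread_join(t, NULL);
	return (a.uaf ? 1 : 0) | (tbl.magic == TBL_POISON ? 0 : 2);
}
```

Build with `cc -pthread` on glibc older than 2.34. The reader counter is a deliberately simplified grace-period mechanism; real RCU tracks quiescent states per CPU rather than counting readers, but the contract the teardown relies on is the same: everything that entered before the wait has left when it returns.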
### Verification
To verify the fix:
1. Apply the patch to the kernel source.
2. Rebuild and boot the kernel.
3. Configure a bond in `balance-alb` mode (RLB is only active there) and run the reproducer while ARP traffic is flowing, for example from a neighbour on the same segment sending `arping` to the bond's address:
```bash
# Flap the bond while ARP traffic keeps arriving on its slaves.
# Stop with Ctrl-C; check dmesg afterwards.
while true; do
    ip link set bond0 down
    ip link set bond0 up
done
```
4. Monitor `dmesg` for oops or panic messages referencing `rlb_arp_recv`. With the fix in place the race no longer occurs.