PT-2026-27675 · Linux · Linux

Published: 2026-03-25 · Updated: 2026-03-25 · CVE-2026-23310

No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
In the Linux kernel, the following vulnerability has been resolved:
bpf/bonding: reject vlan+srcmac xmit_hash_policy change when XDP is loaded

bond_option_mode_set() already rejects mode changes that would make a loaded XDP program incompatible via bond_xdp_check(). However, bond_option_xmit_hash_policy_set() has no such guard.

For 802.3ad and balance-xor modes, bond_xdp_check() returns false when xmit_hash_policy is vlan+srcmac, because the 802.1q payload is usually absent due to hardware offload. This means a user can:
  1. Attach a native XDP program to a bond in 802.3ad/balance-xor mode with a compatible xmit_hash_policy (e.g. layer2+3).
  2. Change xmit_hash_policy to vlan+srcmac while XDP remains loaded.

This leaves bond->xdp_prog set but bond_xdp_check() now returning false for the same device. When the bond is later destroyed, dev_xdp_uninstall() calls bond_xdp_set(dev, NULL, NULL) to remove the program, which hits the bond_xdp_check() guard and returns -EOPNOTSUPP, triggering:

  WARN_ON(dev_xdp_install(dev, mode, bpf_op, NULL, 0, NULL))

Fix this by rejecting xmit_hash_policy changes to vlan+srcmac when an XDP program is loaded on a bond in 802.3ad or balance-xor mode.

commit 39a0876d595b ("net, bonding: Disallow vlan+srcmac with XDP") introduced bond_xdp_check() which returns false for 802.3ad/balance-xor modes when xmit_hash_policy is vlan+srcmac. The check was wired into bond_xdp_set() to reject XDP attachment with an incompatible policy, but the symmetric path -- preventing xmit_hash_policy from being changed to an incompatible value after XDP is already loaded -- was left unguarded in bond_option_xmit_hash_policy_set().

Note: commit 094ee6017ea0 ("bonding: check xdp prog when set bond mode") later added a similar guard to bond_option_mode_set(), but bond_option_xmit_hash_policy_set() remained unprotected.
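
The state sequence described above, replayed in a small user-space C model (an added example, not kernel code and not the upstream patch). The struct, enum and function names are hypothetical stand-ins for the kernel functions named in the advisory, and the error code returned by the guarded policy setter is an assumption.

```c
/* Simplified user-space model of the guard logic; not kernel source. */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

enum bond_mode { MODE_ACTIVEBACKUP, MODE_XOR, MODE_8023AD };
enum hash_policy { POLICY_LAYER23, POLICY_VLAN_SRCMAC };
struct bond_model {
    enum bond_mode mode;
    enum hash_policy policy;
    const void *xdp_prog; /* non-NULL while an XDP program is attached */
};

/* Compatibility rule as the advisory describes bond_xdp_check(). */
static bool xdp_check(enum bond_mode mode, enum hash_policy policy) {
    if (mode == MODE_8023AD || mode == MODE_XOR)
        return policy != POLICY_VLAN_SRCMAC;
    return true; /* assumption: the other modeled mode is compatible */
}

/* Attach, or detach when prog is NULL; the check guards both paths. */
static int xdp_set(struct bond_model *b, const void *prog) {
    if (!xdp_check(b->mode, b->policy))
        return -EOPNOTSUPP;
    b->xdp_prog = prog;
    return 0;
}

/* guarded=true adds the check the fix introduces (error code assumed). */
static int policy_set(struct bond_model *b, enum hash_policy p, bool guarded) {
    if (guarded && b->xdp_prog && !xdp_check(b->mode, p))
        return -EOPNOTSUPP;
    b->policy = p;
    return 0;
}

/* Replays the advisory's sequence and returns the teardown detach result. */
static int teardown_result(bool guarded) {
    static const int prog = 1; /* constructed stand-in for a BPF program */
    struct bond_model b = { MODE_8023AD, POLICY_LAYER23, NULL };
    if (xdp_set(&b, &prog) != 0)
        return -EINVAL;
    policy_set(&b, POLICY_VLAN_SRCMAC, guarded);
    return xdp_set(&b, NULL); /* stands for bond_xdp_set(dev, NULL, NULL) */
}

int main(void) {
    printf("unguarded=%d guarded=%d\n", teardown_result(false), teardown_result(true));
    return 0;
}
```

With the guard disabled the teardown detach returns -EOPNOTSUPP, which is the condition that trips the WARN_ON; with it enabled the policy change is refused and the detach returns 0.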

Related Identifiers

CVE-2026-23310

Affected Products

Linux