CVE-2026-23276

In the Linux kernel, the following vulnerability has been resolved:

net: add xmit recursion limit to tunnel xmit functions

Tunnel xmit functions (iptunnelxmit, ip6tunnelxmit) lack their own recursion limit. When a bond device in broadcast mode has GRE tap interfaces as slaves, and those GRE tunnels route back through the bond, multicast/broadcast traffic triggers infinite recursion between bondxmitbroadcast() and iptunnelxmit()/ip6tnlxmit(), causing kernel stack overflow.

The existing XMITRECURSIONLIMIT (8) in the no-qdisc path is not sufficient because tunnel recursion involves route lookups and full IP output, consuming much more stack per level. Use a lower limit of 4 (IPTUNNELRECURSION_LIMIT) to prevent overflow.

Add recursion detection using devxmitrecursion helpers directly in iptunnelxmit() and ip6tunnelxmit() to cover all IPv4/IPv6 tunnel paths including UDP encapsulated tunnels (VXLAN, Geneve, etc.).

Move devxmitrecursion helpers from net/core/dev.h to public header include/linux/netdevice.h so they can be used by tunnel code.

BUG: KASAN: stack-out-of-bounds in blake2s.constprop.0+0xe7/0x160 Write of size 32 at addr ffff88810033fed0 by task kworker/0:1/11 Workqueue: mld mldifcwork Call Trace: <TASK> __buildflowkey.constprop.0 (net/ipv4/route.c:515) iprtupdatepmtu (net/ipv4/route.c:1073) iptunnelxmit (net/ipv4/iptunnelcore.c:84) iptunnelxmit (net/ipv4/iptunnel.c:847) gretapxmit (net/ipv4/ipgre.c:779) devhardstartxmit (net/core/dev.c:3887) schdirectxmit (net/sched/schgeneric.c:347) __devqueuexmit (net/core/dev.c:4802) bonddevqueuexmit (drivers/net/bonding/bondmain.c:312) bondxmitbroadcast (drivers/net/bonding/bondmain.c:5279) bondstartxmit (drivers/net/bonding/bondmain.c:5530) devhardstart_xmit (net/core/dev.c:3887) __devqueuexmit (net/core/dev.c:4841) ipfinishoutput2 (net/ipv4/ipoutput.c:237) ipoutput (net/ipv4/ipoutput.c:438) iptunnelxmit (net/ipv4/iptunnelcore.c:86) gretapxmit (net/ipv4/ipgre.c:779) devhardstartxmit (net/core/dev.c:3887) schdirectxmit (net/sched/sch_generic.c:347) __devqueuexmit (net/core/dev.c:4802) bonddevqueuexmit (drivers/net/bonding/bondmain.c:312) bondxmitbroadcast (drivers/net/bonding/bondmain.c:5279) bondstartxmit (drivers/net/bonding/bondmain.c:5530) devhardstart_xmit (net/core/dev.c:3887) __devqueuexmit (net/core/dev.c:4841) ipfinishoutput2 (net/ipv4/ipoutput.c:237) ipoutput (net/ipv4/ipoutput.c:438) iptunnelxmit (net/ipv4/iptunnelcore.c:86) iptunnelxmit (net/ipv4/iptunnel.c:847) gretapxmit (net/ipv4/ipgre.c:779) devhardstartxmit (net/core/dev.c:3887) schdirectxmit (net/sched/schgeneric.c:347) __devqueuexmit (net/core/dev.c:4802) bond_devqueuexmit (drivers/net/bonding/bondmain.c:312) bondxmitbroadcast (drivers/net/bonding/bondmain.c:5279) bondstartxmit (drivers/net/bonding/bondmain.c:5530) devhardstartxmit (net/core/dev.c:3887) __devqueuexmit (net/core/dev.c:4841) mldsendpack mldifcwork processonework workerthread </TASK>