From: Kota Toda
To: Kota Toda, Jay Vosburgh, Andy Gospodarek, Andrew Lunn, "David S. Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni, Simon Horman
Cc: linux-kernel@vger.kernel.org, netdev@vger.kernel.org, Yuki Koike
Subject: [PATCH 1/2] net: bonding: fix type-confusion in bonding header_ops
Date: Thu, 5 Mar 2026 18:27:03 +0900
Message-ID: <20260305092706.145085-2-kota.toda@gmo-cybersecurity.com>
In-Reply-To: <20260305092706.145085-1-kota.toda@gmo-cybersecurity.com>

Add two members to struct bonding, bond_header_ops and header_slave_dev, to avoid type-confusion while keeping track of the slave's header_ops.

Signed-off-by: Kota Toda
Co-developed-by: Yuki Koike
Signed-off-by: Yuki Koike
---
 drivers/net/bonding/bond_main.c | 66 ++++++++++++++++++++++++++++++++-
 include/net/bonding.h | 5 +++
 2 files changed, 70 insertions(+), 1 deletion(-)

diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_mai= n.c index f17a170d1..2efad75ac 100644 --- a/drivers/net/bonding/bond_main.c +++ b/drivers/net/bonding/bond_main.c
@@ -1616,14 +1616,70 @@ static void bond_compute_features(struct bonding *b= ond) netdev_change_features(bond_dev); } +static int bond_hard_header(struct sk_buff *skb, struct net_device *dev, + unsigned short type, const void *daddr, + const void *saddr, unsigned int len) +{ + struct bonding *bond =3D netdev_priv(dev); + struct net_device *slave_dev; + + slave_dev =3D bond->header_slave_dev; + + return dev_hard_header(skb, slave_dev, type, daddr, saddr, len); +} + +static void bond_header_cache_update(struct hh_cache *hh, const +struct net_device *dev, + const unsigned char *haddr) +{ + const struct bonding *bond =3D netdev_priv(dev); + void (*cache_update)(struct hh_cache *hh, + const struct net_device *dev, + const unsigned char *haddr); + struct net_device *slave_dev; + + slave_dev =3D bond->header_slave_dev; + cache_update =3D READ_ONCE(slave_dev->header_ops->cache_update); + if (!slave_dev->header_ops || !cache_update) + return; + + cache_update(hh, slave_dev, haddr); +} + static void bond_setup_by_slave(struct net_device *bond_dev, struct net_device *slave_dev) { + struct bonding *bond =3D netdev_priv(bond_dev); bool was_up =3D !!(bond_dev->flags & IFF_UP); dev_close(bond_dev); - bond_dev->header_ops =3D slave_dev->header_ops; + /* Some functions are given dev as an argument + * while others not. When dev is not given, we cannot + * find out what is the slave device through struct bonding + * (the private data of bond_dev). Therefore, we need a raw + * header_ops variable instead of its pointer to const header_ops + * and assign slave's functions directly. + * For the other case, we set the wrapper functions that pass + * slave_dev to the wrapped functions. 
+ */ + bond->bond_header_ops.create =3D bond_hard_header; + bond->bond_header_ops.cache_update =3D bond_header_cache_update; + if (slave_dev->header_ops) { + WRITE_ONCE(bond->bond_header_ops.parse, slave_dev->header_ops->parse); + WRITE_ONCE(bond->bond_header_ops.cache, slave_dev->header_ops->cache); + WRITE_ONCE(bond->bond_header_ops.validate, slave_dev->header_ops->valida= te); + WRITE_ONCE(bond->bond_header_ops.parse_protocol, + slave_dev->header_ops->parse_protocol); + } else { + WRITE_ONCE(bond->bond_header_ops.parse, NULL); + WRITE_ONCE(bond->bond_header_ops.cache, NULL); + WRITE_ONCE(bond->bond_header_ops.validate, NULL); + WRITE_ONCE(bond->bond_header_ops.parse_protocol, NULL); + } + + WRITE_ONCE(bond_dev->header_ops, &bond->bond_header_ops); + bond->header_slave_dev =3D slave_dev; bond_dev->type =3D slave_dev->type; bond_dev->hard_header_len =3D slave_dev->hard_header_len; @@ -2682,6 +2738,14 @@ static int bond_release_and_destroy(struct net_devic= e *bond_dev, struct bonding *bond =3D netdev_priv(bond_dev); int ret; + /* If slave_dev is the earliest registered one, we must clear + * the variables related to header_ops to avoid dangling pointer. + */ + if (bond->header_slave_dev =3D=3D slave_dev) { + WRITE_ONCE(bond_dev->header_ops, NULL); + bond->header_slave_dev =3D NULL; + } + ret =3D __bond_release_one(bond_dev, slave_dev, false, true); if (ret =3D=3D 0 && !bond_has_slaves(bond) && bond_dev->reg_state !=3D NETREG_UNREGISTERING) { diff --git a/include/net/bonding.h b/include/net/bonding.h index 95f67b308..cf8206187 100644 --- a/include/net/bonding.h +++ b/include/net/bonding.h 
@@ -215,6 +215,11 @@ struct bond_ipsec { */ struct bonding { struct net_device *dev; /* first - useful for panic debug */ + struct net_device *header_slave_dev; /* slave net_device for header_op= s */ + /* maintained as a non-const variable + * because bond's header_ops should change depending on slaves. + */ + struct header_ops bond_header_ops; struct slave __rcu *curr_active_slave; struct slave __rcu *current_arp_slave; struct slave __rcu *primary_slave; -- 2.53.0
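
Review bot: In bond_header_cache_update() (first hunk of bond_main.c) the NULL check comes after the dereference: `cache_update = READ_ONCE(slave_dev->header_ops->cache_update);` runs before `if (!slave_dev->header_ops || !cache_update)`, so a slave without header_ops faults before the guard is reached, even though bond_setup_by_slave() in the same hunk explicitly handles slave_dev->header_ops being NULL. Load slave_dev->header_ops into a local, test it, and only then read cache_update. Both wrappers also read bond->header_slave_dev with a plain load and no NULL check, while the release hunk in this patch sets it to NULL; bond_hard_header() would hand that NULL to dev_hard_header(). Use READ_ONCE for the loads, WRITE_ONCE for the store in bond_setup_by_slave(), and return early when slave_dev is NULL.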
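
Review bot: In the bond_release_and_destroy() hunk (second hunk of bond_main.c), header_ops and header_slave_dev are cleared before __bond_release_one() is called and regardless of its result, so when ret is non-zero the slave stays attached while the bond has lost its header_ops. Clear them only after a successful release, or do it inside __bond_release_one() so that any other caller of that function gets the same cleanup. Nothing in the visible lines makes a reader that already loaded `&bond->bond_header_ops` finish before `bond->header_slave_dev = NULL;` takes effect, so please state in the comment what ordering or grace period the wrappers rely on. The comment's "earliest registered one" also does not match the test, which compares against whichever slave bond_setup_by_slave() last stored.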
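
Review bot: In the include/net/bonding.h hunk, header_slave_dev is added as a bare `struct net_device *` with no lifetime or locking rule, while the neighbouring slave pointers in struct bonding carry `__rcu`. Document which lock or RCU section protects it and whether the bond holds a reference on the slave device while the pointer is set, or annotate it `__rcu` and access it through the RCU helpers. The comment block between the two new members describes bond_header_ops but sits directly under header_slave_dev; give each member its own comment so it is clear which one "maintained as a non-const variable" refers to.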