From: Kota Toda
To: Jeff Garzik, Jay Vosburgh, Jay Vosburgh, Andy Gospodarek, Andrew Lunn, "David S. Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni, Simon Horman
Cc: Kota Toda, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, Yuki Koike
Subject: [PATCH v4 1/2] net: bonding: fix type-confusion in bonding header_ops
Date: Thu, 5 Mar 2026 20:07:48 +0900
Message-ID: <20260305110751.167489-2-kota.toda@gmo-cybersecurity.com>
In-Reply-To: <20260305110751.167489-1-kota.toda@gmo-cybersecurity.com>
References: <20260305110751.167489-1-kota.toda@gmo-cybersecurity.com>

In bond_setup_by_slave(), the slave’s header_ops are unconditionally copied into the bonding device. As a result, the bonding device may invoke the slave-specific header operations on itself, causing netdev_priv(bond_dev) (a struct bonding) to be incorrectly interpreted as the slave's private-data type.

This type-confusion bug can lead to out-of-bounds writes into the skb, resulting in memory corruption.

This patch stores the slave's header_ops in struct bonding and sets wrapper callbacks in bond_

Fixes: 1284cd3a2b74 ("bonding: two small fixes for IPoIB support")
Signed-off-by: Kota Toda
Co-developed-by: Yuki Koike
Signed-off-by: Yuki Koike
---
 drivers/net/bonding/bond_main.c | 67 ++++++++++++++++++++++++++++++++-
 include/net/bonding.h           |  5 +++
 2 files changed, 71 insertions(+), 1 deletion(-)
diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_mai= n.c index f17a170d1..14d3e5298 100644 --- a/drivers/net/bonding/bond_main.c +++ b/drivers/net/bonding/bond_main.c 
@@ -1616,14 +1616,71 @@ static void bond_compute_features(struct bonding *b= ond) netdev_change_features(bond_dev); } =20 +static int bond_hard_header(struct sk_buff *skb, struct net_device *dev, + unsigned short type, const void *daddr, + const void *saddr, unsigned int len) +{ + struct bonding *bond =3D netdev_priv(dev); + struct net_device *slave_dev; + + slave_dev =3D bond->header_slave_dev; + + return dev_hard_header(skb, slave_dev, type, daddr, saddr, len); +} + +static void bond_header_cache_update(struct hh_cache *hh, const +struct net_device *dev, + const unsigned char *haddr) +{ + const struct bonding *bond =3D netdev_priv(dev); + void (*cache_update)(struct hh_cache *hh, + const struct net_device *dev, + const unsigned char *haddr); + struct net_device *slave_dev; + + slave_dev =3D bond->header_slave_dev; + if (!slave_dev->header_ops) + return; + cache_update =3D READ_ONCE(slave_dev->header_ops->cache_update); + if (!cache_update) + return; + cache_update(hh, slave_dev, haddr); +} + static void bond_setup_by_slave(struct net_device *bond_dev, struct net_device *slave_dev) { + struct bonding *bond =3D netdev_priv(bond_dev); bool was_up =3D !!(bond_dev->flags & IFF_UP); =20 dev_close(bond_dev); =20 - bond_dev->header_ops =3D slave_dev->header_ops; + /* Some functions are given dev as an argument + * while others not. When dev is not given, we cannot + * find out what is the slave device through struct bonding + * (the private data of bond_dev). Therefore, we need a raw + * header_ops variable instead of its pointer to const header_ops + * and assign slave's functions directly. + * For the other case, we set the wrapper functions that pass + * slave_dev to the wrapped functions. 
+ */ + bond->bond_header_ops.create =3D bond_hard_header; + bond->bond_header_ops.cache_update =3D bond_header_cache_update; + if (slave_dev->header_ops) { + WRITE_ONCE(bond->bond_header_ops.parse, slave_dev->header_ops->parse); + WRITE_ONCE(bond->bond_header_ops.cache, slave_dev->header_ops->cache); + WRITE_ONCE(bond->bond_header_ops.validate, slave_dev->header_ops->valida= te); + WRITE_ONCE(bond->bond_header_ops.parse_protocol, + slave_dev->header_ops->parse_protocol); + } else { + WRITE_ONCE(bond->bond_header_ops.parse, NULL); + WRITE_ONCE(bond->bond_header_ops.cache, NULL); + WRITE_ONCE(bond->bond_header_ops.validate, NULL); + WRITE_ONCE(bond->bond_header_ops.parse_protocol, NULL); + } + + WRITE_ONCE(bond_dev->header_ops, &bond->bond_header_ops); + bond->header_slave_dev =3D slave_dev; =20 bond_dev->type =3D slave_dev->type; bond_dev->hard_header_len =3D slave_dev->hard_header_len; @@ -2682,6 +2739,14 @@ static int bond_release_and_destroy(struct net_devic= e *bond_dev, struct bonding *bond =3D netdev_priv(bond_dev); int ret; =20 + /* If slave_dev is the earliest registered one, we must clear + * the variables related to header_ops to avoid dangling pointer. + */ + if (bond->header_slave_dev =3D=3D slave_dev) { + WRITE_ONCE(bond_dev->header_ops, NULL); + bond->header_slave_dev =3D NULL; + } + ret =3D __bond_release_one(bond_dev, slave_dev, false, true); if (ret =3D=3D 0 && !bond_has_slaves(bond) && bond_dev->reg_state !=3D NETREG_UNREGISTERING) { diff --git a/include/net/bonding.h b/include/net/bonding.h index 95f67b308..cf8206187 100644 --- a/include/net/bonding.h +++ b/include/net/bonding.h 
@@ -215,6 +215,11 @@ struct bond_ipsec { */ struct bonding { struct net_device *dev; /* first - useful for panic debug */ + struct net_device *header_slave_dev; /* slave net_device for header_op= s */ + /* maintained as a non-const variable + * because bond's header_ops should change depending on slaves. + */ + struct header_ops bond_header_ops; struct slave __rcu *curr_active_slave; struct slave __rcu *current_arp_slave; struct slave __rcu *primary_slave; --=20 2.53.0
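Review bot: (hunk @@ -1616 in bond_main.c) bond_hard_header() and bond_header_cache_update() dereference bond->header_slave_dev without a NULL check, yet the release hunk later in this patch stores NULL into that field. A caller that has already loaded bond_dev->header_ops before the two stores in bond_release_and_destroy() land can still enter these wrappers and fault on `slave_dev->header_ops` in the cache_update wrapper or inside dev_hard_header(); an early `if (!slave_dev) return 0;` in bond_hard_header() (and a plain `return;` in bond_header_cache_update()), with header_slave_dev read via READ_ONCE() and written via WRITE_ONCE() to match how header_ops itself is treated here, would close that window. Minor: the block comment above the wrapper assignment would read better as "Some callbacks receive dev as an argument while others do not."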
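Review bot: (hunk @@ -2682 in bond_main.c) the clearing of header_slave_dev lives only in bond_release_and_destroy(), while the detach itself happens in __bond_release_one(), which this patch does not touch; if any other caller of __bond_release_one() (the ordinary bond_release() path is not visible in this hunk) can remove the header slave, header_slave_dev is left pointing at a device that may later be unregistered, which is exactly the dangling pointer the new comment says it wants to avoid. Moving the `if (bond->header_slave_dev == slave_dev)` block into __bond_release_one() would cover every release path. Separately, when the bond still has other slaves, leaving bond_dev->header_ops NULL while bond_dev->type remains the slave's type means later transmits build no link-layer header at all; either re-point header_slave_dev at a remaining slave of the same type or explain in the commit message why NULL is the intended state.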
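Review bot: (hunk @@ -215 in include/net/bonding.h) the comment on bond_header_ops explains why it is non-const but says nothing about what protects header_slave_dev or when it is valid; please state which lock serialises the writers (presumably RTNL, since both bond_setup_by_slave() and bond_release_and_destroy() run from the enslave/release paths) and that header_slave_dev holds no reference of its own, so the field must be cleared before that slave goes away. Minor: an end-of-line comment followed by a block comment for the next field is hard to read; one block comment above both new fields would be clearer.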