From nobody Mon Apr 6 09:08:52 2026 Received: from out-189.mta0.migadu.com (out-189.mta0.migadu.com [91.218.175.189]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 357CF35A3AA for ; Fri, 20 Mar 2026 07:22:09 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=91.218.175.189 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1773991331; cv=none; b=AckUm11mwAOGZHvaY6jkEhgI4DrZVca/Jsd7SWE9C9jxlP4HZK+UEueFdVPOr9jGhSMy+zS0vdy5k2jGC53MxDtTNf4o6TzDgdVZQfx/b1Y2XG+/b0+naAQey/Z8OQG5cUdgjKzArl5EU1huhw6RNSKs1v2iR98KB+Qq44RFRG0= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1773991331; c=relaxed/simple; bh=op1U+8oaLZcGpqorYgyhLc3fDXMBFyQ1j0nGQcxTwRA=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=MAL1+qPpFiYRas3ZYsUxvbE9pMCuF96k9xfQ8numAumIVdDe7apQtufZljWX0RxH/Sdr1bki6jFQWBbpoMlY2ub1jYVkAh29lyf3mhZpyOJ9SuVJeD28ig6QzNujTW18qz4zuz3gh6gHNTE5y27XAMIyI93torJIqaWjXB0lhPA= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linux.dev; spf=pass smtp.mailfrom=linux.dev; dkim=pass (1024-bit key) header.d=linux.dev header.i=@linux.dev header.b=pJ4iL3Q3; arc=none smtp.client-ip=91.218.175.189 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linux.dev Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=linux.dev Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linux.dev header.i=@linux.dev header.b="pJ4iL3Q3" X-Report-Abuse: Please report any abuse attempt to abuse@migadu.com and include these headers. DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux.dev; s=key1; t=1773991328; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=318XycAY/8MetVf9Vep0JgmwH0MnIW7tIrc2+DU+KN0=; b=pJ4iL3Q3TrWWn1nEPunvEiidJBZxCeCLm3M3rWIth6GNFpj6px6tEBwwotH1iZOKgx8SsZ Ve9kl+byjeopuqK3vs/JdVXkac9WTvllsifNOL9Uil0NE7h7Vmiozg7Lms6u8/EISRjY1k GpY3fQ+VRdp+LLa2Dhf5p5rGH7vgpow= From: Jiayuan Chen To: netdev@vger.kernel.org Cc: Jiayuan Chen , syzbot+3d8bc31c45e11450f24c@syzkaller.appspotmail.com, Jiayuan Chen , Jiri Pirko , Andrew Lunn , "David S. Miller" , Eric Dumazet , Jakub Kicinski , Paolo Abeni , Shuah Khan , linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org Subject: [PATCH net v3 1/2] team: fix header_ops type confusion with non-Ethernet ports Date: Fri, 20 Mar 2026 15:21:26 +0800 Message-ID: <20260320072139.134249-2-jiayuan.chen@linux.dev> In-Reply-To: <20260320072139.134249-1-jiayuan.chen@linux.dev> References: <20260320072139.134249-1-jiayuan.chen@linux.dev> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-Migadu-Flow: FLOW_OUT Content-Type: text/plain; charset="utf-8" From: Jiayuan Chen Similar to commit 950803f72547 ("bonding: fix type confusion in bond_setup_by_slave()") team has the same class of header_ops type confusion. For non-Ethernet ports, team_setup_by_port() copies port_dev->header_ops directly. When the team device later calls dev_hard_header() or dev_parse_header(), these callbacks can run with the team net_device instead of the real lower device, so netdev_priv(dev) is interpreted as the wrong private type and can crash. The syzbot report shows a crash in bond_header_create(), but the root cause is in team: the topology is gre -> bond -> team, and team calls the inherited header_ops with its own net_device instead of the lower device, so bond_header_create() receives a team device and interprets netdev_priv() as bonding private data, causing a type confusion crash. Fix this by introducing team header_ops wrappers for create/parse, selecting a team port under RCU, and calling the lower device callbacks with port->dev, so each callback always sees the correct net_device context. Also pass the selected lower device to the lower parse callback, so recursion is bounded in stacked non-Ethernet topologies and parse callbacks always run with the correct device context. Fixes: 1d76efe1577b ("team: add support for non-ethernet devices") Reported-by: syzbot+3d8bc31c45e11450f24c@syzkaller.appspotmail.com Closes: https://lore.kernel.org/all/69b46af7.050a0220.36eb34.000e.GAE@googl= e.com/T/ Cc: Jiayuan Chen Signed-off-by: Jiayuan Chen --- drivers/net/team/team_core.c | 65 +++++++++++++++++++++++++++++++++++- 1 file changed, 64 insertions(+), 1 deletion(-) diff --git a/drivers/net/team/team_core.c b/drivers/net/team/team_core.c index b7282f5c9632..120aeb539d9f 100644 --- a/drivers/net/team/team_core.c +++ b/drivers/net/team/team_core.c @@ -2058,6 +2058,68 @@ static const struct ethtool_ops team_ethtool_ops =3D= { * rt netlink interface ***********************/ =20 +/* For tx path we need a linkup && enabled port and for parse any port + * suffices. + */ +static struct team_port *team_header_port_get_rcu(struct team *team, + bool txable) +{ + struct team_port *port; + + list_for_each_entry_rcu(port, &team->port_list, list) { + if (!txable || team_port_txable(port)) + return port; + } + + return NULL; +} + +static int team_header_create(struct sk_buff *skb, struct net_device *team= _dev, + unsigned short type, const void *daddr, + const void *saddr, unsigned int len) +{ + struct team *team =3D netdev_priv(team_dev); + const struct header_ops *port_ops; + struct team_port *port; + int ret =3D 0; + + rcu_read_lock(); + port =3D team_header_port_get_rcu(team, true); + if (port) { + port_ops =3D READ_ONCE(port->dev->header_ops); + if (port_ops && port_ops->create) + ret =3D port_ops->create(skb, port->dev, + type, daddr, saddr, len); + } + rcu_read_unlock(); + return ret; +} + +static int team_header_parse(const struct sk_buff *skb, + const struct net_device *team_dev, + unsigned char *haddr) +{ + struct team *team =3D netdev_priv(team_dev); + const struct header_ops *port_ops; + struct team_port *port; + int ret =3D 0; + + rcu_read_lock(); + port =3D team_header_port_get_rcu(team, false); + if (port) { + port_ops =3D READ_ONCE(port->dev->header_ops); + if (port_ops && port_ops->parse) + ret =3D port_ops->parse(skb, port->dev, haddr); + } + rcu_read_unlock(); + return ret; +} + +static const struct header_ops team_header_ops =3D { + .create =3D team_header_create, + .parse =3D team_header_parse, +}; + static void team_setup_by_port(struct net_device *dev, struct net_device *port_dev) { @@ -2066,7 +2128,8 @@ static void team_setup_by_port(struct net_device *dev, if (port_dev->type =3D=3D ARPHRD_ETHER) dev->header_ops =3D team->header_ops_cache; else - dev->header_ops =3D port_dev->header_ops; + dev->header_ops =3D port_dev->header_ops ? + &team_header_ops : NULL; dev->type =3D port_dev->type; dev->hard_header_len =3D port_dev->hard_header_len; dev->needed_headroom =3D port_dev->needed_headroom; --=20 2.43.0 From nobody Mon Apr 6 09:08:52 2026 Received: from out-189.mta0.migadu.com (out-189.mta0.migadu.com [91.218.175.189]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 12D8A35B63B for ; Fri, 20 Mar 2026 07:22:16 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=91.218.175.189 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1773991338; cv=none; b=WuAKd30KxE/rO9f2AQbBz9VPMQTNX//x4pa90grYvj0hJynenTj7NkSBzTAMqscl1SWJOo6GqVoSVCbEpVNTHduQMZrYrwF5s190Ji5MiOV1ytG27l18UBIcENUkp48gBQM1FYSkMSWMcOIIJapoLfLlx+ymyWh0ves4tRi+WOc= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1773991338; c=relaxed/simple; bh=7e11Rzezl2KDjcTyl1P9NIZgWk2RomPzHy1FDC7uNv0=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=sNAjZy/wRaEBkvu0HE0EV7xux6STqdO9LIMGdIN2oH3b4mA5UeSDfBVLZJjFbPlTzSuKG6hu7uvPJ+FSRUUX66gDdYX02yvjpYhfTEgwj5/Nt+kKbcywp06aWjb66+l4YM4PpEJfyavVsIDpAzeIAiGp2oWx55JJ8zabuHA4qIc= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linux.dev; spf=pass smtp.mailfrom=linux.dev; dkim=pass (1024-bit key) header.d=linux.dev header.i=@linux.dev header.b=l6KY6N+1; arc=none smtp.client-ip=91.218.175.189 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linux.dev Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=linux.dev Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linux.dev header.i=@linux.dev header.b="l6KY6N+1" X-Report-Abuse: Please report any abuse attempt to abuse@migadu.com and include these headers. DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux.dev; s=key1; t=1773991335; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=YuM6ZDfBtwkarCW76CZ0oiAYb2DsFaCVZvlmDq14wkk=; b=l6KY6N+1HdNRwdQu6L3pDItnls13HfjoZtSImh1Mi+QbCijSQQPnOsmZEpxmGoiy4a6RbW Ak0znyySyP5mL9q35NAzSu1VKNf1t2VZgqPRwFRRvyXz41QVqFfQV3rwkxHbLGbq1xlApG MQSJbASqvkMdWyXwH1u9w7enV7zeCSU= From: Jiayuan Chen To: netdev@vger.kernel.org Cc: Jiayuan Chen , Jiayuan Chen , Jiri Pirko , Andrew Lunn , "David S. Miller" , Eric Dumazet , Jakub Kicinski , Paolo Abeni , Shuah Khan , linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org Subject: [PATCH net v3 2/2] selftests: team: add non-Ethernet header_ops reproducer Date: Fri, 20 Mar 2026 15:21:27 +0800 Message-ID: <20260320072139.134249-3-jiayuan.chen@linux.dev> In-Reply-To: <20260320072139.134249-1-jiayuan.chen@linux.dev> References: <20260320072139.134249-1-jiayuan.chen@linux.dev> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-Migadu-Flow: FLOW_OUT Content-Type: text/plain; charset="utf-8" From: Jiayuan Chen Add a team selftest that sets up: g0 (gre) -> b0 (bond) -> t0 (team) and triggers IPv6 traffic on t0. This reproduces the non-Ethernet header_ops confusion scenario and protects against regressions in stacked team/bond/gre configurations. Using this script, the panic reported by syzkaller can be reproduced [1]. After the fix: # ./non_ether_header_ops.sh PASS: non-Ethernet header_ops stacking did not crash [1] https://syzkaller.appspot.com/bug?extid=3D3d8bc31c45e11450f24c Cc: Jiayuan Chen Signed-off-by: Jiayuan Chen --- .../selftests/drivers/net/team/Makefile | 1 + .../testing/selftests/drivers/net/team/config | 2 + .../drivers/net/team/non_ether_header_ops.sh | 41 +++++++++++++++++++ 3 files changed, 44 insertions(+) create mode 100755 tools/testing/selftests/drivers/net/team/non_ether_head= er_ops.sh diff --git a/tools/testing/selftests/drivers/net/team/Makefile b/tools/test= ing/selftests/drivers/net/team/Makefile index 45a3e7ad3dcb..02d6f51d5a06 100644 --- a/tools/testing/selftests/drivers/net/team/Makefile +++ b/tools/testing/selftests/drivers/net/team/Makefile @@ -3,6 +3,7 @@ =20 TEST_PROGS :=3D \ dev_addr_lists.sh \ + non_ether_header_ops.sh \ options.sh \ propagation.sh \ refleak.sh \ diff --git a/tools/testing/selftests/drivers/net/team/config b/tools/testin= g/selftests/drivers/net/team/config index 558e1d0cf565..5d36a22ef080 100644 --- a/tools/testing/selftests/drivers/net/team/config +++ b/tools/testing/selftests/drivers/net/team/config @@ -1,7 +1,9 @@ +CONFIG_BONDING=3Dy CONFIG_DUMMY=3Dy CONFIG_IPV6=3Dy CONFIG_MACVLAN=3Dy CONFIG_NETDEVSIM=3Dm +CONFIG_NET_IPGRE=3Dy CONFIG_NET_TEAM=3Dy CONFIG_NET_TEAM_MODE_ACTIVEBACKUP=3Dy CONFIG_NET_TEAM_MODE_LOADBALANCE=3Dy diff --git a/tools/testing/selftests/drivers/net/team/non_ether_header_ops.= sh b/tools/testing/selftests/drivers/net/team/non_ether_header_ops.sh new file mode 100755 index 000000000000..948a43576bdc --- /dev/null +++ b/tools/testing/selftests/drivers/net/team/non_ether_header_ops.sh @@ -0,0 +1,41 @@ +#!/bin/bash +# SPDX-License-Identifier: GPL-2.0 +# shellcheck disable=3DSC2154 +# +# Reproduce the non-Ethernet header_ops confusion scenario with: +# g0 (gre) -> b0 (bond) -> t0 (team) +# +# Before the fix, direct header_ops inheritance in this stack could call +# callbacks with the wrong net_device context and crash. + +lib_dir=3D$(dirname "$0") +source "$lib_dir"/../../../net/lib.sh + +trap cleanup_all_ns EXIT + +setup_ns ns1 + +ip -n "$ns1" link add d0 type dummy +ip -n "$ns1" addr add 10.10.10.1/24 dev d0 +ip -n "$ns1" link set d0 up + +ip -n "$ns1" link add g0 type gre local 10.10.10.1 +ip -n "$ns1" link add b0 type bond mode active-backup +ip -n "$ns1" link add t0 type team + +ip -n "$ns1" link set g0 master b0 +ip -n "$ns1" link set b0 master t0 + +ip -n "$ns1" link set g0 up +ip -n "$ns1" link set b0 up +ip -n "$ns1" link set t0 up + +# IPv6 address assignment triggers MLD join reports that call +# dev_hard_header() on t0, exercising the inherited header_ops path. +ip -n "$ns1" -6 addr add 2001:db8:1::1/64 dev t0 nodad +for i in $(seq 1 20); do + ip netns exec "$ns1" ping -6 -I t0 ff02::1 -c1 -W1 &>/dev/null || true +done + +echo "PASS: non-Ethernet header_ops stacking did not crash" +exit "$EXIT_STATUS" --=20 2.43.0