From nobody Mon Jun  8 05:30:30 2026
Received: from mail-gw02.astralinux.ru (mail-gw02.astralinux.ru
 [93.188.205.243])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 187BC7260D;
	Fri,  5 Jun 2026 13:53:06 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=93.188.205.243
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1780667592; cv=none;
 b=oWPk8HcDcPYtsIS1ECCnr6yawSxsufm14ywfSbL+LQxlTmAK9kimq3zxCRBzM1RD7npVwYg8wFTGIxWZ/jcB/tYybJiYE8z4TdXVTF2iwBR0LNbVP2ygZiwaRUqNQuuj4sc0ULqJbs7mS1kVaSUjFnFfz91G8bqVaNHsWCDtdUE=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1780667592; c=relaxed/simple;
	bh=MWyOzsRoF6IgihNP4ZmOHjOp/+rGMyYr1WD9i/KTVT0=;
	h=From:To:Cc:Subject:Date:Message-Id:MIME-Version;
 b=qXrTxq9osZMvhtCTyYovks7hDWa1VPs+LoqhoSa+zLJeZUCBayEcg0uU6//fOxw0hgkzil4shWogz5RFZ/44MBwmATGNgOEAUSuyM6vs+pykcY5b0TyfKXkHmdcKTf2tUZP2VJ1rDSBEuI7UqX0hnKGYy7ZaFkImMmMkBnVNU5c=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 dmarc=pass (p=quarantine dis=none) header.from=astralinux.ru;
 spf=pass smtp.mailfrom=astralinux.ru;
 dkim=pass (2048-bit key) header.d=astralinux.ru header.i=@astralinux.ru
 header.b=c5hxqcEB; arc=none smtp.client-ip=93.188.205.243
Authentication-Results: smtp.subspace.kernel.org;
 dmarc=pass (p=quarantine dis=none) header.from=astralinux.ru
Authentication-Results: smtp.subspace.kernel.org;
 spf=pass smtp.mailfrom=astralinux.ru
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=astralinux.ru header.i=@astralinux.ru
 header.b="c5hxqcEB"
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=astralinux.ru;
	s=mail; t=1780667235;
	bh=MWyOzsRoF6IgihNP4ZmOHjOp/+rGMyYr1WD9i/KTVT0=;
	h=From:To:Cc:Subject:Date:From;
	b=c5hxqcEBwILGnS+Nh4mScyuqJtSzXmmRFZhf11dCeFthZKNSleQS/RsY3QXc3V5ES
	 afTP2jl6tHP2hByqJ0HK18bOTiA3bZgNm2AJHXvyffnZY+xLtd6ubQg8K8yZaKE3UY
	 S1tLTcsvCGBWYjBd2d0uLzVSoBoubK0qXdH1tzJn4XpdkxTu7s+/Dpmcxhk5NkblFZ
	 Yi3sUVBiK7yQEo5rZb/B3BlCLK2FBkvjmdWps0rPkAAJt5YSo+y3QrevigDOg1t7pK
	 57g0zv7jK+fFxA3ZNddjeZoD+4X1YTxzimi/ia/9obw9Iyv14cxq21LP3r1IfDuS2J
	 WNK5rtbRoT55A==
Received: from gca-msk-a-srv-ksmg01.astralinux.ru (localhost [127.0.0.1])
	by mail-gw02.astralinux.ru (Postfix) with ESMTP id 486491F977;
	Fri,  5 Jun 2026 16:47:15 +0300 (MSK)
Received: from new-mail.astralinux.ru (unknown [10.205.207.8])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest
 SHA256)
	(No client certificate requested)
	by mail-gw02.astralinux.ru (Postfix) with ESMTPS;
	Fri,  5 Jun 2026 16:47:10 +0300 (MSK)
Received: from rbta-msk-lt-156703.astralinux.ru (unknown [10.198.16.171])
	by new-mail.astralinux.ru (Postfix) with ESMTPA id 4gX2mY5n74zZdFK;
	Fri, 05 Jun 2026 16:47:09 +0300 (MSK)
From: Alexey Panov <apanov@astralinux.ru>
To: stable@vger.kernel.org,
	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Alexey Panov <apanov@astralinux.ru>,
	Jiri Pirko <jiri@resnulli.us>,
	"David S. Miller" <davem@davemloft.net>,
	Jakub Kicinski <kuba@kernel.org>,
	netdev@vger.kernel.org,
	linux-kernel@vger.kernel.org,
	Andrew Lunn <andrew+netdev@lunn.ch>,
	Eric Dumazet <edumazet@google.com>,
	Paolo Abeni <pabeni@redhat.com>,
	lvc-project@linuxtesting.org,
	syzbot+a2a3b519de727b0f7903@syzkaller.appspotmail.com,
	"Nikola Z . Ivanov" <zlatistiv@gmail.com>,
	Jiri Pirko <jiri@nvidia.com>
Subject: [PATCH 5.10] team: Move team device type change at the end of
 team_port_add
Date: Fri,  5 Jun 2026 16:47:00 +0300
Message-Id: <20260605134700.23565-1-apanov@astralinux.ru>
X-Mailer: git-send-email 2.30.2
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
X-KSMG-AntiPhishing: NotDetected, bases: 2026/06/05 13:22:00
X-KSMG-AntiSpam-Auth: dkim=none
X-KSMG-AntiSpam-Envelope-From: apanov@astralinux.ru
X-KSMG-AntiSpam-Info: LuaCore: 107 0.3.107
 575e75fe8e3b9d45c142d144823c5de38605099e, {date_rfc_vio_soft_silent},
 {Tracking_uf_ne_domains}, {Tracking_internal2},
 {Tracking_from_domain_doesnt_match_to},
 new-mail.astralinux.ru:7.1.1;astralinux.ru:7.1.1;syzkaller.appspot.com:7.1.1,5.0.1;patch.msgid.link:7.1.1;127.0.0.199:7.1.2;d41d8cd98f00b204e9800998ecf8427e.com:7.1.1,
 FromAlignment: s
X-KSMG-AntiSpam-Interceptor-Info: scan successful
X-KSMG-AntiSpam-Lua-Profiles: 203688 [Jun 05 2026]
X-KSMG-AntiSpam-Method: none
X-KSMG-AntiSpam-Rate: 0
X-KSMG-AntiSpam-Status: not_detected
X-KSMG-AntiSpam-Version: 6.1.1.22
X-KSMG-AntiVirus: Kaspersky Secure Mail Gateway, version 2.1.0.7854,
 bases: 2026/06/05 12:57:00 #28217219
X-KSMG-AntiVirus-Status: NotDetected, skipped
X-KSMG-LinksScanning: NotDetected, bases: 2026/06/05 13:22:00
X-KSMG-Message-Action: skipped
X-KSMG-Rule-ID: 1
Content-Type: text/plain; charset="utf-8"

From: Nikola Z. Ivanov <zlatistiv@gmail.com>

commit 0ae9cfc454ea5ead5f3ddbdfe2e70270d8e2c8ef upstream.

Attempting to add a port device that is already up will expectedly fail,
but not before modifying the team device header_ops.

In the case of the syzbot reproducer the gre0 device is
already in state UP when it attempts to add it as a
port device of team0, this fails but before that
header_ops->create of team0 is changed from eth_header to ipgre_header
in the call to team_dev_type_check_change.

Later when we end up in ipgre_header() struct ip_tunnel* points to nonsense
as the private data of the device still holds a struct team.

Example sequence of iproute2 commands to reproduce the hang/BUG():
ip link add dev team0 type team
ip link add dev gre0 type gre
ip link set dev gre0 up
ip link set dev gre0 master team0
ip link set dev team0 up
ping -I team0 1.1.1.1

Move team_dev_type_check_change down where all other checks have passed
as it changes the dev type with no way to restore it in case
one of the checks that follow it fail.

Also make sure to preserve the origial mtu assignment:
  - If port_dev is not the same type as dev, dev takes mtu from port_dev
  - If port_dev is the same type as dev, port_dev takes mtu from dev

This is done by adding a conditional before the call to dev_set_mtu
to prevent it from assigning port_dev->mtu =3D dev->mtu and instead
letting team_dev_type_check_change assign dev->mtu =3D port_dev->mtu.
The conditional is needed because the patch moves the call to
team_dev_type_check_change past dev_set_mtu.

Testing:
  - team device driver in-tree selftests
  - Add/remove various devices as slaves of team device
  - syzbot

Reported-by: syzbot+a2a3b519de727b0f7903@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=3Da2a3b519de727b0f7903
Fixes: 1d76efe1577b ("team: add support for non-ethernet devices")
Signed-off-by: Nikola Z. Ivanov <zlatistiv@gmail.com>
Reviewed-by: Jiri Pirko <jiri@nvidia.com>
Link: https://patch.msgid.link/20251122002027.695151-1-zlatistiv@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
[ Alexey: backport to 5.10: adjust path from
drivers/net/team/team_core.c to drivers/net/team/team.c ]
Signed-off-by: Alexey Panov <apanov@astralinux.ru>
---
Backport fix for CVE-2025-68340
 drivers/net/team/team.c | 23 +++++++++++++++--------
 1 file changed, 15 insertions(+), 8 deletions(-)

diff --git a/drivers/net/team/team.c b/drivers/net/team/team.c
index 03cc3da8c3c1..0b62e204c7bb 100644
--- a/drivers/net/team/team.c
+++ b/drivers/net/team/team.c
@@ -1180,10 +1180,6 @@ static int team_port_add(struct team *team, struct n=
et_device *port_dev,
 		return -EPERM;
 	}
=20
-	err =3D team_dev_type_check_change(dev, port_dev);
-	if (err)
-		return err;
-
 	if (port_dev->flags & IFF_UP) {
 		NL_SET_ERR_MSG(extack, "Device is up. Set it down before adding it as a =
team port");
 		netdev_err(dev, "Device %s is up. Set it down before adding it as a team=
 port\n",
@@ -1201,10 +1197,16 @@ static int team_port_add(struct team *team, struct =
net_device *port_dev,
 	INIT_LIST_HEAD(&port->qom_list);
=20
 	port->orig.mtu =3D port_dev->mtu;
-	err =3D dev_set_mtu(port_dev, dev->mtu);
-	if (err) {
-		netdev_dbg(dev, "Error %d calling dev_set_mtu\n", err);
-		goto err_set_mtu;
+	/*
+	 * MTU assignment will be handled in team_dev_type_check_change
+	 * if dev and port_dev are of different types
+	 */
+	if (dev->type =3D=3D port_dev->type) {
+		err =3D dev_set_mtu(port_dev, dev->mtu);
+		if (err) {
+			netdev_dbg(dev, "Error %d calling dev_set_mtu\n", err);
+			goto err_set_mtu;
+		}
 	}
=20
 	memcpy(port->orig.dev_addr, port_dev->dev_addr, port_dev->addr_len);
@@ -1279,6 +1281,10 @@ static int team_port_add(struct team *team, struct n=
et_device *port_dev,
 		}
 	}
=20
+	err =3D team_dev_type_check_change(dev, port_dev);
+	if (err)
+		goto err_set_dev_type;
+
 	if (dev->flags & IFF_UP) {
 		netif_addr_lock_bh(dev);
 		dev_uc_sync_multiple(port_dev, dev);
@@ -1297,6 +1303,7 @@ static int team_port_add(struct team *team, struct ne=
t_device *port_dev,
=20
 	return 0;
=20
+err_set_dev_type:
 err_set_slave_promisc:
 	__team_option_inst_del_port(team, port);
=20
--=20
2.47.3