In bond_setup_by_slave(), the slave's header_ops are unconditionally copied
into the bonding device. As a result, the bonding device may invoke the
slave-specific header operations on itself, causing netdev_priv(bond_dev)
(a struct bonding) to be incorrectly interpreted as the slave's private-data
type. This type-confusion bug can lead to out-of-bounds writes into the skb,
resulting in memory corruption.

Patch 1 stores the slave's header_ops in struct bonding and sets wrapper
callbacks in bond_dev->header_ops. Patch 2 uses READ_ONCE when loading
header_ops callbacks to avoid races with concurrent updates.

Signed-off-by: Kota Toda <kota.toda@gmo-cybersecurity.com>
Signed-off-by: Yuki Koike <yuki.koike@gmo-cybersecurity.com>
Co-developed-by: Yuki Koike <yuki.koike@gmo-cybersecurity.com>
Reviewed-by: Paolo Abeni <pabeni@redhat.com>
Reported-by: Kota Toda <kota.toda@gmo-cybersecurity.com>
--

Kota Toda (2):
  net: bonding: fix type-confusion in bonding header_ops
  net: add READ_ONCE for header_ops callbacks

 drivers/net/bonding/bond_main.c | 66 ++++++++++++++++++++++++++++++++-
 include/linux/netdevice.h       | 24 +++++++-----
 include/net/bonding.h           |  5 +++
 include/net/cfg802154.h         |  2 +-
 net/core/neighbour.c            |  6 +--
 net/ipv4/arp.c                  |  2 +-
 net/ipv6/ndisc.c                |  2 +-
 7 files changed, 91 insertions(+), 16 deletions(-)

--
2.53.0

On Tue, Feb 3, 2026 at 2:11 Eric Dumazet <edumazet@google.com> wrote:
>
> On Wed, Jan 28, 2026 at 11:46 AM 戸田晃太 <kota.toda@gmo-cybersecurity.com> wrote:
> >
> > Here is the patch with the barriers added, based on v6.12.67.
> >
> > However, as Yuki said, we are wondering if this would be considered an
> > acceptable change from the perspective of the maintainers (or in terms of
> > Linux kernel culture). This is because the patch adds `READ_ONCE` to
> > several locations outside of the bonding subsystem.
> > Please let me know if you have any concerns regarding this point.
> >
> > > Also, please clarify what happens with stacks of two or more bonding devices ?
> >
> > To clarify, currently the `header_ops` of the bottom-most interface are
> > used regardless of the number of bonding layers. This patch changes it so
> > that `&bond->bond_header_ops` is used as the bond device's `header_ops`,
> > regardless of the stack depth.
>
> Could you try to cook a patch series perhaps ?
>
> The READ_ONCE()/WRITE_ONCE() on dev->header_ops->cache could be done separately.
>
> Thanks.
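Added illustration, not part of the cover letter or of the patches themselves: a user-space C model of the "saved slave ops plus wrapper callbacks" scheme the cover letter describes, including the stacked-bond case raised in the quoted thread. The struct layouts, field names and the single create() hook are simplified stand-ins for the kernel's definitions, and the hand-off to bond->active_slave inside the wrapper is an assumption about how such a wrapper would dispatch, not a statement of what patch 1 does.

```c
#include <stddef.h>
#include <string.h>
struct net_device;
struct header_ops { int (*create)(const struct net_device *dev, unsigned char *buf, size_t len); };
struct net_device { const struct header_ops *header_ops; void *priv; /* netdev_priv() stand-in */ };
struct slave_priv { size_t hdr_len; unsigned char hdr[8]; };	/* a plain slave driver's private data */
struct bonding {					/* simplified stand-in for struct bonding */
	struct net_device *active_slave;		/* slave whose header gets built (assumption) */
	const struct header_ops *slave_header_ops;	/* saved, not copied into bond_dev (patch 1) */
	struct header_ops bond_header_ops;		/* wrappers installed as bond_dev->header_ops */
};
static int slave_create(const struct net_device *dev, unsigned char *buf, size_t len)
{
	const struct slave_priv *p = dev->priv;	/* the slave driver trusts that dev's priv is its own */
	if (p->hdr_len > len) return -1;
	memcpy(buf, p->hdr, p->hdr_len);
	return (int)p->hdr_len;
}
/* Wrapper run on bond_dev (whose priv really is a struct bonding): forward to the saved slave ops with the slave's own net_device. */
static int bond_create(const struct net_device *dev, unsigned char *buf, size_t len)
{
	const struct bonding *bond = dev->priv;
	if (!bond->active_slave || !bond->slave_header_ops || !bond->slave_header_ops->create) return -1;
	return bond->slave_header_ops->create(bond->active_slave, buf, len);
}
/* Model of bond_setup_by_slave() after the fix: save the slave's ops and install the wrappers. */
static void bond_setup_by_slave(struct net_device *bond_dev, struct bonding *bond, struct net_device *slave_dev)
{
	bond->active_slave = slave_dev;
	bond->slave_header_ops = slave_dev->header_ops;
	bond->bond_header_ops.create = bond_create;
	bond_dev->header_ops = &bond->bond_header_ops;
	bond_dev->priv = bond;
}
/* bond1 on bond0 on eth: each bond keeps its own wrapper; the call chains down to eth's create() with eth's priv. Returns bytes written (len <= 8) or < 0. */
static int stacked_bonds_header(size_t len)
{
	unsigned char buf[8] = { 0 };
	struct slave_priv sp = { .hdr_len = 4, .hdr = { 0xde, 0xad, 0xbe, 0xef } };	/* constructed sample */
	const struct header_ops eth_ops = { .create = slave_create };
	struct net_device eth = { .header_ops = &eth_ops, .priv = &sp };
	struct bonding b0 = { 0 }, b1 = { 0 }; struct net_device bond0 = { 0 }, bond1 = { 0 };
	if (len > sizeof(buf)) return -4;
	bond_setup_by_slave(&bond0, &b0, &eth);
	bond_setup_by_slave(&bond1, &b1, &bond0);
	if (bond1.header_ops != &b1.bond_header_ops) return -2;	/* top bond owns its header_ops */
	int n = bond1.header_ops->create(&bond1, buf, len);
	if (n > 0 && memcmp(buf, sp.hdr, (size_t)n) != 0) return -3;	/* bytes must come from eth's priv */
	return n;
}
```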