Message-ID: <CAA3_GnqspgihczMgbSBXoXPwfo1=uwiK2ef-V83+FBbR1JEa2g@mail.gmail.com>
Date: Thu, 5 Feb 2026 19:56:00 +0900
From: 戸田晃太 <kota.toda@...-cybersecurity.com>
To: Eric Dumazet <edumazet@...gle.com>
Cc: pabeni@...hat.com, netdev@...r.kernel.org, linux-kernel@...r.kernel.org,
小池悠生 <yuki.koike@...-cybersecurity.com>,
戸田晃太 <kota.toda@...-cybersecurity.com>
Subject: [PATCH net 0/2] net: bonding: fix type-confusion in bonding header_ops
In bond_setup_by_slave(), the slave's header_ops are unconditionally
copied into the bonding device. As a result, the bonding device may invoke
the slave-specific header operations on itself, causing
netdev_priv(bond_dev) (a struct bonding) to be incorrectly interpreted
as the slave's private-data type.

This type-confusion bug can lead to out-of-bounds writes into the skb,
resulting in memory corruption.

Patch 1 stores the slave's header_ops in struct bonding and sets
wrapper callbacks in bond_dev->header_ops.

Patch 2 uses READ_ONCE when loading header_ops callbacks
to avoid races with concurrent updates.

Signed-off-by: Kota Toda <kota.toda@...-cybersecurity.com>
Signed-off-by: Yuki Koike <yuki.koike@...-cybersecurity.com>
Co-developed-by: Yuki Koike <yuki.koike@...-cybersecurity.com>
Reviewed-by: Paolo Abeni <pabeni@...hat.com>
Reported-by: Kota Toda <kota.toda@...-cybersecurity.com>
--
Kota Toda (2):
  net: bonding: fix type-confusion in bonding header_ops
  net: add READ_ONCE for header_ops callbacks

 drivers/net/bonding/bond_main.c | 66 ++++++++++++++++++++++++++++++++-
 include/linux/netdevice.h       | 24 +++++++-----
 include/net/bonding.h           |  5 +++
 include/net/cfg802154.h         |  2 +-
 net/core/neighbour.c            |  6 +--
 net/ipv4/arp.c                  |  2 +-
 net/ipv6/ndisc.c                |  2 +-
 7 files changed, 91 insertions(+), 16 deletions(-)
--
2.53.0
On Tue, 3 Feb 2026 at 2:11, Eric Dumazet <edumazet@...gle.com> wrote:
>
> On Wed, Jan 28, 2026 at 11:46 AM 戸田晃太 <kota.toda@...-cybersecurity.com> wrote:
> >
> > Here is the patch with the barriers added, based on v6.12.67.
> >
> > However, as Yuki said, we are wondering if this would be considered an
> > acceptable change
> > from the perspective of the maintainers (or in terms of Linux kernel
> > culture). This is because
> > the patch adds `READ_ONCE` to several locations outside of bonding subsystem.
> > Please let me know if you have any concerns regarding this point.
> >
> > > Also, please clarify what happens with stacks of two or more bonding devices ?
> >
> > To clarify, currently the `header_ops` of the bottom-most
> > interface are used regardless of the number of bonding layers.
> > This patch changes it so that `&bond->bond_header_ops` is used
> > as the bond device's `header_ops`, regardless of the stack depth.
>
> Could you try to cook a patch series perhaps ?
>
> The READ_ONCE()/WRITE_ONCE() on dev->header_ops->cache could be done separately.
>
> Thanks.
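The cover letter describes the bug (a slave driver's header callback running with the bond's netdev_priv()) and the shape of patch 1 (stash the slave's header_ops in struct bonding, expose bond-owned wrappers). The following is an added user-space C model of both, not code from the patch series or from the kernel: netdev_priv(), header_ops and create() keep their kernel names, but slave_priv and its layout, the 64-byte private area, the bounds guard in the slave callback, run_bond_create() and the assumption that the wrapper calls the slave's callback with the slave's own device are all invented here for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Model only: netdev_priv(), header_ops and create() keep their kernel names;
 * slave_priv, the 64-byte private area and the bounds guard are invented. */
#define SLAVE_HDR_LEN 14   /* an Ethernet-sized hardware header */
#define PRIV_SIZE 64

struct net_device;
struct header_ops {
	int (*create)(struct net_device *dev, unsigned char *buf, size_t buflen);
};
struct net_device {
	const struct header_ops *header_ops;
	union { unsigned char b[PRIV_SIZE]; uint64_t align; } priv; /* netdev_priv() */
};
static void *netdev_priv(struct net_device *dev) { return dev->priv.b; }

/* Hypothetical slave driver private data: hdr_len sits at offset 0. */
struct slave_priv {
	uint32_t hdr_len;
	unsigned char hdr_template[32];
};

/* Simplified struct bonding: offset 0 holds a pointer, so a slave callback that
 * reads it as slave_priv::hdr_len sees pointer bytes. The last two fields stand
 * in for what patch 1 adds. */
struct bonding {
	struct net_device *curr_slave;
	const struct header_ops *slave_header_ops;
	struct header_ops bond_header_ops;
};

/* The slave driver's create(): assumes dev is the slave's own device. */
static int slave_header_create(struct net_device *dev, unsigned char *buf, size_t buflen)
{
	struct slave_priv *sp = netdev_priv(dev);
	if (sp->hdr_len > buflen)   /* model guard; a real driver would write past buf */
		return -1;
	memcpy(buf, sp->hdr_template, sp->hdr_len);
	return (int)sp->hdr_len;
}
static const struct header_ops slave_ops = { .create = slave_header_create };

/* Buggy setup: the slave's header_ops are copied straight into the bond. */
static void bond_setup_by_slave_buggy(struct net_device *bond_dev, struct net_device *slave_dev)
{
	struct bonding *bond = netdev_priv(bond_dev);
	bond->curr_slave = slave_dev;
	bond_dev->header_ops = slave_dev->header_ops;
}

/* Wrapper create(): runs on the bond, so netdev_priv() really is a bonding;
 * the stored slave callback is invoked with the slave's own device (assumed shape). */
static int bond_header_create(struct net_device *dev, unsigned char *buf, size_t buflen)
{
	struct bonding *bond = netdev_priv(dev);
	const struct header_ops *ops = bond->slave_header_ops;
	if (!ops || !ops->create || !bond->curr_slave)
		return -1;
	return ops->create(bond->curr_slave, buf, buflen);
}

/* Fixed setup: remember the slave's ops and expose bond-owned wrappers. */
static void bond_setup_by_slave_fixed(struct net_device *bond_dev, struct net_device *slave_dev)
{
	struct bonding *bond = netdev_priv(bond_dev);
	bond->curr_slave = slave_dev;
	bond->slave_header_ops = slave_dev->header_ops;
	bond->bond_header_ops.create = bond_header_create;
	bond_dev->header_ops = &bond->bond_header_ops;
}

/* Enslaves a fresh slave to a fresh bond, then calls the bond's create(). */
static int run_bond_create(void (*setup)(struct net_device *, struct net_device *),
			   unsigned char *out, size_t outlen)
{
	struct net_device slave_dev = { .header_ops = &slave_ops };
	struct net_device bond_dev = { 0 };
	struct slave_priv *sp = netdev_priv(&slave_dev);
	sp->hdr_len = SLAVE_HDR_LEN;
	memset(sp->hdr_template, 0xAB, SLAVE_HDR_LEN);
	setup(&bond_dev, &slave_dev);
	return bond_dev.header_ops->create(&bond_dev, out, outlen);
}

/* Buggy path: the slave callback reads a pointer as hdr_len; the guard returns -1. */
int bond_create_buggy(void)
{
	unsigned char buf[PRIV_SIZE];
	return run_bond_create(bond_setup_by_slave_buggy, buf, sizeof(buf));
}

/* Returns SLAVE_HDR_LEN only if the slave's real header landed in buf. */
int bond_create_fixed(void)
{
	unsigned char buf[PRIV_SIZE] = { 0 };
	int n = run_bond_create(bond_setup_by_slave_fixed, buf, sizeof(buf));
	return (n == SLAVE_HDR_LEN && buf[0] == 0xAB && buf[n - 1] == 0xAB) ? n : -2;
}
```

In the buggy path the slave's create() is handed bond_dev, so the uint32_t it reads as hdr_len is actually the first bytes of struct bonding (a pointer); the model's guard turns what would be an over-long write into a -1 return, which is exactly the check a real driver does not have. In the fixed path the bond's own header_ops entry is bond_header_create(), whose netdev_priv() really is a struct bonding, and the slave callback only ever sees the slave's device and private data.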