In the Linux kernel, the following vulnerability has been resolved:
bonding: stop the device in bond_setup_by_slave()
Commit 9eed321cde22 ("net: lapbether: only support ethernet devices") has been able to keep syzbot away from net/lapb, until today.
In the following splat [1], the issue is that a lapbether device has been created on a bonding device without members. Then adding a non-ARPHRD_ETHER member forced the bonding master to change its type.
The fix is to make sure we call dev_close() in bond_setup_by_slave() so that the potential linked lapbether devices (or any other devices having assumptions on the physical device) are removed.
A similar bug has been addressed in commit 40baec225765 ("bonding: fix panic on non-ARPHRD_ETHER enslave failure").
[1]
skbuff: skb_under_panic: text:ffff800089508810 len:44 put:40 head:ffff0000c78e7c00 data:ffff0000c78e7bea tail:0x16 end:0x140 dev:bond0
kernel BUG at net/core/skbuff.c:192 !
Internal error: Oops - BUG: 00000000f2000800 [#1] PREEMPT SMP
Modules linked in:
CPU: 0 PID: 6007 Comm: syz-executor383 Not tainted 6.6.0-rc3-syzkaller-gbf6547d8715b #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023
pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : skb_panic net/core/skbuff.c:188 [inline]
pc : skb_under_panic+0x13c/0x140 net/core/skbuff.c:202
lr : skb_panic net/core/skbuff.c:188 [inline]
lr : skb_under_panic+0x13c/0x140 net/core/skbuff.c:202
sp : ffff800096a06aa0
x29: ffff800096a06ab0 x28: ffff800096a06ba0 x27: dfff800000000000
x26: ffff0000ce9b9b50 x25: 0000000000000016 x24: ffff0000c78e7bea
x23: ffff0000c78e7c00 x22: 000000000000002c x21: 0000000000000140
x20: 0000000000000028 x19: ffff800089508810 x18: ffff800096a06100
x17: 0000000000000000 x16: ffff80008a629a3c x15: 0000000000000001
x14: 1fffe00036837a32 x13: 0000000000000000 x12: 0000000000000000
x11: 0000000000000201 x10: 0000000000000000 x9 : cb50b496c519aa00
x8 : cb50b496c519aa00 x7 : 0000000000000001 x6 : 0000000000000001
x5 : ffff800096a063b8 x4 : ffff80008e280f80 x3 : ffff8000805ad11c
x2 : 0000000000000001 x1 : 0000000100000201 x0 : 0000000000000086
Call trace:
 skb_panic net/core/skbuff.c:188 [inline]
 skb_under_panic+0x13c/0x140 net/core/skbuff.c:202
 skb_push+0xf0/0x108 net/core/skbuff.c:2446
 ip6gre_header+0xbc/0x738 net/ipv6/ip6_gre.c:1384
 dev_hard_header include/linux/netdevice.h:3136 [inline]
 lapbeth_data_transmit+0x1c4/0x298 drivers/net/wan/lapbether.c:257
 lapb_data_transmit+0x8c/0xb0 net/lapb/lapb_iface.c:447
 lapb_transmit_buffer+0x178/0x204 net/lapb/lapb_out.c:149
 lapb_send_control+0x220/0x320 net/lapb/lapb_subr.c:251
 __lapb_disconnect_request+0x9c/0x17c net/lapb/lapb_iface.c:326
 lapb_device_event+0x288/0x4e0 net/lapb/lapb_iface.c:492
 notifier_call_chain+0x1a4/0x510 kernel/notifier.c:93
 raw_notifier_call_chain+0x3c/0x50 kernel/notifier.c:461
 call_netdevice_notifiers_info net/core/dev.c:1970 [inline]
 call_netdevice_notifiers_extack net/core/dev.c:2008 [inline]
 call_netdevice_notifiers net/core/dev.c:2022 [inline]
 __dev_close_many+0x1b8/0x3c4 net/core/dev.c:1508
 dev_close_many+0x1e0/0x470 net/core/dev.c:1559
 dev_close+0x174/0x250 net/core/dev.c:1585
 lapbeth_device_event+0x2e4/0x958 drivers/net/wan/lapbether.c:466
 notifier_call_chain+0x1a4/0x510 kernel/notifier.c:93
 raw_notifier_call_chain+0x3c/0x50 kernel/notifier.c:461
 call_netdevice_notifiers_info net/core/dev.c:1970 [inline]
 call_netdevice_notifiers_extack net/core/dev.c:2008 [inline]
 call_netdevice_notifiers net/core/dev.c:2022 [inline]
 __dev_close_many+0x1b8/0x3c4 net/core/dev.c:1508
 dev_close_many+0x1e0/0x470 net/core/dev.c:1559
 dev_close+0x174/0x250 net/core/dev.c:1585
 bond_enslave+0x2298/0x30cc drivers/net/bonding/bond_main.c:2332
 bond_do_ioctl+0x268/0xc64 drivers/net/bonding/bond_main.c:4539
 dev_ifsioc+0x754/0x9ac
 dev_ioctl+0x4d8/0xd34 net/core/dev_ioctl.c:786
 sock_do_ioctl+0x1d4/0x2d0 net/socket.c:1217
 sock_ioctl+0x4e8/0x834 net/socket.c:1322
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do ---truncated---