# CVE-2026-43456

## Summary

Linux kernel bonding can inherit header_ops from non-Ethernet slaves (e.g., GRE), causing type confusion and kernel crashes when dev_hard_header() is invoked on the bond device.

## Description

The Linux kernel bonding driver copies `header_ops` from a slave device to the bond device. If the slave is a non-Ethernet device (e.g., GRE), the bond later calls `dev_hard_header()` with `header_ops` that expect the slave's `netdev_priv()` layout, but receive the bond's private data instead, leading to type confusion and kernel crashes.

## Affected Package
- **Package**: Linux kernel (bonding driver)
- **Ecosystem**: linux
- **Vulnerable versions**: Not specified in NVD; affected kernels prior to the listed fixes.

## Details
`bond_setup_by_slave()` assigns `bond_dev->header_ops = slave_dev->header_ops` without considering that many `header_ops` callbacks (e.g., `ipgre_header()` / `ip6gre_header()`) dereference `netdev_priv(dev)` and expect a device-specific private struct. When the bond device uses these callbacks, `netdev_priv()` returns `struct bonding` instead of the expected tunnel struct, causing type confusion and invalid memory access. The kernel can hit `BUG()` in `pskb_expand_head()` and crash (KASAN reports invalid opcode).

Fix: Introduce bonding-specific wrapper `bond_header_ops` that delegates to the active slave’s `header_ops` while using the slave device so `netdev_priv()` points to the correct private data. The fix is implemented in bonding driver commits listed below.
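As an added illustration (not kernel code and not the actual fix commits), the following userspace model shows why a directly copied `header_ops` confuses `netdev_priv()` and how a bond-specific wrapper that delegates with the slave device avoids it. The struct layouts, the `kind` tag used to make the confusion observable, and `bond_build_header()` are simplifications assumed here.

```c
#include <string.h>

enum priv_kind { PRIV_BOND = 1, PRIV_GRE = 2 };  /* model-only tag to detect confusion */

struct net_device;
struct header_ops {
    int (*create)(struct net_device *dev, unsigned char *buf, size_t len);
};
struct net_device {
    const struct header_ops *header_ops;
    void *priv;                  /* what netdev_priv(dev) returns */
};
struct ip_tunnel { enum priv_kind kind; unsigned char saddr[4]; unsigned char daddr[4]; };
struct bonding   { enum priv_kind kind; struct net_device *curr_active_slave; };

static void *netdev_priv(struct net_device *dev) { return dev->priv; }

/* Model of ipgre_header(): trusts that netdev_priv(dev) is an ip_tunnel. */
static int ipgre_header(struct net_device *dev, unsigned char *buf, size_t len)
{
    struct ip_tunnel *t = netdev_priv(dev);
    if (t->kind != PRIV_GRE)     /* the kernel has no such check and crashes */
        return -1;               /* the model reports the type confusion instead */
    if (len < 8) return -1;
    memcpy(buf, t->saddr, 4);
    memcpy(buf + 4, t->daddr, 4);
    return 8;
}
static const struct header_ops ipgre_header_ops = { .create = ipgre_header };

/* Fixed shape: bond-specific wrapper that delegates with the slave device,
 * so the slave callback's netdev_priv() sees the slave's own private data. */
static int bond_header_create(struct net_device *dev, unsigned char *buf, size_t len)
{
    struct bonding *bond = netdev_priv(dev);
    struct net_device *slave = bond->curr_active_slave;
    if (!slave || !slave->header_ops) return -1;
    return slave->header_ops->create(slave, buf, len);
}
static const struct header_ops bond_header_ops = { .create = bond_header_create };

/* Build a header via bond1 whose active slave is gre1. fixed=0 copies the
 * slave's header_ops onto the bond (vulnerable); fixed=1 uses the wrapper. */
int bond_build_header(int fixed, unsigned char *buf, size_t len)
{
    struct ip_tunnel gre_priv = { PRIV_GRE, { 10, 0, 0, 1 }, { 10, 0, 0, 2 } };
    struct net_device gre1 = { &ipgre_header_ops, &gre_priv };
    struct bonding bond_priv = { PRIV_BOND, &gre1 };
    struct net_device bond1 = { fixed ? &bond_header_ops : gre1.header_ops, &bond_priv };
    return bond1.header_ops->create(&bond1, buf, len);
}
```

With `fixed=0` the GRE callback reads `struct bonding` as if it were `struct ip_tunnel`, which the model reports as -1 (the kernel instead dereferences garbage and hits `BUG()`); with `fixed=1` the wrapper passes the slave device and the header is built from the tunnel's addresses.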

## Reproduction Steps
1. Build/run a kernel without the fix (bonding driver vulnerable).
2. Create a dummy and GRE device, then enslave GRE to a bond:
   ```bash
   ip link add dummy0 type dummy
   ip addr add 10.0.0.1/24 dev dummy0
   ip link set dummy0 up

   ip link add gre1 type gre local 10.0.0.1
   ip link add bond1 type bond mode active-backup
   ip link set gre1 master bond1
   ip link set gre1 up
   ip link set bond1 up

   ip addr add fe80::1/64 dev bond1
   ```
3. Trigger traffic that causes `dev_hard_header()` to be called on `bond1`.

## Expected vs Vulnerable Behavior
- **Expected**: Bond device should safely build L2 headers using the active slave’s `header_ops` and private data.
- **Vulnerable**: Type confusion in `header_ops` callbacks (e.g., `ipgre_header()`), leading to invalid memory access and kernel crash.

## Indicators of Success
- Kernel BUG/Oops similar to:
  - `kernel BUG at net/core/skbuff.c:2306` in `pskb_expand_head()`
  - Stack trace showing `ipgre_header()` / `dev_hard_header()`

## References
- https://nvd.nist.gov/vuln/detail/CVE-2026-43456
- https://git.kernel.org/stable/c/6ac890f1d60ac3707ee8dae15a67d9a833e49956
- https://git.kernel.org/stable/c/950803f7254721c1c15858fbbfae3deaaeeecb11
- https://git.kernel.org/stable/c/95597d11dc8bddb2b9a051c9232000bfbb5e43ba
- https://git.kernel.org/stable/c/9baf26a91565b7bb2b1d9f99aaf884a2b28c2f6d

## Metadata

- Product: linux:linux kernel
- Severity: medium
- Status: open
