From: Jay Vosburgh <jay.vosburgh@canonical.com>
To: Johannes Berg <johannes@sipsolutions.net>
Cc: netdev@vger.kernel.org, Veaceslav Falico <vfalico@gmail.com>,
Andy Gospodarek <andy@greyhouse.net>,
Johannes Berg <johannes.berg@intel.com>,
syzbot+bfda097c12a00c8cae67@syzkaller.appspotmail.com
Subject: Re: [PATCH] bonding: init notify_work earlier to avoid uninitialized use
Date: Mon, 17 May 2021 08:39:59 -0700 [thread overview]
Message-ID: <29235.1621265999@famine> (raw)
In-Reply-To: <20210517161335.e40fea7f895a.I8b8487a9c0b8f54716cf44fdae02185381b1f64e@changeid>
Johannes Berg <johannes@sipsolutions.net> wrote:
>From: Johannes Berg <johannes.berg@intel.com>
>
>If bond_kobj_init() or later kzalloc() in bond_alloc_slave() fail,
>then we call kobject_put() on the slave->kobj. This in turn calls
>the release function slave_kobj_release() which will always try to
>cancel_delayed_work_sync(&slave->notify_work), which shouldn't be
>done on an uninitialized work struct.
>
>Always initialize the work struct earlier to avoid problems here.
>
>Syzbot bisected this down to a completely pointless commit, some
>fault injection may have been at work here that caused the alloc
>failure in the first place, which may interact badly with bisect.
>
>Reported-by: syzbot+bfda097c12a00c8cae67@syzkaller.appspotmail.com
>Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Acked-by: Jay Vosburgh <jay.vosburgh@canonical.com>
>---
> drivers/net/bonding/bond_main.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
>diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
>index 20bbda1b36e1..c5a646d06102 100644
>--- a/drivers/net/bonding/bond_main.c
>+++ b/drivers/net/bonding/bond_main.c
>@@ -1526,6 +1526,7 @@ static struct slave *bond_alloc_slave(struct bonding *bond,
>
> slave->bond = bond;
> slave->dev = slave_dev;
>+ INIT_DELAYED_WORK(&slave->notify_work, bond_netdev_notify_work);
>
> if (bond_kobj_init(slave))
> return NULL;
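Review bot: moving INIT_DELAYED_WORK() ahead of the bond_kobj_init() call is the right place, because this is the first point at which the failure path can drop the kobject reference and run slave_kobj_release(), which unconditionally calls cancel_delayed_work_sync(&slave->notify_work). The zeroed memory from kzalloc() is not a substitute for initialization here: cancel_delayed_work_sync() expects the timer and annotation state that only INIT_DELAYED_WORK() sets up, so any release before this line would operate on garbage. Since the work is now initialized before the kobject exists, nothing can have queued it when the error-path release runs, so the cancel is a harmless no-op there.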
>@@ -1538,7 +1539,6 @@ static struct slave *bond_alloc_slave(struct bonding *bond,
> return NULL;
> }
> }
>- INIT_DELAYED_WORK(&slave->notify_work, bond_netdev_notify_work);
>
> return slave;
> }
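Review bot: deleting the trailing INIT_DELAYED_WORK() leaves a single initialization point, and from the visible context no path reaches `return slave;` without having passed the new early init, so this is a pure move rather than a lost initialization; keep it as a removal (a second INIT_DELAYED_WORK() on an already-initialized work would be wrong). Since this repairs a real error-path bug hit by syzbot, the commit message would benefit from a `Fixes:` tag naming the commit that introduced the kobject release path, so stable trees pick it up; the message above carries only Reported-by and Signed-off-by.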
>--
>2.31.1
>
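The ordering bug the patch fixes, as an added userspace model that is not kernel code and not part of the bonding driver or this patch: a refcounted object whose release callback cancels a delayed work item, allocated under two init orders, the old one (init after the last failure point) and the new one (init before the first failure point). The `delayed_work`, `kobj_init`, `slave_put` and fault-injection knobs are constructed stand-ins; the real `cancel_delayed_work_sync()` dereferences timer and lockdep state that only `INIT_DELAYED_WORK()` sets up, which this model replaces with a magic-number check so the misuse can be counted.

```c
/* Added example: userspace model of the init-order bug in bond_alloc_slave().
 * Not kernel code; all names below are constructed stand-ins. */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

#define WORK_MAGIC 0x574f524bu /* "WORK": set only by init_delayed_work() */

struct delayed_work {
	unsigned int magic;   /* stands in for timer/lockdep state INIT_DELAYED_WORK() sets up */
	bool pending;
	void (*fn)(struct delayed_work *);
};

struct slave {
	int refcount;                    /* stands in for slave->kobj's reference count */
	struct delayed_work notify_work;
	void *priv;                      /* stands in for the later kzalloc() in bond_alloc_slave() */
};

/* How many times a release ran cancel on a work that was never initialised. */
static int uninit_cancel_count;

/* Fault-injection knobs (constructed, in the spirit of syzbot's fault injection). */
static bool fail_kobj_init, fail_priv_alloc;

static void init_delayed_work(struct delayed_work *w, void (*fn)(struct delayed_work *))
{
	w->magic = WORK_MAGIC;
	w->pending = false;
	w->fn = fn;
}

/* Model of cancel_delayed_work_sync(): the real one touches state that only
 * init_delayed_work() prepared; here the misuse is recorded instead of crashing. */
static bool cancel_delayed_work_sync(struct delayed_work *w)
{
	if (w->magic != WORK_MAGIC) {
		uninit_cancel_count++;
		return false;
	}
	bool was_pending = w->pending;
	w->pending = false;
	return was_pending;
}

static void notify_work_fn(struct delayed_work *w) { (void)w; }

/* Model of slave_kobj_release(): always cancels the work, then frees. */
static void slave_release(struct slave *s)
{
	cancel_delayed_work_sync(&s->notify_work);
	free(s->priv);
	free(s);
}

static void slave_put(struct slave *s)
{
	if (--s->refcount == 0)
		slave_release(s);
}

/* Model of bond_kobj_init(): takes the initial reference and, on failure,
 * drops it (assumption: the real helper puts the kobject on its own error path). */
static int kobj_init(struct slave *s)
{
	s->refcount = 1;
	if (fail_kobj_init) {
		slave_put(s);
		return -1;
	}
	return 0;
}

/* init_early=false reproduces the old order, init_early=true the patched order. */
static struct slave *alloc_slave(bool init_early)
{
	struct slave *s = calloc(1, sizeof(*s)); /* kzalloc(): zeroed, but zero != initialised */
	if (!s)
		return NULL;
	if (init_early)
		init_delayed_work(&s->notify_work, notify_work_fn);
	if (kobj_init(s))
		return NULL;                      /* kobj_init() already released s */
	s->priv = fail_priv_alloc ? NULL : malloc(16);
	if (!s->priv) {
		slave_put(s);                     /* release runs here, work may be uninitialised */
		return NULL;
	}
	if (!init_early)
		init_delayed_work(&s->notify_work, notify_work_fn);
	return s;
}

/* Runs one scenario; returns the number of releases that hit an uninitialised work. */
static int run_scenario(bool init_early, bool kobj_fails, bool alloc_fails)
{
	uninit_cancel_count = 0;
	fail_kobj_init = kobj_fails;
	fail_priv_alloc = alloc_fails;
	struct slave *s = alloc_slave(init_early);
	if (s)
		slave_put(s); /* normal teardown path */
	return uninit_cancel_count;
}

int main(void)
{
	printf("old order, kobj_init fails:  %d bad cancels\n", run_scenario(false, true, false));
	printf("old order, kzalloc fails:    %d bad cancels\n", run_scenario(false, false, true));
	printf("new order, kobj_init fails:  %d bad cancels\n", run_scenario(true, true, false));
	printf("new order, kzalloc fails:    %d bad cancels\n", run_scenario(true, false, true));
	return 0;
}
```

With the old order both injected failures drive the release callback into cancel on a never-initialised work, which is exactly the case the commit message describes; with the patched order the same failures produce a clean no-op cancel, and the success path is unaffected either way.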
Thread overview: 3+ messages
2021-05-17 14:13 [PATCH] bonding: init notify_work earlier to avoid uninitialized use Johannes Berg
2021-05-17 15:39 ` Jay Vosburgh [this message]
2021-05-17 22:30 ` patchwork-bot+netdevbpf