From: Jay Vosburgh <jay.vosburgh@canonical.com>
To: Yevhen Orlov <yevhen.orlov@plvision.eu>
Cc: netdev@vger.kernel.org,
Volodymyr Mytnyk <volodymyr.mytnyk@plvision.eu>,
Taras Chornyi <taras.chornyi@plvision.eu>,
Mickey Rachamim <mickeyr@marvell.com>,
Serhiy Pshyk <serhiy.pshyk@plvision.eu>,
Maksym Glubokiy <maksym.glubokiy@plvision.eu>,
Veaceslav Falico <vfalico@gmail.com>,
Andy Gospodarek <andy@greyhouse.net>,
"David S. Miller" <davem@davemloft.net>,
Eric Dumazet <edumazet@google.com>,
Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH net] net: bonding: fix use-after-free after 802.3ad slave unbind
Date: Wed, 29 Jun 2022 11:58:52 -0700 [thread overview]
Message-ID: <30286.1656529132@famine> (raw)
In-Reply-To: <20220629012914.361-1-yevhen.orlov@plvision.eu>
Yevhen Orlov <yevhen.orlov@plvision.eu> wrote:
>commit 0622cab0341c ("bonding: fix 802.3ad aggregator reselection"),
>resolve case, when there is several aggregation groups in the same bond.
>bond_3ad_unbind_slave will invalidate (clear) aggregator when
>__agg_active_ports return zero. So, ad_clear_agg can be executed even, when
>num_of_ports!=0. Than bond_3ad_unbind_slave can be executed again for,
>previously cleared aggregator. NOTE: at this time bond_3ad_unbind_slave
>will not update slave ports list, because lag_ports==NULL. So, here we
>got slave ports, pointing to freed aggregator memory.
>
>Fix with checking actual number of ports in group (as was before
>commit 0622cab0341c ("bonding: fix 802.3ad aggregator reselection") ),
>before ad_clear_agg().
To be clear, what it looks like is going on is that, after
0622cab0341c, we're getting to this point with an aggregator that
contains the port being removed and a non-zero number of inactive ports.
The extant logic is for the "old way" (no inactive ports in an agg), and
presumes that if __agg_active_ports() == 0 then the agg is empty, which
isn't a safe assumption in the current code.
Acked-by: Jay Vosburgh <jay.vosburgh@canonical.com>
-J
>The KASAN logs are as follows:
>
>[ 767.617392] ==================================================================
>[ 767.630776] BUG: KASAN: use-after-free in bond_3ad_state_machine_handler+0x13dc/0x1470
>[ 767.638764] Read of size 2 at addr ffff00011ba9d430 by task kworker/u8:7/767
>[ 767.647361] CPU: 3 PID: 767 Comm: kworker/u8:7 Tainted: G O 5.15.11 #15
>[ 767.655329] Hardware name: DNI AmazonGo1 A7040 board (DT)
>[ 767.660760] Workqueue: lacp_1 bond_3ad_state_machine_handler
>[ 767.666468] Call trace:
>[ 767.668930] dump_backtrace+0x0/0x2d0
>[ 767.672625] show_stack+0x24/0x30
>[ 767.675965] dump_stack_lvl+0x68/0x84
>[ 767.679659] print_address_description.constprop.0+0x74/0x2b8
>[ 767.685451] kasan_report+0x1f0/0x260
>[ 767.689148] __asan_load2+0x94/0xd0
>[ 767.692667] bond_3ad_state_machine_handler+0x13dc/0x1470
>
>Fixes: 0622cab0341c ("bonding: fix 802.3ad aggregator reselection")
>Co-developed-by: Maksym Glubokiy <maksym.glubokiy@plvision.eu>
>Signed-off-by: Maksym Glubokiy <maksym.glubokiy@plvision.eu>
>Signed-off-by: Yevhen Orlov <yevhen.orlov@plvision.eu>
>---
> drivers/net/bonding/bond_3ad.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
>diff --git a/drivers/net/bonding/bond_3ad.c b/drivers/net/bonding/bond_3ad.c
>index a86b1f71762e..d7fb33c078e8 100644
>--- a/drivers/net/bonding/bond_3ad.c
>+++ b/drivers/net/bonding/bond_3ad.c
>@@ -2228,7 +2228,8 @@ void bond_3ad_unbind_slave(struct slave *slave)
> temp_aggregator->num_of_ports--;
> if (__agg_active_ports(temp_aggregator) == 0) {
> select_new_active_agg = temp_aggregator->is_active;
>- ad_clear_agg(temp_aggregator);
>+ if (temp_aggregator->num_of_ports == 0)
>+ ad_clear_agg(temp_aggregator);
> if (select_new_active_agg) {
> slave_info(bond->dev, slave->dev, "Removing an active aggregator\n");
> /* select new active aggregator */
>--
>2.17.1
>
next prev parent reply other threads:[~2022-06-29 18:59 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-06-29 1:29 [PATCH net] net: bonding: fix use-after-free after 802.3ad slave unbind Yevhen Orlov
2022-06-29 18:58 ` Jay Vosburgh [this message]
2022-06-30 4:00 ` patchwork-bot+netdevbpf
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=30286.1656529132@famine \
--to=jay.vosburgh@canonical.com \
--cc=andy@greyhouse.net \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=kuba@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=maksym.glubokiy@plvision.eu \
--cc=mickeyr@marvell.com \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=serhiy.pshyk@plvision.eu \
--cc=taras.chornyi@plvision.eu \
--cc=vfalico@gmail.com \
--cc=volodymyr.mytnyk@plvision.eu \
--cc=yevhen.orlov@plvision.eu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.