From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: Jamie Iles <jamie@nuviainc.com>
Cc: netdev@vger.kernel.org, Qiushi Wu <wu000273@umn.edu>,
Jay Vosburgh <j.vosburgh@gmail.com>,
Veaceslav Falico <vfalico@gmail.com>,
Andy Gospodarek <andy@greyhouse.net>
Subject: Re: [PATCHv3] bonding: wait for sysfs kobject destruction before freeing struct slave
Date: Fri, 20 Nov 2020 16:39:51 +0100 [thread overview]
Message-ID: <X7fjR8ZB6BVwKS++@kroah.com> (raw)
In-Reply-To: <20201120142827.879226-1-jamie@nuviainc.com>
On Fri, Nov 20, 2020 at 02:28:27PM +0000, Jamie Iles wrote:
> syzkaller found that with CONFIG_DEBUG_KOBJECT_RELEASE=y, releasing a
> struct slave device could result in the following splat:
>
> kobject: 'bonding_slave' (00000000cecdd4fe): kobject_release, parent 0000000074ceb2b2 (delayed 1000)
> bond0 (unregistering): (slave bond_slave_1): Releasing backup interface
> ------------[ cut here ]------------
> ODEBUG: free active (active state 0) object type: timer_list hint: workqueue_select_cpu_near kernel/workqueue.c:1549 [inline]
> ODEBUG: free active (active state 0) object type: timer_list hint: delayed_work_timer_fn+0x0/0x98 kernel/workqueue.c:1600
> WARNING: CPU: 1 PID: 842 at lib/debugobjects.c:485 debug_print_object+0x180/0x240 lib/debugobjects.c:485
> Kernel panic - not syncing: panic_on_warn set ...
> CPU: 1 PID: 842 Comm: kworker/u4:4 Tainted: G S 5.9.0-rc8+ #96
> Hardware name: linux,dummy-virt (DT)
> Workqueue: netns cleanup_net
> Call trace:
> dump_backtrace+0x0/0x4d8 include/linux/bitmap.h:239
> show_stack+0x34/0x48 arch/arm64/kernel/traps.c:142
> __dump_stack lib/dump_stack.c:77 [inline]
> dump_stack+0x174/0x1f8 lib/dump_stack.c:118
> panic+0x360/0x7a0 kernel/panic.c:231
> __warn+0x244/0x2ec kernel/panic.c:600
> report_bug+0x240/0x398 lib/bug.c:198
> bug_handler+0x50/0xc0 arch/arm64/kernel/traps.c:974
> call_break_hook+0x160/0x1d8 arch/arm64/kernel/debug-monitors.c:322
> brk_handler+0x30/0xc0 arch/arm64/kernel/debug-monitors.c:329
> do_debug_exception+0x184/0x340 arch/arm64/mm/fault.c:864
> el1_dbg+0x48/0xb0 arch/arm64/kernel/entry-common.c:65
> el1_sync_handler+0x170/0x1c8 arch/arm64/kernel/entry-common.c:93
> el1_sync+0x80/0x100 arch/arm64/kernel/entry.S:594
> debug_print_object+0x180/0x240 lib/debugobjects.c:485
> __debug_check_no_obj_freed lib/debugobjects.c:967 [inline]
> debug_check_no_obj_freed+0x200/0x430 lib/debugobjects.c:998
> slab_free_hook mm/slub.c:1536 [inline]
> slab_free_freelist_hook+0x190/0x210 mm/slub.c:1577
> slab_free mm/slub.c:3138 [inline]
> kfree+0x13c/0x460 mm/slub.c:4119
> bond_free_slave+0x8c/0xf8 drivers/net/bonding/bond_main.c:1492
> __bond_release_one+0xe0c/0xec8 drivers/net/bonding/bond_main.c:2190
> bond_slave_netdev_event drivers/net/bonding/bond_main.c:3309 [inline]
> bond_netdev_event+0x8f0/0xa70 drivers/net/bonding/bond_main.c:3420
> notifier_call_chain+0xf0/0x200 kernel/notifier.c:83
> __raw_notifier_call_chain kernel/notifier.c:361 [inline]
> raw_notifier_call_chain+0x44/0x58 kernel/notifier.c:368
> call_netdevice_notifiers_info+0xbc/0x150 net/core/dev.c:2033
> call_netdevice_notifiers_extack net/core/dev.c:2045 [inline]
> call_netdevice_notifiers net/core/dev.c:2059 [inline]
> rollback_registered_many+0x6a4/0xec0 net/core/dev.c:9347
> unregister_netdevice_many.part.0+0x2c/0x1c0 net/core/dev.c:10509
> unregister_netdevice_many net/core/dev.c:10508 [inline]
> default_device_exit_batch+0x294/0x338 net/core/dev.c:10992
> ops_exit_list.isra.0+0xec/0x150 net/core/net_namespace.c:189
> cleanup_net+0x44c/0x888 net/core/net_namespace.c:603
> process_one_work+0x96c/0x18c0 kernel/workqueue.c:2269
> worker_thread+0x3f0/0xc30 kernel/workqueue.c:2415
> kthread+0x390/0x498 kernel/kthread.c:292
> ret_from_fork+0x10/0x18 arch/arm64/kernel/entry.S:925
>
> This is a potential use-after-free if the sysfs nodes are being accessed
> whilst removing the struct slave, so wait for the object destruction to
> complete before freeing the struct slave itself.
>
> Fixes: 07699f9a7c8d ("bonding: add sysfs /slave dir for bond slave devices.")
> Fixes: a068aab42258 ("bonding: Fix reference count leak in bond_sysfs_slave_add.")
> Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> Cc: Qiushi Wu <wu000273@umn.edu>
> Cc: Jay Vosburgh <j.vosburgh@gmail.com>
> Cc: Veaceslav Falico <vfalico@gmail.com>
> Cc: Andy Gospodarek <andy@greyhouse.net>
> Signed-off-by: Jamie Iles <jamie@nuviainc.com>
> ---
> v3:
> - have a single object lifecycle in the struct slave and remove the
> explicit deallocation and defer that to the kobject
Nice, it looks like it should have always been done this way!
Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
next prev parent reply other threads:[~2020-11-20 15:39 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-11-05 8:41 [RESEND PATCH] bonding: wait for sysfs kobject destruction before freeing struct slave Jamie Iles
2020-11-05 12:49 ` Eric Dumazet
2020-11-05 18:11 ` Jamie Iles
2020-11-06 16:17 ` Eric Dumazet
2020-11-13 17:12 ` [PATCHv2] " Jamie Iles
2020-11-17 20:34 ` Jakub Kicinski
2020-11-18 7:58 ` Greg Kroah-Hartman
2020-11-20 14:28 ` [PATCHv3] " Jamie Iles
2020-11-20 15:39 ` Greg Kroah-Hartman [this message]
2020-11-21 21:09 ` Jakub Kicinski
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=X7fjR8ZB6BVwKS++@kroah.com \
--to=gregkh@linuxfoundation.org \
--cc=andy@greyhouse.net \
--cc=j.vosburgh@gmail.com \
--cc=jamie@nuviainc.com \
--cc=netdev@vger.kernel.org \
--cc=vfalico@gmail.com \
--cc=wu000273@umn.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.