Re: [PATCH] net-sysfs: fix NULL pointer dereference

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Qasim Ijaz <qasdev00@gmail.com>
To: Antoine Tenart <atenart@kernel.org>
Cc: davem@davemloft.net, edumazet@google.com, kuba@kernel.org,
	pabeni@redhat.com, horms@kernel.org, jdamato@fastly.com,
	aleksander.lobakin@intel.com, netdev@vger.kernel.org,
	linux-kernel@vger.kernel.org
Subject: Re: [PATCH] net-sysfs: fix NULL pointer dereference
Date: Sat, 8 Mar 2025 12:43:39 +0000	[thread overview]
Message-ID: <Z8w7ezFX3T01ptjH@qasdev.system> (raw)

On Thu, Mar 06, 2025 at 09:12:44AM +0100, Antoine Tenart wrote:
> Quoting Qasim Ijaz (2025-03-06 00:53:07)
> > Commit <79c61899b5ee> introduces a potential NULL pointer dereference 
> > in the sysfs_rtnl_lock() function when initialising kn:
> > 
> >         kn = sysfs_break_active_protection(kobj, attr);
> >         
> > The commit overlooks the fact that sysfs_break_active_protection can 
> > return NULL if kernfs_find_and_get() fails to find and get the kernfs_node 
> > with the given name. 
> 
> If it fails to get it, should we let sysfs_rtnl_lock continue is
> execution?

Hi Antoine, I think I may have misunderstood the code. Yes I do think it
would probably be better to end the function if
sysfs_break_active_protection fails. 

> 
> > Later on the code calls sysfs_unbreak_active_protection(kn) 
> > unconditionally, which could lead to a NULL pointer dereference.
> > 
> > Resolve this bug by introducing a NULL check before using kn
> > in the sysfs_unbreak_active_protection() call.
> 
> Did you see this in practice? Can you describe what led to this?

I have not seen this in practise but I think in terms of defensive
programming it could be a good addition to add a check to see if it
fails. If a function can return NULL then we should check for that, also
if we look at sysfs_break_active_protection being used throughout the
kernel there is multiple NULL checks so I think adding one here would be
handy. 

If you agree would you like me to send another patch where I check for
failure and end execution right away?

Thanks,
Qasim
> 
> Thanks!
> Antoine
> 
> > Signed-off-by: Qasim Ijaz <qasdev00@gmail.com>
> > Fixes: 79c61899b5ee ("net-sysfs: remove rtnl_trylock from device attributes")
> > ---
> >  net/core/net-sysfs.c | 3 ++-
> >  1 file changed, 2 insertions(+), 1 deletion(-)
> > 
> > diff --git a/net/core/net-sysfs.c b/net/core/net-sysfs.c
> > index 8d9dc048a548..c5085588e536 100644
> > --- a/net/core/net-sysfs.c
> > +++ b/net/core/net-sysfs.c
> > @@ -117,7 +117,8 @@ static int sysfs_rtnl_lock(struct kobject *kobj, struct attribute *attr,
> >          * the rtnl lock.
> >          */
> >  unbreak:
> > -       sysfs_unbreak_active_protection(kn);
> > +       if (kn)
> > +               sysfs_unbreak_active_protection(kn);
> >         dev_put(ndev);
> >  
> >         return ret;
> > -- 
> > 2.39.5
> > 
> >
>

next             reply	other threads:[~2025-03-08 12:44 UTC|newest]

Thread overview: 4+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2025-03-08 12:43 Qasim Ijaz [this message]
2025-03-10 16:29 ` [PATCH] net-sysfs: fix NULL pointer dereference Antoine Tenart
  -- strict thread matches above, loose matches on Subject: below --
2025-03-05 23:53 Qasim Ijaz
2025-03-06  8:12 ` Antoine Tenart

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=Z8w7ezFX3T01ptjH@qasdev.system \
    --to=qasdev00@gmail.com \
    --cc=174124876418.4824.8589202932419197412@kwain \
    --cc=aleksander.lobakin@intel.com \
    --cc=atenart@kernel.org \
    --cc=davem@davemloft.net \
    --cc=edumazet@google.com \
    --cc=horms@kernel.org \
    --cc=jdamato@fastly.com \
    --cc=kuba@kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=netdev@vger.kernel.org \
    --cc=pabeni@redhat.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.