From: Julian Wiedmann <jwi@linux.ibm.com>
To: huangguobin <huangguobin4@huawei.com>
Cc: "netdev@vger.kernel.org" <netdev@vger.kernel.org>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH -next] bonding: Fix a use-after-free problem when bond_sysfs_slave_add() failed
Date: Tue, 2 Nov 2021 08:59:39 +0100 [thread overview]
Message-ID: <d3454aa3-a502-d02d-be4e-e6393eed026b@linux.ibm.com> (raw)
In-Reply-To: <5c02fbac130941a1a8578965975116b5@huawei.com>
On 02.11.21 03:55, huangguobin wrote:
> I think bond_sysfs_slave_del should not be used in the error handling process, because bond_sysfs_slave_del will traverse all slave_attrs and release them. When sysfs_create_file fails, only some attributes may be created successfully.
[please don't top-post]
The suggestion was to use sysfs_create_files(), which would handle such rollback
internally. There was no mention of using bond_sysfs_slave_del().
ie. something like the following (untested):
diff --git a/drivers/net/bonding/bond_sysfs_slave.c b/drivers/net/bonding/bond_sysfs_slave.c
index fd07561da034..a1fd4bc0b0d2 100644
--- a/drivers/net/bonding/bond_sysfs_slave.c
+++ b/drivers/net/bonding/bond_sysfs_slave.c
@@ -108,15 +108,15 @@ static ssize_t ad_partner_oper_port_state_show(struct slave *slave, char *buf)
}
static SLAVE_ATTR_RO(ad_partner_oper_port_state);
-static const struct slave_attribute *slave_attrs[] = {
- &slave_attr_state,
- &slave_attr_mii_status,
- &slave_attr_link_failure_count,
- &slave_attr_perm_hwaddr,
- &slave_attr_queue_id,
- &slave_attr_ad_aggregator_id,
- &slave_attr_ad_actor_oper_port_state,
- &slave_attr_ad_partner_oper_port_state,
+static const struct attribute *slave_attrs[] = {
+ &slave_attr_state.attr,
+ &slave_attr_mii_status.attr,
+ &slave_attr_link_failure_count.attr,
+ &slave_attr_perm_hwaddr.attr,
+ &slave_attr_queue_id.attr,
+ &slave_attr_ad_aggregator_id.attr,
+ &slave_attr_ad_actor_oper_port_state.attr,
+ &slave_attr_ad_partner_oper_port_state.attr,
NULL
};
@@ -137,24 +137,16 @@ const struct sysfs_ops slave_sysfs_ops = {
int bond_sysfs_slave_add(struct slave *slave)
{
- const struct slave_attribute **a;
int err;
- for (a = slave_attrs; *a; ++a) {
- err = sysfs_create_file(&slave->kobj, &((*a)->attr));
- if (err) {
- kobject_put(&slave->kobj);
- return err;
- }
- }
+ err = sysfs_create_files(&slave->kobj, slave_attrs);
+ if (err)
+ kobject_put(&slave->kobj);
- return 0;
+ return err;
}
void bond_sysfs_slave_del(struct slave *slave)
{
- const struct slave_attribute **a;
-
- for (a = slave_attrs; *a; ++a)
- sysfs_remove_file(&slave->kobj, &((*a)->attr));
+ sysfs_remove_files(&slave->kobj, slave_attrs);
}
> -----Original Message-----
> From: Julian Wiedmann [mailto:jwi@linux.ibm.com]
> Sent: Tuesday, November 2, 2021 3:31 AM
> To: huangguobin <huangguobin4@huawei.com>; j.vosburgh@gmail.com; vfalico@gmail.com; andy@greyhouse.net; davem@davemloft.net; kuba@kernel.org
> Cc: netdev@vger.kernel.org; linux-kernel@vger.kernel.org
> Subject: Re: [PATCH -next] bonding: Fix a use-after-free problem when bond_sysfs_slave_add() failed
>
> On 01.11.21 15:34, Huang Guobin wrote:
>> When I do fuzz test for bonding device interface, I got the following
>> use-after-free Calltrace:
>>
>
> [...]
>
>> Fixes: 7afcaec49696 (bonding: use kobject_put instead of _del after
>> kobject_add)
>> Signed-off-by: Huang Guobin <huangguobin4@huawei.com>
>> ---
>> drivers/net/bonding/bond_sysfs_slave.c | 11 ++++++++---
>> 1 file changed, 8 insertions(+), 3 deletions(-)
>>
>> diff --git a/drivers/net/bonding/bond_sysfs_slave.c
>> b/drivers/net/bonding/bond_sysfs_slave.c
>> index fd07561..d1a5b3f 100644
>> --- a/drivers/net/bonding/bond_sysfs_slave.c
>> +++ b/drivers/net/bonding/bond_sysfs_slave.c
>> @@ -137,18 +137,23 @@ static ssize_t slave_show(struct kobject *kobj,
>>
>> int bond_sysfs_slave_add(struct slave *slave) {
>> - const struct slave_attribute **a;
>> + const struct slave_attribute **a, **b;
>> int err;
>>
>> for (a = slave_attrs; *a; ++a) {
>> err = sysfs_create_file(&slave->kobj, &((*a)->attr));
>> if (err) {
>> - kobject_put(&slave->kobj);
>> - return err;
>> + goto err_remove_file;
>> }
>> }
>>
>> return 0;
>> +
>> +err_remove_file:
>> + for (b = slave_attrs; b < a; ++b)
>> + sysfs_remove_file(&slave->kobj, &((*b)->attr));
>> +
>> + return err;
>> }
>>
>
> This looks like a candidate for sysfs_create_files(), no?
>
>> void bond_sysfs_slave_del(struct slave *slave)
>>
>
prev parent reply other threads:[~2021-11-02 8:00 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-11-01 14:34 [PATCH -next] bonding: Fix a use-after-free problem when bond_sysfs_slave_add() failed Huang Guobin
2021-11-01 19:30 ` Julian Wiedmann
2021-11-02 2:55 ` huangguobin
2021-11-02 7:59 ` Julian Wiedmann [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=d3454aa3-a502-d02d-be4e-e6393eed026b@linux.ibm.com \
--to=jwi@linux.ibm.com \
--cc=huangguobin4@huawei.com \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.