From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Eric Dumazet <edumazet@google.com>,
syzbot <syzkaller@googlegroups.com>,
Mahesh Bandewar <maheshb@google.com>,
Jakub Kicinski <jakub.kicinski@netronome.com>,
Sasha Levin <sashal@kernel.org>,
netdev@vger.kernel.org
Subject: [PATCH AUTOSEL 4.14 17/25] bonding: fix potential NULL deref in bond_update_slave_arr
Date: Fri, 25 Oct 2019 09:57:05 -0400 [thread overview]
Message-ID: <20191025135715.25468-17-sashal@kernel.org> (raw)
In-Reply-To: <20191025135715.25468-1-sashal@kernel.org>
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit a7137534b597b7c303203e6bc3ed87e87a273bb8 ]
syzbot got a NULL dereference in bond_update_slave_arr() [1],
happening after a failure to allocate bond->slave_arr
A workqueue (bond_slave_arr_handler) is supposed to retry
the allocation later, but if the slave is removed before
the workqueue had a chance to complete, bond->slave_arr
can still be NULL.
[1]
Failed to build slave-array.
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] SMP KASAN PTI
Modules linked in:
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:bond_update_slave_arr.cold+0xc6/0x198 drivers/net/bonding/bond_main.c:4039
RSP: 0018:ffff88018fe33678 EFLAGS: 00010246
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffc9000290b000
RDX: 0000000000000000 RSI: ffffffff82b63037 RDI: ffff88019745ea20
RBP: ffff88018fe33760 R08: ffff880170754280 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: ffff88019745ea00 R14: 0000000000000000 R15: ffff88018fe338b0
FS: 00007febd837d700(0000) GS:ffff8801dad00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000004540a0 CR3: 00000001c242e005 CR4: 00000000001626f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
[<ffffffff82b5b45e>] __bond_release_one+0x43e/0x500 drivers/net/bonding/bond_main.c:1923
[<ffffffff82b5b966>] bond_release drivers/net/bonding/bond_main.c:2039 [inline]
[<ffffffff82b5b966>] bond_do_ioctl+0x416/0x870 drivers/net/bonding/bond_main.c:3562
[<ffffffff83ae25f4>] dev_ifsioc+0x6f4/0x940 net/core/dev_ioctl.c:328
[<ffffffff83ae2e58>] dev_ioctl+0x1b8/0xc70 net/core/dev_ioctl.c:495
[<ffffffff83995ffd>] sock_do_ioctl+0x1bd/0x300 net/socket.c:1088
[<ffffffff83996a80>] sock_ioctl+0x300/0x5d0 net/socket.c:1196
[<ffffffff81b124db>] vfs_ioctl fs/ioctl.c:47 [inline]
[<ffffffff81b124db>] file_ioctl fs/ioctl.c:501 [inline]
[<ffffffff81b124db>] do_vfs_ioctl+0xacb/0x1300 fs/ioctl.c:688
[<ffffffff81b12dc6>] SYSC_ioctl fs/ioctl.c:705 [inline]
[<ffffffff81b12dc6>] SyS_ioctl+0xb6/0xe0 fs/ioctl.c:696
[<ffffffff8101ccc8>] do_syscall_64+0x528/0x770 arch/x86/entry/common.c:305
[<ffffffff84400091>] entry_SYSCALL_64_after_hwframe+0x42/0xb7
Fixes: ee6377147409 ("bonding: Simplify the xmit function for modes that use xmit_hash")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Cc: Mahesh Bandewar <maheshb@google.com>
Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/bonding/bond_main.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
index c1eeba1906fdb..1cc4c99aa504b 100644
--- a/drivers/net/bonding/bond_main.c
+++ b/drivers/net/bonding/bond_main.c
@@ -3992,7 +3992,7 @@ int bond_update_slave_arr(struct bonding *bond, struct slave *skipslave)
* this to-be-skipped slave to send a packet out.
*/
old_arr = rtnl_dereference(bond->slave_arr);
- for (idx = 0; idx < old_arr->count; idx++) {
+ for (idx = 0; old_arr != NULL && idx < old_arr->count; idx++) {
if (skipslave == old_arr->arr[idx]) {
old_arr->arr[idx] =
old_arr->arr[old_arr->count-1];
--
2.20.1
next prev parent reply other threads:[~2019-10-25 13:57 UTC|newest]
Thread overview: 25+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-10-25 13:56 [PATCH AUTOSEL 4.14 01/25] PCI/ASPM: Do not initialize link state when aspm_disabled is set Sasha Levin
2019-10-25 13:56 ` [PATCH AUTOSEL 4.14 02/25] HID: i2c-hid: Add Odys Winbook 13 to descriptor override Sasha Levin
2019-10-25 13:56 ` [PATCH AUTOSEL 4.14 03/25] ACPI: video: Use vendor backlight on Sony VPCEH3U1E Sasha Levin
2019-10-25 13:56 ` [PATCH AUTOSEL 4.14 04/25] Fixed https://bugzilla.kernel.org/show_bug.cgi?id=202935 allow write on the same file Sasha Levin
2019-10-25 13:56 ` [PATCH AUTOSEL 4.14 05/25] nvme-pci: fix conflicting p2p resource adds Sasha Levin
2019-10-25 13:56 ` [PATCH AUTOSEL 4.14 06/25] scsi: qedf: Do not retry ELS request if qedf_alloc_cmd fails Sasha Levin
2019-10-25 13:56 ` [PATCH AUTOSEL 4.14 07/25] driver core: platform: Fix the usage of platform device name(pdev->name) Sasha Levin
2019-10-25 13:56 ` [PATCH AUTOSEL 4.14 08/25] powerpc/pseries/hvconsole: Fix stack overread via udbg Sasha Levin
2019-10-25 13:56 ` [PATCH AUTOSEL 4.14 09/25] scsi: RDMA/srp: Fix a sleep-in-invalid-context bug Sasha Levin
2019-10-25 13:56 ` [PATCH AUTOSEL 4.14 10/25] drm/msm: stop abusing dma_map/unmap for cache Sasha Levin
2019-10-25 13:56 ` [PATCH AUTOSEL 4.14 11/25] drm/msm: Use the correct dma_sync calls in msm_gem Sasha Levin
2019-10-25 13:57 ` [PATCH AUTOSEL 4.14 12/25] sch_netem: fix rcu splat in netem_enqueue() Sasha Levin
2019-10-25 13:57 ` [PATCH AUTOSEL 4.14 13/25] rxrpc: Fix call ref leak Sasha Levin
2019-10-25 13:57 ` [PATCH AUTOSEL 4.14 14/25] llc: fix sk_buff leak in llc_sap_state_process() Sasha Levin
2019-10-25 13:57 ` [PATCH AUTOSEL 4.14 15/25] llc: fix sk_buff leak in llc_conn_service() Sasha Levin
2019-10-25 13:57 ` [PATCH AUTOSEL 4.14 16/25] NFC: pn533: fix use-after-free and memleaks Sasha Levin
2019-10-25 13:57 ` Sasha Levin [this message]
2019-10-25 13:57 ` [PATCH AUTOSEL 4.14 18/25] net: usb: sr9800: fix uninitialized local variable Sasha Levin
2019-10-25 13:57 ` [PATCH AUTOSEL 4.14 19/25] jbd2: flush_descriptor(): Do not decrease buffer head's ref count Sasha Levin
2019-10-25 13:57 ` [PATCH AUTOSEL 4.14 20/25] ath9k: dynack: fix possible deadlock in ath_dynack_node_{de}init Sasha Levin
2019-10-25 13:57 ` [PATCH AUTOSEL 4.14 21/25] Btrfs: fix hang when loading existing inode cache off disk Sasha Levin
2019-10-25 13:57 ` [PATCH AUTOSEL 4.14 22/25] ubi: ubi_wl_get_peb: Increase the number of attempts while getting PEB Sasha Levin
2019-10-25 13:57 ` [PATCH AUTOSEL 4.14 23/25] RDMA/iwcm: Fix a lock inversion issue Sasha Levin
2019-10-25 13:57 ` [PATCH AUTOSEL 4.14 24/25] ipv6: Handle race in addrconf_dad_work Sasha Levin
2019-10-25 13:57 ` [PATCH AUTOSEL 4.14 25/25] bdi: Do not use freezable workqueue Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20191025135715.25468-17-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=edumazet@google.com \
--cc=jakub.kicinski@netronome.com \
--cc=linux-kernel@vger.kernel.org \
--cc=maheshb@google.com \
--cc=netdev@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=syzkaller@googlegroups.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox