mirror of
https://mirrors.bfsu.edu.cn/git/linux.git
synced 2024-12-29 14:05:19 +08:00
0c49ae7a8d
[ Upstream commitb93c6a911a] When I do fuzz test for bonding device interface, I got the following use-after-free Calltrace: ================================================================== BUG: KASAN: use-after-free in bond_enslave+0x1521/0x24f0 Read of size 8 at addr ffff88825bc11c00 by task ifenslave/7365 CPU: 5 PID: 7365 Comm: ifenslave Tainted: G E 5.15.0-rc1+ #13 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1 04/01/2014 Call Trace: dump_stack_lvl+0x6c/0x8b print_address_description.constprop.0+0x48/0x70 kasan_report.cold+0x82/0xdb __asan_load8+0x69/0x90 bond_enslave+0x1521/0x24f0 bond_do_ioctl+0x3e0/0x450 dev_ifsioc+0x2ba/0x970 dev_ioctl+0x112/0x710 sock_do_ioctl+0x118/0x1b0 sock_ioctl+0x2e0/0x490 __x64_sys_ioctl+0x118/0x150 do_syscall_64+0x35/0xb0 entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x7f19159cf577 Code: b3 66 90 48 8b 05 11 89 2c 00 64 c7 00 26 00 00 00 48 c7 c0 ff ff ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 78 RSP: 002b:00007ffeb3083c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 00007ffeb3084bca RCX: 00007f19159cf577 RDX: 00007ffeb3083ce0 RSI: 0000000000008990 RDI: 0000000000000003 RBP: 00007ffeb3084bc4 R08: 0000000000000040 R09: 0000000000000000 R10: 00007ffeb3084bc0 R11: 0000000000000246 R12: 00007ffeb3083ce0 R13: 0000000000000000 R14: 0000000000000000 R15: 00007ffeb3083cb0 Allocated by task 7365: kasan_save_stack+0x23/0x50 __kasan_kmalloc+0x83/0xa0 kmem_cache_alloc_trace+0x22e/0x470 bond_enslave+0x2e1/0x24f0 bond_do_ioctl+0x3e0/0x450 dev_ifsioc+0x2ba/0x970 dev_ioctl+0x112/0x710 sock_do_ioctl+0x118/0x1b0 sock_ioctl+0x2e0/0x490 __x64_sys_ioctl+0x118/0x150 do_syscall_64+0x35/0xb0 entry_SYSCALL_64_after_hwframe+0x44/0xae Freed by task 7365: kasan_save_stack+0x23/0x50 kasan_set_track+0x20/0x30 kasan_set_free_info+0x24/0x40 __kasan_slab_free+0xf2/0x130 kfree+0xd1/0x5c0 slave_kobj_release+0x61/0x90 kobject_put+0x102/0x180 bond_sysfs_slave_add+0x7a/0xa0 bond_enslave+0x11b6/0x24f0 bond_do_ioctl+0x3e0/0x450 dev_ifsioc+0x2ba/0x970 dev_ioctl+0x112/0x710 sock_do_ioctl+0x118/0x1b0 sock_ioctl+0x2e0/0x490 __x64_sys_ioctl+0x118/0x150 do_syscall_64+0x35/0xb0 entry_SYSCALL_64_after_hwframe+0x44/0xae Last potentially related work creation: kasan_save_stack+0x23/0x50 kasan_record_aux_stack+0xb7/0xd0 insert_work+0x43/0x190 __queue_work+0x2e3/0x970 delayed_work_timer_fn+0x3e/0x50 call_timer_fn+0x148/0x470 run_timer_softirq+0x8a8/0xc50 __do_softirq+0x107/0x55f Second to last potentially related work creation: kasan_save_stack+0x23/0x50 kasan_record_aux_stack+0xb7/0xd0 insert_work+0x43/0x190 __queue_work+0x2e3/0x970 __queue_delayed_work+0x130/0x180 queue_delayed_work_on+0xa7/0xb0 bond_enslave+0xe25/0x24f0 bond_do_ioctl+0x3e0/0x450 dev_ifsioc+0x2ba/0x970 dev_ioctl+0x112/0x710 sock_do_ioctl+0x118/0x1b0 sock_ioctl+0x2e0/0x490 __x64_sys_ioctl+0x118/0x150 do_syscall_64+0x35/0xb0 entry_SYSCALL_64_after_hwframe+0x44/0xae The buggy address belongs to the object at ffff88825bc11c00 which belongs to the cache kmalloc-1k of size 1024 The buggy address is located 0 bytes inside of 1024-byte region [ffff88825bc11c00, ffff88825bc12000) The buggy address belongs to the page: page:ffffea00096f0400 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x25bc10 head:ffffea00096f0400 order:3 compound_mapcount:0 compound_pincount:0 flags: 0x57ff00000010200(slab|head|node=1|zone=2|lastcpupid=0x7ff) raw: 057ff00000010200 ffffea0009a71c08 ffff888240001968 ffff88810004dbc0 raw: 0000000000000000 00000000000a000a 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff88825bc11b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff88825bc11b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff88825bc11c00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff88825bc11c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff88825bc11d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== Put new_slave in bond_sysfs_slave_add() will cause use-after-free problems when new_slave is accessed in the subsequent error handling process. Since new_slave will be put in the subsequent error handling process, remove the unnecessary put to fix it. In addition, when sysfs_create_file() fails, if some files have been crea- ted successfully, we need to call sysfs_remove_file() to remove them. Since there are sysfs_create_files() & sysfs_remove_files() can be used, use these two functions instead. Fixes:7afcaec496(bonding: use kobject_put instead of _del after kobject_add) Signed-off-by: Huang Guobin <huangguobin4@huawei.com> Reviewed-by: Jakub Kicinski <kuba@kernel.org> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Sasha Levin <sashal@kernel.org>
147 lines
3.6 KiB
C
147 lines
3.6 KiB
C
// SPDX-License-Identifier: GPL-2.0-or-later
|
|
/* Sysfs attributes of bond slaves
|
|
*
|
|
* Copyright (c) 2014 Scott Feldman <sfeldma@cumulusnetworks.com>
|
|
*/
|
|
|
|
#include <linux/capability.h>
|
|
#include <linux/kernel.h>
|
|
#include <linux/netdevice.h>
|
|
|
|
#include <net/bonding.h>
|
|
|
|
struct slave_attribute {
|
|
struct attribute attr;
|
|
ssize_t (*show)(struct slave *, char *);
|
|
};
|
|
|
|
#define SLAVE_ATTR(_name, _mode, _show) \
|
|
const struct slave_attribute slave_attr_##_name = { \
|
|
.attr = {.name = __stringify(_name), \
|
|
.mode = _mode }, \
|
|
.show = _show, \
|
|
};
|
|
#define SLAVE_ATTR_RO(_name) \
|
|
SLAVE_ATTR(_name, 0444, _name##_show)
|
|
|
|
static ssize_t state_show(struct slave *slave, char *buf)
|
|
{
|
|
switch (bond_slave_state(slave)) {
|
|
case BOND_STATE_ACTIVE:
|
|
return sprintf(buf, "active\n");
|
|
case BOND_STATE_BACKUP:
|
|
return sprintf(buf, "backup\n");
|
|
default:
|
|
return sprintf(buf, "UNKNOWN\n");
|
|
}
|
|
}
|
|
static SLAVE_ATTR_RO(state);
|
|
|
|
static ssize_t mii_status_show(struct slave *slave, char *buf)
|
|
{
|
|
return sprintf(buf, "%s\n", bond_slave_link_status(slave->link));
|
|
}
|
|
static SLAVE_ATTR_RO(mii_status);
|
|
|
|
static ssize_t link_failure_count_show(struct slave *slave, char *buf)
|
|
{
|
|
return sprintf(buf, "%d\n", slave->link_failure_count);
|
|
}
|
|
static SLAVE_ATTR_RO(link_failure_count);
|
|
|
|
static ssize_t perm_hwaddr_show(struct slave *slave, char *buf)
|
|
{
|
|
return sprintf(buf, "%*phC\n",
|
|
slave->dev->addr_len,
|
|
slave->perm_hwaddr);
|
|
}
|
|
static SLAVE_ATTR_RO(perm_hwaddr);
|
|
|
|
static ssize_t queue_id_show(struct slave *slave, char *buf)
|
|
{
|
|
return sprintf(buf, "%d\n", slave->queue_id);
|
|
}
|
|
static SLAVE_ATTR_RO(queue_id);
|
|
|
|
static ssize_t ad_aggregator_id_show(struct slave *slave, char *buf)
|
|
{
|
|
const struct aggregator *agg;
|
|
|
|
if (BOND_MODE(slave->bond) == BOND_MODE_8023AD) {
|
|
agg = SLAVE_AD_INFO(slave)->port.aggregator;
|
|
if (agg)
|
|
return sprintf(buf, "%d\n",
|
|
agg->aggregator_identifier);
|
|
}
|
|
|
|
return sprintf(buf, "N/A\n");
|
|
}
|
|
static SLAVE_ATTR_RO(ad_aggregator_id);
|
|
|
|
static ssize_t ad_actor_oper_port_state_show(struct slave *slave, char *buf)
|
|
{
|
|
const struct port *ad_port;
|
|
|
|
if (BOND_MODE(slave->bond) == BOND_MODE_8023AD) {
|
|
ad_port = &SLAVE_AD_INFO(slave)->port;
|
|
if (ad_port->aggregator)
|
|
return sprintf(buf, "%u\n",
|
|
ad_port->actor_oper_port_state);
|
|
}
|
|
|
|
return sprintf(buf, "N/A\n");
|
|
}
|
|
static SLAVE_ATTR_RO(ad_actor_oper_port_state);
|
|
|
|
static ssize_t ad_partner_oper_port_state_show(struct slave *slave, char *buf)
|
|
{
|
|
const struct port *ad_port;
|
|
|
|
if (BOND_MODE(slave->bond) == BOND_MODE_8023AD) {
|
|
ad_port = &SLAVE_AD_INFO(slave)->port;
|
|
if (ad_port->aggregator)
|
|
return sprintf(buf, "%u\n",
|
|
ad_port->partner_oper.port_state);
|
|
}
|
|
|
|
return sprintf(buf, "N/A\n");
|
|
}
|
|
static SLAVE_ATTR_RO(ad_partner_oper_port_state);
|
|
|
|
static const struct attribute *slave_attrs[] = {
|
|
&slave_attr_state.attr,
|
|
&slave_attr_mii_status.attr,
|
|
&slave_attr_link_failure_count.attr,
|
|
&slave_attr_perm_hwaddr.attr,
|
|
&slave_attr_queue_id.attr,
|
|
&slave_attr_ad_aggregator_id.attr,
|
|
&slave_attr_ad_actor_oper_port_state.attr,
|
|
&slave_attr_ad_partner_oper_port_state.attr,
|
|
NULL
|
|
};
|
|
|
|
#define to_slave_attr(_at) container_of(_at, struct slave_attribute, attr)
|
|
|
|
static ssize_t slave_show(struct kobject *kobj,
|
|
struct attribute *attr, char *buf)
|
|
{
|
|
struct slave_attribute *slave_attr = to_slave_attr(attr);
|
|
struct slave *slave = to_slave(kobj);
|
|
|
|
return slave_attr->show(slave, buf);
|
|
}
|
|
|
|
const struct sysfs_ops slave_sysfs_ops = {
|
|
.show = slave_show,
|
|
};
|
|
|
|
int bond_sysfs_slave_add(struct slave *slave)
|
|
{
|
|
return sysfs_create_files(&slave->kobj, slave_attrs);
|
|
}
|
|
|
|
void bond_sysfs_slave_del(struct slave *slave)
|
|
{
|
|
sysfs_remove_files(&slave->kobj, slave_attrs);
|
|
}
|