Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Message-ID: <d3454aa3-a502-d02d-be4e-e6393eed026b@linux.ibm.com>
Date:   Tue, 2 Nov 2021 08:59:39 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101
 Thunderbird/91.2.0
Subject: Re: [PATCH -next] bonding: Fix a use-after-free problem when
 bond_sysfs_slave_add() failed
Content-Language: en-US
To:     huangguobin <huangguobin4@huawei.com>
Cc:     "netdev@vger.kernel.org" <netdev@vger.kernel.org>,
        "linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>
References: <1635777273-46028-1-git-send-email-huangguobin4@huawei.com>
 <d6cd47b1-3b46-fc44-3a8d-b2444af527e6@linux.ibm.com>
 <5c02fbac130941a1a8578965975116b5@huawei.com>
From:   Julian Wiedmann <jwi@linux.ibm.com>
In-Reply-To: <5c02fbac130941a1a8578965975116b5@huawei.com>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit
MIME-Version: 1.0
Precedence: bulk

On 02.11.21 03:55, huangguobin wrote:
> I think bond_sysfs_slave_del should not be used in the error handling process, because bond_sysfs_slave_del will traverse all slave_attrs and release them. When sysfs_create_file fails, only some attributes may be created successfully.

[please don't top-post]

The suggestion was to use sysfs_create_files(), which would handle such rollback
internally. There was no mention of using bond_sysfs_slave_del().

ie. something like the following (untested):

diff --git a/drivers/net/bonding/bond_sysfs_slave.c b/drivers/net/bonding/bond_sysfs_slave.c
index fd07561da034..a1fd4bc0b0d2 100644
--- a/drivers/net/bonding/bond_sysfs_slave.c
+++ b/drivers/net/bonding/bond_sysfs_slave.c
@@ -108,15 +108,15 @@ static ssize_t ad_partner_oper_port_state_show(struct slave *slave, char *buf)
 }
 static SLAVE_ATTR_RO(ad_partner_oper_port_state);
 
-static const struct slave_attribute *slave_attrs[] = {
-       &slave_attr_state,
-       &slave_attr_mii_status,
-       &slave_attr_link_failure_count,
-       &slave_attr_perm_hwaddr,
-       &slave_attr_queue_id,
-       &slave_attr_ad_aggregator_id,
-       &slave_attr_ad_actor_oper_port_state,
-       &slave_attr_ad_partner_oper_port_state,
+static const struct attribute *slave_attrs[] = {
+       &slave_attr_state.attr,
+       &slave_attr_mii_status.attr,
+       &slave_attr_link_failure_count.attr,
+       &slave_attr_perm_hwaddr.attr,
+       &slave_attr_queue_id.attr,
+       &slave_attr_ad_aggregator_id.attr,
+       &slave_attr_ad_actor_oper_port_state.attr,
+       &slave_attr_ad_partner_oper_port_state.attr,
        NULL
 };
 
@@ -137,24 +137,16 @@ const struct sysfs_ops slave_sysfs_ops = {
 
 int bond_sysfs_slave_add(struct slave *slave)
 {
-       const struct slave_attribute **a;
        int err;
 
-       for (a = slave_attrs; *a; ++a) {
-               err = sysfs_create_file(&slave->kobj, &((*a)->attr));
-               if (err) {
-                       kobject_put(&slave->kobj);
-                       return err;
-               }
-       }
+       err = sysfs_create_files(&slave->kobj, slave_attrs);
+       if (err)
+               kobject_put(&slave->kobj);
 
-       return 0;
+       return err;
 }
 
 void bond_sysfs_slave_del(struct slave *slave)
 {
-       const struct slave_attribute **a;
-
-       for (a = slave_attrs; *a; ++a)
-               sysfs_remove_file(&slave->kobj, &((*a)->attr));
+       sysfs_remove_files(&slave->kobj, slave_attrs);
 }


> -----Original Message-----
> From: Julian Wiedmann [mailto:jwi@linux.ibm.com] 
> Sent: Tuesday, November 2, 2021 3:31 AM
> To: huangguobin <huangguobin4@huawei.com>; j.vosburgh@gmail.com; vfalico@gmail.com; andy@greyhouse.net; davem@davemloft.net; kuba@kernel.org
> Cc: netdev@vger.kernel.org; linux-kernel@vger.kernel.org
> Subject: Re: [PATCH -next] bonding: Fix a use-after-free problem when bond_sysfs_slave_add() failed
> 
> On 01.11.21 15:34, Huang Guobin wrote:
>> When I do fuzz test for bonding device interface, I got the following 
>> use-after-free Calltrace:
>>
> 
> [...]
> 
>> Fixes: 7afcaec49696 (bonding: use kobject_put instead of _del after 
>> kobject_add)
>> Signed-off-by: Huang Guobin <huangguobin4@huawei.com>
>> ---
>>  drivers/net/bonding/bond_sysfs_slave.c | 11 ++++++++---
>>  1 file changed, 8 insertions(+), 3 deletions(-)
>>
>> diff --git a/drivers/net/bonding/bond_sysfs_slave.c 
>> b/drivers/net/bonding/bond_sysfs_slave.c
>> index fd07561..d1a5b3f 100644
>> --- a/drivers/net/bonding/bond_sysfs_slave.c
>> +++ b/drivers/net/bonding/bond_sysfs_slave.c
>> @@ -137,18 +137,23 @@ static ssize_t slave_show(struct kobject *kobj,
>>  
>>  int bond_sysfs_slave_add(struct slave *slave)  {
>> -	const struct slave_attribute **a;
>> +	const struct slave_attribute **a, **b;
>>  	int err;
>>  
>>  	for (a = slave_attrs; *a; ++a) {
>>  		err = sysfs_create_file(&slave->kobj, &((*a)->attr));
>>  		if (err) {
>> -			kobject_put(&slave->kobj);
>> -			return err;
>> +			goto err_remove_file;
>>  		}
>>  	}
>>  
>>  	return 0;
>> +
>> +err_remove_file:
>> +	for (b = slave_attrs; b < a; ++b)
>> +		sysfs_remove_file(&slave->kobj, &((*b)->attr));
>> +
>> +	return err;
>>  }
>>  
> 
> This looks like a candidate for sysfs_create_files(), no?
> 
>>  void bond_sysfs_slave_del(struct slave *slave)
>>
>