Date: Wed, 3 Nov 2021 16:27:10 -0700
From: Jakub Kicinski
To: Huang Guobin
Subject: Re: [PATCH -next v2] bonding: Fix a use-after-free problem when bond_sysfs_slave_add() failed
Message-ID: <20211103162710.74755593@kicinski-fedora-PC1C0HJN>
In-Reply-To: <1635845853-4259-1-git-send-email-huangguobin4@huawei.com>
References: <1635845853-4259-1-git-send-email-huangguobin4@huawei.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, 2 Nov 2021 17:37:33 +0800 Huang Guobin wrote:
> When I did fuzz testing on the bonding device interface, I got the following
> use-after-free Calltrace:
>
> Putting new_slave in bond_sysfs_slave_add() will cause use-after-free problems
> when new_slave is accessed in the subsequent error handling process. Since
> new_slave will be put in the subsequent error handling process, remove the
> unnecessary put to fix it.
>
> In addition, when sysfs_create_file() fails, if some files have been
> created successfully, we need to call sysfs_remove_file() to remove them.
> Since sysfs_create_files() & sysfs_remove_files() can be used,
> use these two functions instead.
>
> Fixes: 7afcaec49696 (bonding: use kobject_put instead of _del after kobject_add)
> Signed-off-by: Huang Guobin

Reviewed-by: Jakub Kicinski
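
Added example, not part of the original message or of the kernel patch: a user-space C model of the two error-path problems the quoted commit message describes, a put inside the add helper followed by the caller's own put, and attribute files left behind after a partial failure. The names obj, obj_put, add_buggy, add_fixed and enslave are hypothetical stand-ins, not the bonding driver's code.

```c
/* User-space model, not kernel code: obj ~ slave kobject, created[] ~ sysfs files. */
#define NATTR 4
struct obj { int refs; int released; int stale_uses; };
static int created[NATTR];

static void obj_put(struct obj *o)
{
    if (o->released) { o->stale_uses++; return; } /* put on a freed object */
    if (--o->refs == 0) o->released = 1;  /* release callback would free it here */
}

/* Pattern the message removes: put on failure, earlier files left behind. */
static int add_buggy(struct obj *o, int fail_at)
{
    for (int i = 0; i < NATTR; i++) {
        if (i == fail_at) { obj_put(o); return -1; }
        created[i] = 1;
    }
    return 0;
}

/* Pattern the message describes as the fix: undo files, caller does the put. */
static int add_fixed(struct obj *o, int fail_at)
{
    (void)o;
    for (int i = 0; i < NATTR; i++) {
        if (i == fail_at) {
            while (--i >= 0) created[i] = 0;
            return -1;
        }
        created[i] = 1;
    }
    return 0;
}

/* Caller's error path: it still reads the object, then does its own put. */
static int enslave(int (*add)(struct obj *, int), int fail_at, int *leftover)
{
    struct obj o = { 1, 0, 0 };
    for (int i = 0; i < NATTR; i++) created[i] = 0;
    if (add(&o, fail_at)) {
        o.stale_uses += o.released;     /* read after release */
        obj_put(&o);
    }
    *leftover = 0;
    for (int i = 0; i < NATTR; i++) *leftover += created[i];
    return o.stale_uses;
}
```

With a failure injected at the third attribute, enslave(add_buggy, 2, &left) reports two stale uses and two leftover files, while enslave(add_fixed, 2, &left) reports none of either.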