Message ID | 1354189079-15754-1-git-send-email-nikolay@redhat.com |
---|---|
State | Accepted, archived |
Delegated to: | David Miller |
Nikolay Aleksandrov <nikolay@redhat.com> wrote: > Race between bonding_store_slaves_active() and slave manipulation > functions. The bond_for_each_slave use in bonding_store_slaves_active() > is not protected by any synchronization mechanism. > NULL pointer dereference is easy to reach. > Fixed by acquiring the bond->lock for the slave walk. > > v2: Make description text < 75 columns > >Signed-off-by: Nikolay Aleksandrov <nikolay@redhat.com> Signed-off-by: Jay Vosburgh <fubar@us.ibm.com> >--- > drivers/net/bonding/bond_sysfs.c | 2 ++ > 1 file changed, 2 insertions(+) > >diff --git a/drivers/net/bonding/bond_sysfs.c b/drivers/net/bonding/bond_sysfs.c >index ef8d2a0..ba4f95b 100644 >--- a/drivers/net/bonding/bond_sysfs.c >+++ b/drivers/net/bonding/bond_sysfs.c >@@ -1582,6 +1582,7 @@ static ssize_t bonding_store_slaves_active(struct device *d, > goto out; > } > >+ read_lock(&bond->lock); > bond_for_each_slave(bond, slave, i) { > if (!bond_is_active_slave(slave)) { > if (new_value) >@@ -1590,6 +1591,7 @@ static ssize_t bonding_store_slaves_active(struct device *d, > slave->inactive = 1; > } > } >+ read_unlock(&bond->lock); > out: > return ret; > } >-- >1.7.11.7 > -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
From: Jay Vosburgh <fubar@us.ibm.com>
Date: Thu, 29 Nov 2012 09:37:56 -0800

> Nikolay Aleksandrov <nikolay@redhat.com> wrote:
>
>> Race between bonding_store_slaves_active() and slave manipulation
>> functions. The bond_for_each_slave use in bonding_store_slaves_active()
>> is not protected by any synchronization mechanism.
>> NULL pointer dereference is easy to reach.
>> Fixed by acquiring the bond->lock for the slave walk.
>>
>> v2: Make description text < 75 columns
>>
>>Signed-off-by: Nikolay Aleksandrov <nikolay@redhat.com>
>
> Signed-off-by: Jay Vosburgh <fubar@us.ibm.com>

Applied.
diff --git a/drivers/net/bonding/bond_sysfs.c b/drivers/net/bonding/bond_sysfs.c index ef8d2a0..ba4f95b 100644 --- a/drivers/net/bonding/bond_sysfs.c +++ b/drivers/net/bonding/bond_sysfs.c @@ -1582,6 +1582,7 @@ static ssize_t bonding_store_slaves_active(struct device *d, goto out; } + read_lock(&bond->lock); bond_for_each_slave(bond, slave, i) { if (!bond_is_active_slave(slave)) { if (new_value) @@ -1590,6 +1591,7 @@ static ssize_t bonding_store_slaves_active(struct device *d, slave->inactive = 1; } } + read_unlock(&bond->lock); out: return ret; }
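Review bot: In the first hunk (@@ -1582), the changelog does not say which "slave manipulation functions" the new read_lock(&bond->lock) is meant to exclude, so a reader cannot confirm from the patch that the read side is sufficient or that the plain (non-_bh) variant matches how the writers take the lock. Naming the racing writer path in the description, and stating that it holds bond->lock for write while changing the slave list, would make the fix verifiable and help anyone backporting it.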
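Review bot: In the second hunk (@@ -1590), the loop body still stores to slave->inactive while only the read side of bond->lock is held, so the lock keeps the list stable during the walk but does not exclude another read-side holder, or a second concurrent store to this attribute, from touching the same field. If those stores are serialised by something outside the visible lines, a short comment above bond_for_each_slave() saying so would help; otherwise the flag update may need stronger protection. The placement of read_unlock() ahead of the out: label is right, since the earlier goto out path never takes the lock.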
Race between bonding_store_slaves_active() and slave manipulation
functions. The bond_for_each_slave use in bonding_store_slaves_active()
is not protected by any synchronization mechanism.
NULL pointer dereference is easy to reach.
Fixed by acquiring the bond->lock for the slave walk.

v2: Make description text < 75 columns

Signed-off-by: Nikolay Aleksandrov <nikolay@redhat.com>
---
 drivers/net/bonding/bond_sysfs.c | 2 ++
 1 file changed, 2 insertions(+)