| From 90306b14c3e88b5f3175978539cf7e566a3b7e7f Mon Sep 17 00:00:00 2001 |
| From: Sasha Levin <sashal@kernel.org> |
| Date: Mon, 17 May 2021 16:13:35 +0200 |
| Subject: bonding: init notify_work earlier to avoid uninitialized use |
| |
| From: Johannes Berg <johannes.berg@intel.com> |
| |
| [ Upstream commit 35d96e631860226d5dc4de0fad0a415362ec2457 ] |
| |
| If bond_kobj_init() or later kzalloc() in bond_alloc_slave() fail, |
| then we call kobject_put() on the slave->kobj. This in turn calls |
| the release function slave_kobj_release() which will always try to |
| cancel_delayed_work_sync(&slave->notify_work), which shouldn't be |
| done on an uninitialized work struct. |
| |
| Always initialize the work struct earlier to avoid problems here. |
| |
| Syzbot bisected this down to a completely pointless commit, some |
| fault injection may have been at work here that caused the alloc |
| failure in the first place, which may interact badly with bisect. |
| |
| Reported-by: syzbot+bfda097c12a00c8cae67@syzkaller.appspotmail.com |
| Signed-off-by: Johannes Berg <johannes.berg@intel.com> |
| Acked-by: Jay Vosburgh <jay.vosburgh@canonical.com> |
| Signed-off-by: David S. Miller <davem@davemloft.net> |
| Signed-off-by: Sasha Levin <sashal@kernel.org> |
| --- |
| drivers/net/bonding/bond_main.c | 2 +- |
| 1 file changed, 1 insertion(+), 1 deletion(-) |
| |
| diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c |
| index 74cbbb22470b..fa4bf727a48d 100644 |
| --- a/drivers/net/bonding/bond_main.c |
| +++ b/drivers/net/bonding/bond_main.c |
| @@ -1526,6 +1526,7 @@ static struct slave *bond_alloc_slave(struct bonding *bond, |
| |
| slave->bond = bond; |
| slave->dev = slave_dev; |
| + INIT_DELAYED_WORK(&slave->notify_work, bond_netdev_notify_work); |
| |
| if (bond_kobj_init(slave)) |
| return NULL; |
| @@ -1538,7 +1539,6 @@ static struct slave *bond_alloc_slave(struct bonding *bond, |
| return NULL; |
| } |
| } |
| - INIT_DELAYED_WORK(&slave->notify_work, bond_netdev_notify_work); |
| |
| return slave; |
| } |
| -- |
| 2.30.2 |
| |