net: bonding: fix use-after-free after 802.3ad slave unbind
Yevhen Orlov authored
commit 050133e1 upstream.

commit 0622cab0 ("bonding: fix 802.3ad aggregator reselection")
resolves the case when there are several aggregation groups in the same
bond. bond_3ad_unbind_slave will invalidate (clear) the aggregator when
__agg_active_ports returns zero. So, ad_clear_agg can be executed even when
num_of_ports!=0. Then bond_3ad_unbind_slave can be executed again for a
previously cleared aggregator. NOTE: at this time bond_3ad_unbind_slave
will not update the slave ports list, because lag_ports==NULL. So, here we
got slave ports pointing to freed aggregator memory.

Fix by checking the actual number of ports in the group (as was done before
commit 0622cab0 ("bonding: fix 802.3ad aggregator reselection")),
before ad_clear_agg().

The KASAN logs are as follows:

[  767.617392] ==================================================================
[  767.630776] BUG: KASAN: use-after-free in bond_3ad_state_machine_handler+0x...
89382528
Name Last commit Last update
Documentation iio: adc: vf610: fix conversion mode sysfs node name
LICENSES LICENSES: Rename other to deprecated
arch s390: remove unneeded 'select BUILD_BIN2C'
block block: fix bio_clone_blkg_association() to associate with proper blkcg_gq
certs certs/blacklist_hashes.c: fix const confusion in certs blacklist
crypto crypto: drbg - make reseeding from get_random_bytes() synchronous
drivers net: bonding: fix use-after-free after 802.3ad slave unbind
fs afs: Fix dynamic root getattr
include linux/dim: Fix divide by 0 in RDMA DIM
init random: handle latent entropy and command line from random_init()
ipc ipc/mqueue: use get_tree_nodev() in mqueue_get_tree()
kernel kexec_file: drop weak attribute from arch_kexec_apply_relocations[_add]
lib random: remove ratelimiting for in-kernel unseeded randomness
mm random: move randomize_page() into mm where it belongs
net net/sched: act_api: Notify user space if any actions were flushed before error
samples samples/kretprobes: Fix return value if register_kretprobe() failed
scripts modpost: fix section mismatch check for exported init/exit sections
security efi: Do not import certificates from UEFI Secure Boot for T2 Macs
sound ALSA: hda/realtek: Add quirk for Clevo PD70PNT
tools selftests/net: pass ipv6_args to udpgso_bench's IPv6 TCP test
usr initramfs: restore default compression behavior
virt KVM: Prevent module exit until all VMs are freed
.clang-format clang-format: Update with the latest for_each macro list
.cocciconfig scripts: add Linux .cocciconfig for coccinelle
.get_maintainer.ignore Opt out of scripts/get_maintainer.pl
.gitattributes
.gitignore
.mailmap
COPYING
CREDITS
Kbuild
Kconfig
MAINTAINERS
Makefile
README
Linux kernel
============

There are several guides for kernel developers and users. These guides can
be rendered in a number of formats, like HTML and PDF. Please read
Documentation/admin-guide/README.rst first.

In order to build the documentation, use ``make htmldocs`` or
``make pdfdocs``.  The formatted documentation can also be read online at:

    https://www.kernel.org/doc/html/latest/

There are various text files in the Documentation/ subdirectory,
several of them using the Restructured Text markup notation.

Please read the Documentation/process/changes.rst file, as it contains the
requirements for building and running the kernel, and information about
the problems which may result from upgrading your kernel.