| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <59607f35-f9af-47f3-bbb2-cf9e4ddee391@gmail.com>
Date: Tue, 22 Jun 2021 19:53:03 +0200
From: Eric Dumazet <eric.dumazet@...il.com>
To: zhudi <zhudi21@...wei.com>, j.vosburgh@...il.com,
vfalico@...il.com, kuba@...nel.org, davem@...emloft.net
Cc: netdev@...r.kernel.org, rose.chen@...wei.com
Subject: Re: [PATCH] bonding: avoid adding slave device with IFF_MASTER flag
On 6/22/21 5:09 AM, zhudi wrote:
> From: Di Zhu <zhudi21@...wei.com>
>
> The following steps will definitely cause the kernel to crash:
> ip link add vrf1 type vrf table 1
> modprobe bonding.ko max_bonds=1
> echo "+vrf1" >/sys/class/net/bond0/bonding/slaves
> rmmod bonding
>
> The root cause is that: When the VRF is added to the slave device,
> it will fail, and some cleaning work will be done. because VRF device
> has IFF_MASTER flag, cleanup process will not clear the IFF_BONDING flag.
> Then, when we unload the bonding module, unregister_netdevice_notifier()
> will treat the VRF device as a bond master device and treat netdev_priv()
> as struct bonding{} which actually is struct net_vrf{}.
>
> By analyzing the processing logic of bond_enslave(), it seems that
> it is not allowed to add the slave device with the IFF_MASTER flag, so
> we need to add a code check for this situation.
>
> Signed-off-by: Di Zhu <zhudi21@...wei.com>
> ---
> drivers/net/bonding/bond_main.c | 6 ++++++
> 1 file changed, 6 insertions(+)
>
> diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
> index c5a646d06102..16840c9bc00d 100644
> --- a/drivers/net/bonding/bond_main.c
> +++ b/drivers/net/bonding/bond_main.c
> @@ -1601,6 +1601,12 @@ int bond_enslave(struct net_device *bond_dev, struct net_device *slave_dev,
> int link_reporting;
> int res = 0, i;
>
> + if (slave_dev->flags & IFF_MASTER) {
Missing NL_SET_ERR_MSG( ?
> + netdev_err(bond_dev,
> + "Error: Device with IFF_MASTER cannot be enslaved\n");
> + return -EPERM;
> + }
> +
> if (!bond->params.use_carrier &&
> slave_dev->ethtool_ops->get_link == NULL &&
> slave_ops->ndo_do_ioctl == NULL) {
>
This is strange, can you tell us why we keep the following lines after your patch ?
if (bond_dev == slave_dev) {
NL_SET_ERR_MSG(extack, "Cannot enslave bond to itself.");
netdev_err(bond_dev, "cannot enslave bond to itself.\n");
return -EPERM;
}
I was under the impression that a stack of bonding devices was allowed.
Powered by blists - more mailing lists