aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authornikolay@redhat.com <nikolay@redhat.com>2013-05-17 21:18:31 -0400
committerDavid S. Miller <davem@davemloft.net>2013-05-20 02:25:49 -0400
commit318debd897735fe834545b6f3d2e96bcc9210b9f (patch)
tree26c391376d3ee7b7f1d58819f320b31a7dfaf016
parent5a5c5fd48e3bcd57572e9a7a4964ed8f38a20b87 (diff)
bonding: fix multiple 3ad mode sysfs race conditions
When bond_3ad_get_active_agg_info() is used in all show_ad_ functions it is not protected against slave manipulation and since it walks over the slaves and uses them, this can easily result in NULL pointer dereference or use of freed memory. Both the new wrapper and the internal function are exported to the bonding as they're needed in different places. Signed-off-by: Nikolay Aleksandrov <nikolay@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r--drivers/net/bonding/bond_3ad.c21
-rw-r--r--drivers/net/bonding/bond_3ad.h2
-rw-r--r--drivers/net/bonding/bond_procfs.c2
-rw-r--r--drivers/net/bonding/bond_sysfs.c9
4 files changed, 24 insertions, 10 deletions
diff --git a/drivers/net/bonding/bond_3ad.c b/drivers/net/bonding/bond_3ad.c
index fc58d118d844..390061d09693 100644
--- a/drivers/net/bonding/bond_3ad.c
+++ b/drivers/net/bonding/bond_3ad.c
@@ -2360,14 +2360,15 @@ int bond_3ad_set_carrier(struct bonding *bond)
2360} 2360}
2361 2361
2362/** 2362/**
2363 * bond_3ad_get_active_agg_info - get information of the active aggregator 2363 * __bond_3ad_get_active_agg_info - get information of the active aggregator
2364 * @bond: bonding struct to work on 2364 * @bond: bonding struct to work on
2365 * @ad_info: ad_info struct to fill with the bond's info 2365 * @ad_info: ad_info struct to fill with the bond's info
2366 * 2366 *
2367 * Returns: 0 on success 2367 * Returns: 0 on success
2368 * < 0 on error 2368 * < 0 on error
2369 */ 2369 */
2370int bond_3ad_get_active_agg_info(struct bonding *bond, struct ad_info *ad_info) 2370int __bond_3ad_get_active_agg_info(struct bonding *bond,
2371 struct ad_info *ad_info)
2371{ 2372{
2372 struct aggregator *aggregator = NULL; 2373 struct aggregator *aggregator = NULL;
2373 struct port *port; 2374 struct port *port;
@@ -2391,6 +2392,18 @@ int bond_3ad_get_active_agg_info(struct bonding *bond, struct ad_info *ad_info)
2391 return -1; 2392 return -1;
2392} 2393}
2393 2394
2395/* Wrapper used to hold bond->lock so no slave manipulation can occur */
2396int bond_3ad_get_active_agg_info(struct bonding *bond, struct ad_info *ad_info)
2397{
2398 int ret;
2399
2400 read_lock(&bond->lock);
2401 ret = __bond_3ad_get_active_agg_info(bond, ad_info);
2402 read_unlock(&bond->lock);
2403
2404 return ret;
2405}
2406
2394int bond_3ad_xmit_xor(struct sk_buff *skb, struct net_device *dev) 2407int bond_3ad_xmit_xor(struct sk_buff *skb, struct net_device *dev)
2395{ 2408{
2396 struct slave *slave, *start_at; 2409 struct slave *slave, *start_at;
@@ -2402,8 +2415,8 @@ int bond_3ad_xmit_xor(struct sk_buff *skb, struct net_device *dev)
2402 struct ad_info ad_info; 2415 struct ad_info ad_info;
2403 int res = 1; 2416 int res = 1;
2404 2417
2405 if (bond_3ad_get_active_agg_info(bond, &ad_info)) { 2418 if (__bond_3ad_get_active_agg_info(bond, &ad_info)) {
2406 pr_debug("%s: Error: bond_3ad_get_active_agg_info failed\n", 2419 pr_debug("%s: Error: __bond_3ad_get_active_agg_info failed\n",
2407 dev->name); 2420 dev->name);
2408 goto out; 2421 goto out;
2409 } 2422 }
diff --git a/drivers/net/bonding/bond_3ad.h b/drivers/net/bonding/bond_3ad.h
index 0cfaa4afdece..5d91ad0cc041 100644
--- a/drivers/net/bonding/bond_3ad.h
+++ b/drivers/net/bonding/bond_3ad.h
@@ -273,6 +273,8 @@ void bond_3ad_adapter_speed_changed(struct slave *slave);
273void bond_3ad_adapter_duplex_changed(struct slave *slave); 273void bond_3ad_adapter_duplex_changed(struct slave *slave);
274void bond_3ad_handle_link_change(struct slave *slave, char link); 274void bond_3ad_handle_link_change(struct slave *slave, char link);
275int bond_3ad_get_active_agg_info(struct bonding *bond, struct ad_info *ad_info); 275int bond_3ad_get_active_agg_info(struct bonding *bond, struct ad_info *ad_info);
276int __bond_3ad_get_active_agg_info(struct bonding *bond,
277 struct ad_info *ad_info);
276int bond_3ad_xmit_xor(struct sk_buff *skb, struct net_device *dev); 278int bond_3ad_xmit_xor(struct sk_buff *skb, struct net_device *dev);
277int bond_3ad_lacpdu_recv(const struct sk_buff *skb, struct bonding *bond, 279int bond_3ad_lacpdu_recv(const struct sk_buff *skb, struct bonding *bond,
278 struct slave *slave); 280 struct slave *slave);
diff --git a/drivers/net/bonding/bond_procfs.c b/drivers/net/bonding/bond_procfs.c
index 94d06f1307b8..4060d41f0ee7 100644
--- a/drivers/net/bonding/bond_procfs.c
+++ b/drivers/net/bonding/bond_procfs.c
@@ -130,7 +130,7 @@ static void bond_info_show_master(struct seq_file *seq)
130 seq_printf(seq, "Aggregator selection policy (ad_select): %s\n", 130 seq_printf(seq, "Aggregator selection policy (ad_select): %s\n",
131 ad_select_tbl[bond->params.ad_select].modename); 131 ad_select_tbl[bond->params.ad_select].modename);
132 132
133 if (bond_3ad_get_active_agg_info(bond, &ad_info)) { 133 if (__bond_3ad_get_active_agg_info(bond, &ad_info)) {
134 seq_printf(seq, "bond %s has no active aggregator\n", 134 seq_printf(seq, "bond %s has no active aggregator\n",
135 bond->dev->name); 135 bond->dev->name);
136 } else { 136 } else {
diff --git a/drivers/net/bonding/bond_sysfs.c b/drivers/net/bonding/bond_sysfs.c
index 77ea237de900..d7434e0a610e 100644
--- a/drivers/net/bonding/bond_sysfs.c
+++ b/drivers/net/bonding/bond_sysfs.c
@@ -1319,7 +1319,6 @@ static ssize_t bonding_show_mii_status(struct device *d,
1319} 1319}
1320static DEVICE_ATTR(mii_status, S_IRUGO, bonding_show_mii_status, NULL); 1320static DEVICE_ATTR(mii_status, S_IRUGO, bonding_show_mii_status, NULL);
1321 1321
1322
1323/* 1322/*
1324 * Show current 802.3ad aggregator ID. 1323 * Show current 802.3ad aggregator ID.
1325 */ 1324 */
@@ -1333,7 +1332,7 @@ static ssize_t bonding_show_ad_aggregator(struct device *d,
1333 if (bond->params.mode == BOND_MODE_8023AD) { 1332 if (bond->params.mode == BOND_MODE_8023AD) {
1334 struct ad_info ad_info; 1333 struct ad_info ad_info;
1335 count = sprintf(buf, "%d\n", 1334 count = sprintf(buf, "%d\n",
1336 (bond_3ad_get_active_agg_info(bond, &ad_info)) 1335 bond_3ad_get_active_agg_info(bond, &ad_info)
1337 ? 0 : ad_info.aggregator_id); 1336 ? 0 : ad_info.aggregator_id);
1338 } 1337 }
1339 1338
@@ -1355,7 +1354,7 @@ static ssize_t bonding_show_ad_num_ports(struct device *d,
1355 if (bond->params.mode == BOND_MODE_8023AD) { 1354 if (bond->params.mode == BOND_MODE_8023AD) {
1356 struct ad_info ad_info; 1355 struct ad_info ad_info;
1357 count = sprintf(buf, "%d\n", 1356 count = sprintf(buf, "%d\n",
1358 (bond_3ad_get_active_agg_info(bond, &ad_info)) 1357 bond_3ad_get_active_agg_info(bond, &ad_info)
1359 ? 0 : ad_info.ports); 1358 ? 0 : ad_info.ports);
1360 } 1359 }
1361 1360
@@ -1377,7 +1376,7 @@ static ssize_t bonding_show_ad_actor_key(struct device *d,
1377 if (bond->params.mode == BOND_MODE_8023AD) { 1376 if (bond->params.mode == BOND_MODE_8023AD) {
1378 struct ad_info ad_info; 1377 struct ad_info ad_info;
1379 count = sprintf(buf, "%d\n", 1378 count = sprintf(buf, "%d\n",
1380 (bond_3ad_get_active_agg_info(bond, &ad_info)) 1379 bond_3ad_get_active_agg_info(bond, &ad_info)
1381 ? 0 : ad_info.actor_key); 1380 ? 0 : ad_info.actor_key);
1382 } 1381 }
1383 1382
@@ -1399,7 +1398,7 @@ static ssize_t bonding_show_ad_partner_key(struct device *d,
1399 if (bond->params.mode == BOND_MODE_8023AD) { 1398 if (bond->params.mode == BOND_MODE_8023AD) {
1400 struct ad_info ad_info; 1399 struct ad_info ad_info;
1401 count = sprintf(buf, "%d\n", 1400 count = sprintf(buf, "%d\n",
1402 (bond_3ad_get_active_agg_info(bond, &ad_info)) 1401 bond_3ad_get_active_agg_info(bond, &ad_info)
1403 ? 0 : ad_info.partner_key); 1402 ? 0 : ad_info.partner_key);
1404 } 1403 }
1405 1404