Patch "bonding: init notify_work earlier to avoid uninitialized use" has been added to the 4.4-stable tree

This is a note to let you know that I've just added the patch titled

    bonding: init notify_work earlier to avoid uninitialized use

to the 4.4-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     bonding-init-notify_work-earlier-to-avoid-uninitiali.patch
and it can be found in the queue-4.4 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit a7a591a05917cc634d8fc88cf235ab24aa35857a
Author: Johannes Berg <johannes.berg@xxxxxxxxx>
Date:   Mon May 17 16:13:35 2021 +0200

    bonding: init notify_work earlier to avoid uninitialized use
    
    [ Upstream commit 35d96e631860226d5dc4de0fad0a415362ec2457 ]
    
    If bond_kobj_init() or later kzalloc() in bond_alloc_slave() fail,
    then we call kobject_put() on the slave->kobj. This in turn calls
    the release function slave_kobj_release() which will always try to
    cancel_delayed_work_sync(&slave->notify_work), which shouldn't be
    done on an uninitialized work struct.
    
    Always initialize the work struct earlier to avoid problems here.
    
    Syzbot bisected this down to a completely pointless commit, some
    fault injection may have been at work here that caused the alloc
    failure in the first place, which may interact badly with bisect.
    
    Reported-by: syzbot+bfda097c12a00c8cae67@xxxxxxxxxxxxxxxxxxxxxxxxx
    Signed-off-by: Johannes Berg <johannes.berg@xxxxxxxxx>
    Acked-by: Jay Vosburgh <jay.vosburgh@xxxxxxxxxxxxx>
    Signed-off-by: David S. Miller <davem@xxxxxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
index a33e8a3b5f0a..d6363ae22052 100644
--- a/drivers/net/bonding/bond_main.c
+++ b/drivers/net/bonding/bond_main.c
@@ -1267,6 +1267,7 @@ static struct slave *bond_alloc_slave(struct bonding *bond,
 
 	slave->bond = bond;
 	slave->dev = slave_dev;
+	INIT_DELAYED_WORK(&slave->notify_work, bond_netdev_notify_work);
 
 	if (bond_kobj_init(slave))
 		return NULL;
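Review bot: the new INIT_DELAYED_WORK() call placed before bond_kobj_init() has no comment saying why it has to sit there. Per the commit message, slave_kobj_release() runs cancel_delayed_work_sync(&slave->notify_work) whenever kobject_put() drops the slave, so the work struct has to be initialized before the kobject exists. A one-line comment above the call stating that ordering requirement would keep a later cleanup from moving it back below the failure paths.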
@@ -1279,7 +1280,6 @@ static struct slave *bond_alloc_slave(struct bonding *bond,
 			return NULL;
 		}
 	}
-	INIT_DELAYED_WORK(&slave->notify_work, bond_netdev_notify_work);
 
 	return slave;
 }
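Review bot: with the late INIT_DELAYED_WORK() removed from just before "return slave;", the value of this change rests entirely on the release path described in the commit message, and that message carries no Fixes: tag naming the commit that made slave_kobj_release() cancel notify_work. For the 4.4 queue it is worth confirming that this tree's release function contains that cancel_delayed_work_sync() call, and adding a Fixes: tag so other stable trees can be matched the same way.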


