net-sysfs: fix NULL pointer dereference

Message ID	20250305235307.14829-1-qasdev00@gmail.com (mailing list archive)
State	New
Delegated to:	Netdev Maintainers
Headers	show Received: from mail-wm1-f48.google.com (mail-wm1-f48.google.com [209.85.128.48]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 0C315207A2A; Wed, 5 Mar 2025 23:53:48 +0000 (UTC) From: Qasim Ijaz <qasdev00@gmail.com> To: davem@davemloft.net, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com, horms@kernel.org, atenart@kernel.org, jdamato@fastly.com, aleksander.lobakin@intel.com Cc: netdev@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [PATCH] net-sysfs: fix NULL pointer dereference Date: Wed, 5 Mar 2025 23:53:07 +0000 Message-Id: <20250305235307.14829-1-qasdev00@gmail.com> Precedence: bulk MIME-Version: 1.0 Content-Transfer-Encoding: 8bit
Series	net-sysfs: fix NULL pointer dereference \| expand net-sysfs: fix NULL pointer dereference

Message ID

20250305235307.14829-1-qasdev00@gmail.com (mailing list archive)

State

New

Delegated to:

Netdev Maintainers

Headers

From: Qasim Ijaz <qasdev00@gmail.com>
To: davem@davemloft.net,
	edumazet@google.com,
	kuba@kernel.org,
	pabeni@redhat.com,
	horms@kernel.org,
	atenart@kernel.org,
	jdamato@fastly.com,
	aleksander.lobakin@intel.com
Cc: netdev@vger.kernel.org,
	linux-kernel@vger.kernel.org
Subject: [PATCH] net-sysfs: fix NULL pointer dereference
Date: Wed,  5 Mar 2025 23:53:07 +0000
Message-Id: <20250305235307.14829-1-qasdev00@gmail.com>
Precedence: bulk
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

Series

net-sysfs: fix NULL pointer dereference | expand

Context	Check	Description
netdev/series_format	warning	Single patches do not need cover letters; Target tree name not specified in the subject
netdev/tree_selection	success	Guessed tree name to be net-next
netdev/ynl	success	Generated files up to date; no warnings/errors; no diff in generated;
netdev/fixes_present	success	Fixes tag not required for -next series
netdev/header_inline	success	No static functions without inline keyword in header files
netdev/build_32bit	success	Errors and warnings before: 0 this patch: 0
netdev/build_tools	success	No tools touched, skip
netdev/cc_maintainers	success	CCed 6 of 6 maintainers
netdev/build_clang	success	Errors and warnings before: 0 this patch: 0
netdev/verify_signedoff	success	Signed-off-by tag matches author and committer
netdev/deprecated_api	success	None detected
netdev/check_selftest	success	No net selftest shell script
netdev/verify_fixes	success	Fixes tag looks correct
netdev/build_allmodconfig_warn	success	Errors and warnings before: 0 this patch: 0
netdev/checkpatch	success	total: 0 errors, 0 warnings, 0 checks, 9 lines checked
netdev/build_clang_rust	success	No Rust files in patch. Skipping build
netdev/kdoc	success	Errors and warnings before: 0 this patch: 0
netdev/source_inline	success	Was 0 now: 0
netdev/contest	success	net-next-2025-03-06--03-00 (tests: 894)

Context

Check

Description

netdev/series_format

warning

Single patches do not need cover letters; Target tree name not specified in the subject

netdev/tree_selection

success

Guessed tree name to be net-next

netdev/ynl

success

Generated files up to date; no warnings/errors; no diff in generated;

netdev/fixes_present

success

Fixes tag not required for -next series

netdev/header_inline

success

No static functions without inline keyword in header files

netdev/build_32bit

success

Errors and warnings before: 0 this patch: 0

netdev/build_tools

success

No tools touched, skip

netdev/cc_maintainers

success

CCed 6 of 6 maintainers

netdev/build_clang

success

Errors and warnings before: 0 this patch: 0

netdev/verify_signedoff

success

Signed-off-by tag matches author and committer

netdev/deprecated_api

success

None detected

netdev/check_selftest

success

No net selftest shell script

netdev/verify_fixes

success

Fixes tag looks correct

netdev/build_allmodconfig_warn

success

Errors and warnings before: 0 this patch: 0

netdev/checkpatch

success

total: 0 errors, 0 warnings, 0 checks, 9 lines checked

netdev/build_clang_rust

success

No Rust files in patch. Skipping build

netdev/kdoc

success

Errors and warnings before: 0 this patch: 0

netdev/source_inline

success

Was 0 now: 0

netdev/contest

success

net-next-2025-03-06--03-00 (tests: 894)

Commit Message

Qasim Ijaz March 5, 2025, 11:53 p.m. UTC

Commit <79c61899b5ee> introduces a potential NULL pointer dereference 
in the sysfs_rtnl_lock() function when initialising kn:

	kn = sysfs_break_active_protection(kobj, attr);
	
The commit overlooks the fact that sysfs_break_active_protection can 
return NULL if kernfs_find_and_get() fails to find and get the kernfs_node 
with the given name. 

Later on the code calls sysfs_unbreak_active_protection(kn) 
unconditionally, which could lead to a NULL pointer dereference.

Resolve this bug by introducing a NULL check before using kn
in the sysfs_unbreak_active_protection() call.

Signed-off-by: Qasim Ijaz <qasdev00@gmail.com>
Fixes: 79c61899b5ee ("net-sysfs: remove rtnl_trylock from device attributes")
---
 net/core/net-sysfs.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

Comments

Antoine Tenart March 6, 2025, 8:12 a.m. UTC | #1

Quoting Qasim Ijaz (2025-03-06 00:53:07)
> Commit <79c61899b5ee> introduces a potential NULL pointer dereference 
> in the sysfs_rtnl_lock() function when initialising kn:
> 
>         kn = sysfs_break_active_protection(kobj, attr);
>         
> The commit overlooks the fact that sysfs_break_active_protection can 
> return NULL if kernfs_find_and_get() fails to find and get the kernfs_node 
> with the given name. 

If it fails to get it, should we let sysfs_rtnl_lock continue is
execution?

> Later on the code calls sysfs_unbreak_active_protection(kn) 
> unconditionally, which could lead to a NULL pointer dereference.
> 
> Resolve this bug by introducing a NULL check before using kn
> in the sysfs_unbreak_active_protection() call.

Did you see this in practice? Can you describe what led to this?

Thanks!
Antoine

> Signed-off-by: Qasim Ijaz <qasdev00@gmail.com>
> Fixes: 79c61899b5ee ("net-sysfs: remove rtnl_trylock from device attributes")
> ---
>  net/core/net-sysfs.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/net/core/net-sysfs.c b/net/core/net-sysfs.c
> index 8d9dc048a548..c5085588e536 100644
> --- a/net/core/net-sysfs.c
> +++ b/net/core/net-sysfs.c
> @@ -117,7 +117,8 @@ static int sysfs_rtnl_lock(struct kobject *kobj, struct attribute *attr,
>          * the rtnl lock.
>          */
>  unbreak:
> -       sysfs_unbreak_active_protection(kn);
> +       if (kn)
> +               sysfs_unbreak_active_protection(kn);
>         dev_put(ndev);
>  
>         return ret;
> -- 
> 2.39.5
> 
>

diff --git a/net/core/net-sysfs.c b/net/core/net-sysfs.c
index 8d9dc048a548..c5085588e536 100644
--- a/net/core/net-sysfs.c
+++ b/net/core/net-sysfs.c
@@ -117,7 +117,8 @@  static int sysfs_rtnl_lock(struct kobject *kobj, struct attribute *attr,
 	 * the rtnl lock.
 	 */
 unbreak:
-	sysfs_unbreak_active_protection(kn);
+	if (kn)
+		sysfs_unbreak_active_protection(kn);
 	dev_put(ndev);
 
 	return ret;

net-sysfs: fix NULL pointer dereference

Checks

Commit Message

Comments

Patch