| Message ID | 20200811203857.40375-1-william.gray@canonical.com |
|---|---|
| State | New |
| Headers | show |
| Series | [Xenial,CVE-2019-20811,v3] net-sysfs: call dev_hold if kobject_init_and_add success | expand |
Acked-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
On 11/08/2020 21:38, William Breathitt Gray wrote: > From: YueHaibing <yuehaibing@huawei.com> > > In netdev_queue_add_kobject and rx_queue_add_kobject, > if sysfs_create_group failed, kobject_put will call > netdev_queue_release to decrease dev refcont, however > dev_hold has not be called. So we will see this while > unregistering dev: > > unregister_netdevice: waiting for bcsh0 to become free. Usage count = -1 > > Reported-by: Hulk Robot <hulkci@huawei.com> > Fixes: d0d668371679 ("net: don't decrement kobj reference count on init failure") > Signed-off-by: YueHaibing <yuehaibing@huawei.com> > Signed-off-by: David S. Miller <davem@davemloft.net> > > CVE-2019-20811 > > (backported from commit a3e23f719f5c4a38ffb3d30c8d7632a4ed8ccd9e) > [ William Breathitt Gray: context adjustments ] > Signed-off-by: William Breathitt Gray <william.gray@canonical.com> > --- > net/core/net-sysfs.c | 6 ++++-- > 1 file changed, 4 insertions(+), 2 deletions(-) > > diff --git a/net/core/net-sysfs.c b/net/core/net-sysfs.c > index eafcbddae408..b997abf5a60c 100644 > --- a/net/core/net-sysfs.c > +++ b/net/core/net-sysfs.c > @@ -895,6 +895,8 @@ static int rx_queue_add_kobject(struct net_device *dev, int index) > if (error) > goto exit; > > + dev_hold(queue->dev); > + > if (dev->sysfs_rx_queue_group) { > error = sysfs_create_group(kobj, dev->sysfs_rx_queue_group); > if (error) > @@ -902,7 +904,6 @@ static int rx_queue_add_kobject(struct net_device *dev, int index) > } > > kobject_uevent(kobj, KOBJ_ADD); > - dev_hold(queue->dev); > > return error; > exit: > @@ -1291,6 +1292,8 @@ static int netdev_queue_add_kobject(struct net_device *dev, int index) > if (error) > goto exit; > > + dev_hold(queue->dev); > + > #ifdef CONFIG_BQL > error = sysfs_create_group(kobj, &dql_group); > if (error) > @@ -1298,7 +1301,6 @@ static int netdev_queue_add_kobject(struct net_device *dev, int index) > #endif > > kobject_uevent(kobj, KOBJ_ADD); > - dev_hold(queue->dev); > > return 0; > exit: > Thanks William, looks fine to me. Acked-by: Colin Ian King <colin.king@canonical.com>
Applied to Xenial/master-next. Thanks! Ian On 2020-08-11 16:38:57 , William Breathitt Gray wrote: > From: YueHaibing <yuehaibing@huawei.com> > > In netdev_queue_add_kobject and rx_queue_add_kobject, > if sysfs_create_group failed, kobject_put will call > netdev_queue_release to decrease dev refcont, however > dev_hold has not be called. So we will see this while > unregistering dev: > > unregister_netdevice: waiting for bcsh0 to become free. Usage count = -1 > > Reported-by: Hulk Robot <hulkci@huawei.com> > Fixes: d0d668371679 ("net: don't decrement kobj reference count on init failure") > Signed-off-by: YueHaibing <yuehaibing@huawei.com> > Signed-off-by: David S. Miller <davem@davemloft.net> > > CVE-2019-20811 > > (backported from commit a3e23f719f5c4a38ffb3d30c8d7632a4ed8ccd9e) > [ William Breathitt Gray: context adjustments ] > Signed-off-by: William Breathitt Gray <william.gray@canonical.com> > --- > net/core/net-sysfs.c | 6 ++++-- > 1 file changed, 4 insertions(+), 2 deletions(-) > > diff --git a/net/core/net-sysfs.c b/net/core/net-sysfs.c > index eafcbddae408..b997abf5a60c 100644 > --- a/net/core/net-sysfs.c > +++ b/net/core/net-sysfs.c > @@ -895,6 +895,8 @@ static int rx_queue_add_kobject(struct net_device *dev, int index) > if (error) > goto exit; > > + dev_hold(queue->dev); > + > if (dev->sysfs_rx_queue_group) { > error = sysfs_create_group(kobj, dev->sysfs_rx_queue_group); > if (error) > @@ -902,7 +904,6 @@ static int rx_queue_add_kobject(struct net_device *dev, int index) > } > > kobject_uevent(kobj, KOBJ_ADD); > - dev_hold(queue->dev); > > return error; > exit: > @@ -1291,6 +1292,8 @@ static int netdev_queue_add_kobject(struct net_device *dev, int index) > if (error) > goto exit; > > + dev_hold(queue->dev); > + > #ifdef CONFIG_BQL > error = sysfs_create_group(kobj, &dql_group); > if (error) > @@ -1298,7 +1301,6 @@ static int netdev_queue_add_kobject(struct net_device *dev, int index) > #endif > > kobject_uevent(kobj, KOBJ_ADD); > - dev_hold(queue->dev); > > return 0; > exit: > -- > 2.25.1 > > > -- > kernel-team mailing list > kernel-team@lists.ubuntu.com > https://lists.ubuntu.com/mailman/listinfo/kernel-team
diff --git a/net/core/net-sysfs.c b/net/core/net-sysfs.c index eafcbddae408..b997abf5a60c 100644 --- a/net/core/net-sysfs.c +++ b/net/core/net-sysfs.c @@ -895,6 +895,8 @@ static int rx_queue_add_kobject(struct net_device *dev, int index) if (error) goto exit; + dev_hold(queue->dev); + if (dev->sysfs_rx_queue_group) { error = sysfs_create_group(kobj, dev->sysfs_rx_queue_group); if (error) @@ -902,7 +904,6 @@ static int rx_queue_add_kobject(struct net_device *dev, int index) } kobject_uevent(kobj, KOBJ_ADD); - dev_hold(queue->dev); return error; exit: @@ -1291,6 +1292,8 @@ static int netdev_queue_add_kobject(struct net_device *dev, int index) if (error) goto exit; + dev_hold(queue->dev); + #ifdef CONFIG_BQL error = sysfs_create_group(kobj, &dql_group); if (error) @@ -1298,7 +1301,6 @@ static int netdev_queue_add_kobject(struct net_device *dev, int index) #endif kobject_uevent(kobj, KOBJ_ADD); - dev_hold(queue->dev); return 0; exit: