diff mbox series

[Xenial,CVE-2019-20811] net-sysfs: call dev_hold if kobject_init_and_add success

Message ID 20200811200714.39806-1-william.gray@canonical.com
State New
Headers show
Series [Xenial,CVE-2019-20811] net-sysfs: call dev_hold if kobject_init_and_add success | expand

Commit Message

William Breathitt Gray Aug. 11, 2020, 8:07 p.m. UTC
In netdev_queue_add_kobject and rx_queue_add_kobject,
if sysfs_create_group failed, kobject_put will call
netdev_queue_release to decrease dev refcont, however
dev_hold has not be called. So we will see this while
unregistering dev:

unregister_netdevice: waiting for bcsh0 to become free. Usage count = -1

OriginalAuthor: YueHaibing <yuehaibing@huawei.com>
Reported-by: Hulk Robot <hulkci@huawei.com>
Fixes: d0d668371679 ("net: don't decrement kobj reference count on init failure")
Signed-off-by: YueHaibing <yuehaibing@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

CVE-2019-20811

(backported from commit a3e23f719f5c4a38ffb3d30c8d7632a4ed8ccd9e)
[ William Breathitt Gray: context adjustments ]
Signed-off-by: William Breathitt Gray <william.gray@canonical.com>
---
 net/core/net-sysfs.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

Comments

William Breathitt Gray Aug. 11, 2020, 8:35 p.m. UTC | #1
On Tue, Aug 11, 2020 at 04:07:14PM -0400, William Breathitt Gray wrote:
> In netdev_queue_add_kobject and rx_queue_add_kobject,
> if sysfs_create_group failed, kobject_put will call
> netdev_queue_release to decrease dev refcont, however
> dev_hold has not be called. So we will see this while
> unregistering dev:
> 
> unregister_netdevice: waiting for bcsh0 to become free. Usage count = -1
> 
> OriginalAuthor: YueHaibing <yuehaibing@huawei.com>
> Reported-by: Hulk Robot <hulkci@huawei.com>
> Fixes: d0d668371679 ("net: don't decrement kobj reference count on init failure")
> Signed-off-by: YueHaibing <yuehaibing@huawei.com>
> Signed-off-by: David S. Miller <davem@davemloft.net>
> 
> CVE-2019-20811
> 
> (backported from commit a3e23f719f5c4a38ffb3d30c8d7632a4ed8ccd9e)
> [ William Breathitt Gray: context adjustments ]
> Signed-off-by: William Breathitt Gray <william.gray@canonical.com>

This patch is missing the correct original author From line.

Nacked-by: William Breathitt Gray <william.gray@canonica.com>

> ---
>  net/core/net-sysfs.c | 6 ++++--
>  1 file changed, 4 insertions(+), 2 deletions(-)
> 
> diff --git a/net/core/net-sysfs.c b/net/core/net-sysfs.c
> index eafcbddae408..b997abf5a60c 100644
> --- a/net/core/net-sysfs.c
> +++ b/net/core/net-sysfs.c
> @@ -895,6 +895,8 @@ static int rx_queue_add_kobject(struct net_device *dev, int index)
>  	if (error)
>  		goto exit;
>  
> +	dev_hold(queue->dev);
> +
>  	if (dev->sysfs_rx_queue_group) {
>  		error = sysfs_create_group(kobj, dev->sysfs_rx_queue_group);
>  		if (error)
> @@ -902,7 +904,6 @@ static int rx_queue_add_kobject(struct net_device *dev, int index)
>  	}
>  
>  	kobject_uevent(kobj, KOBJ_ADD);
> -	dev_hold(queue->dev);
>  
>  	return error;
>  exit:
> @@ -1291,6 +1292,8 @@ static int netdev_queue_add_kobject(struct net_device *dev, int index)
>  	if (error)
>  		goto exit;
>  
> +	dev_hold(queue->dev);
> +
>  #ifdef CONFIG_BQL
>  	error = sysfs_create_group(kobj, &dql_group);
>  	if (error)
> @@ -1298,7 +1301,6 @@ static int netdev_queue_add_kobject(struct net_device *dev, int index)
>  #endif
>  
>  	kobject_uevent(kobj, KOBJ_ADD);
> -	dev_hold(queue->dev);
>  
>  	return 0;
>  exit:
> -- 
> 2.25.1
>
Kleber Souza Aug. 20, 2020, 7:44 a.m. UTC | #2
On 11.08.20 22:35, William Breathitt Gray wrote:
> On Tue, Aug 11, 2020 at 04:07:14PM -0400, William Breathitt Gray wrote:
>> In netdev_queue_add_kobject and rx_queue_add_kobject,
>> if sysfs_create_group failed, kobject_put will call
>> netdev_queue_release to decrease dev refcont, however
>> dev_hold has not be called. So we will see this while
>> unregistering dev:
>>
>> unregister_netdevice: waiting for bcsh0 to become free. Usage count = -1
>>
>> OriginalAuthor: YueHaibing <yuehaibing@huawei.com>
>> Reported-by: Hulk Robot <hulkci@huawei.com>
>> Fixes: d0d668371679 ("net: don't decrement kobj reference count on init failure")
>> Signed-off-by: YueHaibing <yuehaibing@huawei.com>
>> Signed-off-by: David S. Miller <davem@davemloft.net>
>>
>> CVE-2019-20811
>>
>> (backported from commit a3e23f719f5c4a38ffb3d30c8d7632a4ed8ccd9e)
>> [ William Breathitt Gray: context adjustments ]
>> Signed-off-by: William Breathitt Gray <william.gray@canonical.com>
> 
> This patch is missing the correct original author From line.
> 
> Nacked-by: William Breathitt Gray <william.gray@canonica.com>

Hi William,

When NAK'ing a patch, please include the "NAK" prefix to the email
subject so it's easier to spot patches that still need attention.

Thanks,
Kleber

> 
>> ---
>>  net/core/net-sysfs.c | 6 ++++--
>>  1 file changed, 4 insertions(+), 2 deletions(-)
>>
>> diff --git a/net/core/net-sysfs.c b/net/core/net-sysfs.c
>> index eafcbddae408..b997abf5a60c 100644
>> --- a/net/core/net-sysfs.c
>> +++ b/net/core/net-sysfs.c
>> @@ -895,6 +895,8 @@ static int rx_queue_add_kobject(struct net_device *dev, int index)
>>  	if (error)
>>  		goto exit;
>>  
>> +	dev_hold(queue->dev);
>> +
>>  	if (dev->sysfs_rx_queue_group) {
>>  		error = sysfs_create_group(kobj, dev->sysfs_rx_queue_group);
>>  		if (error)
>> @@ -902,7 +904,6 @@ static int rx_queue_add_kobject(struct net_device *dev, int index)
>>  	}
>>  
>>  	kobject_uevent(kobj, KOBJ_ADD);
>> -	dev_hold(queue->dev);
>>  
>>  	return error;
>>  exit:
>> @@ -1291,6 +1292,8 @@ static int netdev_queue_add_kobject(struct net_device *dev, int index)
>>  	if (error)
>>  		goto exit;
>>  
>> +	dev_hold(queue->dev);
>> +
>>  #ifdef CONFIG_BQL
>>  	error = sysfs_create_group(kobj, &dql_group);
>>  	if (error)
>> @@ -1298,7 +1301,6 @@ static int netdev_queue_add_kobject(struct net_device *dev, int index)
>>  #endif
>>  
>>  	kobject_uevent(kobj, KOBJ_ADD);
>> -	dev_hold(queue->dev);
>>  
>>  	return 0;
>>  exit:
>> -- 
>> 2.25.1
>>
>>
diff mbox series

Patch

diff --git a/net/core/net-sysfs.c b/net/core/net-sysfs.c
index eafcbddae408..b997abf5a60c 100644
--- a/net/core/net-sysfs.c
+++ b/net/core/net-sysfs.c
@@ -895,6 +895,8 @@  static int rx_queue_add_kobject(struct net_device *dev, int index)
 	if (error)
 		goto exit;
 
+	dev_hold(queue->dev);
+
 	if (dev->sysfs_rx_queue_group) {
 		error = sysfs_create_group(kobj, dev->sysfs_rx_queue_group);
 		if (error)
@@ -902,7 +904,6 @@  static int rx_queue_add_kobject(struct net_device *dev, int index)
 	}
 
 	kobject_uevent(kobj, KOBJ_ADD);
-	dev_hold(queue->dev);
 
 	return error;
 exit:
@@ -1291,6 +1292,8 @@  static int netdev_queue_add_kobject(struct net_device *dev, int index)
 	if (error)
 		goto exit;
 
+	dev_hold(queue->dev);
+
 #ifdef CONFIG_BQL
 	error = sysfs_create_group(kobj, &dql_group);
 	if (error)
@@ -1298,7 +1301,6 @@  static int netdev_queue_add_kobject(struct net_device *dev, int index)
 #endif
 
 	kobject_uevent(kobj, KOBJ_ADD);
-	dev_hold(queue->dev);
 
 	return 0;
 exit: