Message ID | 20200811200714.39806-1-william.gray@canonical.com |
---|---|
State | New |
Headers | show |
Series | [Xenial,CVE-2019-20811] net-sysfs: call dev_hold if kobject_init_and_add success | expand |
On Tue, Aug 11, 2020 at 04:07:14PM -0400, William Breathitt Gray wrote: > In netdev_queue_add_kobject and rx_queue_add_kobject, > if sysfs_create_group failed, kobject_put will call > netdev_queue_release to decrease dev refcont, however > dev_hold has not be called. So we will see this while > unregistering dev: > > unregister_netdevice: waiting for bcsh0 to become free. Usage count = -1 > > OriginalAuthor: YueHaibing <yuehaibing@huawei.com> > Reported-by: Hulk Robot <hulkci@huawei.com> > Fixes: d0d668371679 ("net: don't decrement kobj reference count on init failure") > Signed-off-by: YueHaibing <yuehaibing@huawei.com> > Signed-off-by: David S. Miller <davem@davemloft.net> > > CVE-2019-20811 > > (backported from commit a3e23f719f5c4a38ffb3d30c8d7632a4ed8ccd9e) > [ William Breathitt Gray: context adjustments ] > Signed-off-by: William Breathitt Gray <william.gray@canonical.com> This patch is missing the correct original author From line. Nacked-by: William Breathitt Gray <william.gray@canonica.com> > --- > net/core/net-sysfs.c | 6 ++++-- > 1 file changed, 4 insertions(+), 2 deletions(-) > > diff --git a/net/core/net-sysfs.c b/net/core/net-sysfs.c > index eafcbddae408..b997abf5a60c 100644 > --- a/net/core/net-sysfs.c > +++ b/net/core/net-sysfs.c > @@ -895,6 +895,8 @@ static int rx_queue_add_kobject(struct net_device *dev, int index) > if (error) > goto exit; > > + dev_hold(queue->dev); > + > if (dev->sysfs_rx_queue_group) { > error = sysfs_create_group(kobj, dev->sysfs_rx_queue_group); > if (error) > @@ -902,7 +904,6 @@ static int rx_queue_add_kobject(struct net_device *dev, int index) > } > > kobject_uevent(kobj, KOBJ_ADD); > - dev_hold(queue->dev); > > return error; > exit: > @@ -1291,6 +1292,8 @@ static int netdev_queue_add_kobject(struct net_device *dev, int index) > if (error) > goto exit; > > + dev_hold(queue->dev); > + > #ifdef CONFIG_BQL > error = sysfs_create_group(kobj, &dql_group); > if (error) > @@ -1298,7 +1301,6 @@ static int netdev_queue_add_kobject(struct net_device *dev, int index) > #endif > > kobject_uevent(kobj, KOBJ_ADD); > - dev_hold(queue->dev); > > return 0; > exit: > -- > 2.25.1 >
On 11.08.20 22:35, William Breathitt Gray wrote: > On Tue, Aug 11, 2020 at 04:07:14PM -0400, William Breathitt Gray wrote: >> In netdev_queue_add_kobject and rx_queue_add_kobject, >> if sysfs_create_group failed, kobject_put will call >> netdev_queue_release to decrease dev refcont, however >> dev_hold has not be called. So we will see this while >> unregistering dev: >> >> unregister_netdevice: waiting for bcsh0 to become free. Usage count = -1 >> >> OriginalAuthor: YueHaibing <yuehaibing@huawei.com> >> Reported-by: Hulk Robot <hulkci@huawei.com> >> Fixes: d0d668371679 ("net: don't decrement kobj reference count on init failure") >> Signed-off-by: YueHaibing <yuehaibing@huawei.com> >> Signed-off-by: David S. Miller <davem@davemloft.net> >> >> CVE-2019-20811 >> >> (backported from commit a3e23f719f5c4a38ffb3d30c8d7632a4ed8ccd9e) >> [ William Breathitt Gray: context adjustments ] >> Signed-off-by: William Breathitt Gray <william.gray@canonical.com> > > This patch is missing the correct original author From line. > > Nacked-by: William Breathitt Gray <william.gray@canonica.com> Hi William, When NAK'ing a patch, please include the "NAK" prefix to the email subject so it's easier to spot patches that still need attention. Thanks, Kleber > >> --- >> net/core/net-sysfs.c | 6 ++++-- >> 1 file changed, 4 insertions(+), 2 deletions(-) >> >> diff --git a/net/core/net-sysfs.c b/net/core/net-sysfs.c >> index eafcbddae408..b997abf5a60c 100644 >> --- a/net/core/net-sysfs.c >> +++ b/net/core/net-sysfs.c >> @@ -895,6 +895,8 @@ static int rx_queue_add_kobject(struct net_device *dev, int index) >> if (error) >> goto exit; >> >> + dev_hold(queue->dev); >> + >> if (dev->sysfs_rx_queue_group) { >> error = sysfs_create_group(kobj, dev->sysfs_rx_queue_group); >> if (error) >> @@ -902,7 +904,6 @@ static int rx_queue_add_kobject(struct net_device *dev, int index) >> } >> >> kobject_uevent(kobj, KOBJ_ADD); >> - dev_hold(queue->dev); >> >> return error; >> exit: >> @@ -1291,6 +1292,8 @@ static int netdev_queue_add_kobject(struct net_device *dev, int index) >> if (error) >> goto exit; >> >> + dev_hold(queue->dev); >> + >> #ifdef CONFIG_BQL >> error = sysfs_create_group(kobj, &dql_group); >> if (error) >> @@ -1298,7 +1301,6 @@ static int netdev_queue_add_kobject(struct net_device *dev, int index) >> #endif >> >> kobject_uevent(kobj, KOBJ_ADD); >> - dev_hold(queue->dev); >> >> return 0; >> exit: >> -- >> 2.25.1 >> >>
diff --git a/net/core/net-sysfs.c b/net/core/net-sysfs.c index eafcbddae408..b997abf5a60c 100644 --- a/net/core/net-sysfs.c +++ b/net/core/net-sysfs.c @@ -895,6 +895,8 @@ static int rx_queue_add_kobject(struct net_device *dev, int index) if (error) goto exit; + dev_hold(queue->dev); + if (dev->sysfs_rx_queue_group) { error = sysfs_create_group(kobj, dev->sysfs_rx_queue_group); if (error) @@ -902,7 +904,6 @@ static int rx_queue_add_kobject(struct net_device *dev, int index) } kobject_uevent(kobj, KOBJ_ADD); - dev_hold(queue->dev); return error; exit: @@ -1291,6 +1292,8 @@ static int netdev_queue_add_kobject(struct net_device *dev, int index) if (error) goto exit; + dev_hold(queue->dev); + #ifdef CONFIG_BQL error = sysfs_create_group(kobj, &dql_group); if (error) @@ -1298,7 +1301,6 @@ static int netdev_queue_add_kobject(struct net_device *dev, int index) #endif kobject_uevent(kobj, KOBJ_ADD); - dev_hold(queue->dev); return 0; exit: