[Xenial] [CVE-2019-20811] [PATCH] net-sysfs: call dev_hold if kobject_init_and_add success

Tue Aug 11 20:07:14 UTC 2020

In netdev_queue_add_kobject and rx_queue_add_kobject,
if sysfs_create_group failed, kobject_put will call
netdev_queue_release to decrease dev refcont, however
dev_hold has not be called. So we will see this while
unregistering dev:

unregister_netdevice: waiting for bcsh0 to become free. Usage count = -1

OriginalAuthor: YueHaibing <yuehaibing at huawei.com>
Reported-by: Hulk Robot <hulkci at huawei.com>
Fixes: d0d668371679 ("net: don't decrement kobj reference count on init failure")
Signed-off-by: YueHaibing <yuehaibing at huawei.com>
Signed-off-by: David S. Miller <davem at davemloft.net>

CVE-2019-20811

(backported from commit a3e23f719f5c4a38ffb3d30c8d7632a4ed8ccd9e)
[ William Breathitt Gray: context adjustments ]
Signed-off-by: William Breathitt Gray <william.gray at canonical.com>
---
 net/core/net-sysfs.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/net/core/net-sysfs.c b/net/core/net-sysfs.c
index eafcbddae408..b997abf5a60c 100644
--- a/net/core/net-sysfs.c
+++ b/net/core/net-sysfs.c
@@ -895,6 +895,8 @@ static int rx_queue_add_kobject(struct net_device *dev, int index)
 	if (error)
 		goto exit;
 
+	dev_hold(queue->dev);
+
 	if (dev->sysfs_rx_queue_group) {
 		error = sysfs_create_group(kobj, dev->sysfs_rx_queue_group);
 		if (error)
@@ -902,7 +904,6 @@ static int rx_queue_add_kobject(struct net_device *dev, int index)
 	}
 
 	kobject_uevent(kobj, KOBJ_ADD);
-	dev_hold(queue->dev);
 
 	return error;
 exit:
@@ -1291,6 +1292,8 @@ static int netdev_queue_add_kobject(struct net_device *dev, int index)
 	if (error)
 		goto exit;
 
+	dev_hold(queue->dev);
+
 #ifdef CONFIG_BQL
 	error = sysfs_create_group(kobj, &dql_group);
 	if (error)
@@ -1298,7 +1301,6 @@ static int netdev_queue_add_kobject(struct net_device *dev, int index)
 #endif
 
 	kobject_uevent(kobj, KOBJ_ADD);
-	dev_hold(queue->dev);
 
 	return 0;
 exit:
-- 
2.25.1


