[Xenial] [CVE-2019-20811] [PATCH] net-sysfs: call dev_hold if kobject_init_and_add success
William Breathitt Gray
william.gray at canonical.com
Tue Aug 11 20:35:08 UTC 2020
On Tue, Aug 11, 2020 at 04:07:14PM -0400, William Breathitt Gray wrote:
> In netdev_queue_add_kobject and rx_queue_add_kobject,
> if sysfs_create_group failed, kobject_put will call
> netdev_queue_release to decrease dev refcont, however
> dev_hold has not be called. So we will see this while
> unregistering dev:
>
> unregister_netdevice: waiting for bcsh0 to become free. Usage count = -1
>
> OriginalAuthor: YueHaibing <yuehaibing at huawei.com>
> Reported-by: Hulk Robot <hulkci at huawei.com>
> Fixes: d0d668371679 ("net: don't decrement kobj reference count on init failure")
> Signed-off-by: YueHaibing <yuehaibing at huawei.com>
> Signed-off-by: David S. Miller <davem at davemloft.net>
>
> CVE-2019-20811
>
> (backported from commit a3e23f719f5c4a38ffb3d30c8d7632a4ed8ccd9e)
> [ William Breathitt Gray: context adjustments ]
> Signed-off-by: William Breathitt Gray <william.gray at canonical.com>
This patch is missing the correct original author From line.
Nacked-by: William Breathitt Gray <william.gray at canonica.com>
> ---
> net/core/net-sysfs.c | 6 ++++--
> 1 file changed, 4 insertions(+), 2 deletions(-)
>
> diff --git a/net/core/net-sysfs.c b/net/core/net-sysfs.c
> index eafcbddae408..b997abf5a60c 100644
> --- a/net/core/net-sysfs.c
> +++ b/net/core/net-sysfs.c
> @@ -895,6 +895,8 @@ static int rx_queue_add_kobject(struct net_device *dev, int index)
> if (error)
> goto exit;
>
> + dev_hold(queue->dev);
> +
> if (dev->sysfs_rx_queue_group) {
> error = sysfs_create_group(kobj, dev->sysfs_rx_queue_group);
> if (error)
> @@ -902,7 +904,6 @@ static int rx_queue_add_kobject(struct net_device *dev, int index)
> }
>
> kobject_uevent(kobj, KOBJ_ADD);
> - dev_hold(queue->dev);
>
> return error;
> exit:
> @@ -1291,6 +1292,8 @@ static int netdev_queue_add_kobject(struct net_device *dev, int index)
> if (error)
> goto exit;
>
> + dev_hold(queue->dev);
> +
> #ifdef CONFIG_BQL
> error = sysfs_create_group(kobj, &dql_group);
> if (error)
> @@ -1298,7 +1301,6 @@ static int netdev_queue_add_kobject(struct net_device *dev, int index)
> #endif
>
> kobject_uevent(kobj, KOBJ_ADD);
> - dev_hold(queue->dev);
>
> return 0;
> exit:
> --
> 2.25.1
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <https://lists.ubuntu.com/archives/kernel-team/attachments/20200811/2415d972/attachment.sig>
More information about the kernel-team
mailing list