[Xenial] [CVE-2019-20811] [PATCH] net-sysfs: call dev_hold if kobject_init_and_add success

William Breathitt Gray william.gray at canonical.com
Tue Aug 11 20:35:08 UTC 2020 

On Tue, Aug 11, 2020 at 04:07:14PM -0400, William Breathitt Gray wrote:
> In netdev_queue_add_kobject and rx_queue_add_kobject,
> if sysfs_create_group failed, kobject_put will call
> netdev_queue_release to decrease dev refcont, however
> dev_hold has not be called. So we will see this while
> unregistering dev:
> 
> unregister_netdevice: waiting for bcsh0 to become free. Usage count = -1
> 
> OriginalAuthor: YueHaibing <yuehaibing at huawei.com>
> Reported-by: Hulk Robot <hulkci at huawei.com>
> Fixes: d0d668371679 ("net: don't decrement kobj reference count on init failure")
> Signed-off-by: YueHaibing <yuehaibing at huawei.com>
> Signed-off-by: David S. Miller <davem at davemloft.net>
> 
> CVE-2019-20811
> 
> (backported from commit a3e23f719f5c4a38ffb3d30c8d7632a4ed8ccd9e)
> [ William Breathitt Gray: context adjustments ]
> Signed-off-by: William Breathitt Gray <william.gray at canonical.com>

This patch is missing the correct original author From line.

Nacked-by: William Breathitt Gray <william.gray at canonica.com>

> ---
>  net/core/net-sysfs.c | 6 ++++--
>  1 file changed, 4 insertions(+), 2 deletions(-)
> 
> diff --git a/net/core/net-sysfs.c b/net/core/net-sysfs.c
> index eafcbddae408..b997abf5a60c 100644
> --- a/net/core/net-sysfs.c
> +++ b/net/core/net-sysfs.c
> @@ -895,6 +895,8 @@ static int rx_queue_add_kobject(struct net_device *dev, int index)
>  	if (error)
>  		goto exit;
>  
> +	dev_hold(queue->dev);
> +
>  	if (dev->sysfs_rx_queue_group) {
>  		error = sysfs_create_group(kobj, dev->sysfs_rx_queue_group);
>  		if (error)
> @@ -902,7 +904,6 @@ static int rx_queue_add_kobject(struct net_device *dev, int index)
>  	}
>  
>  	kobject_uevent(kobj, KOBJ_ADD);
> -	dev_hold(queue->dev);
>  
>  	return error;
>  exit:
> @@ -1291,6 +1292,8 @@ static int netdev_queue_add_kobject(struct net_device *dev, int index)
>  	if (error)
>  		goto exit;
>  
> +	dev_hold(queue->dev);
> +
>  #ifdef CONFIG_BQL
>  	error = sysfs_create_group(kobj, &dql_group);
>  	if (error)
> @@ -1298,7 +1301,6 @@ static int netdev_queue_add_kobject(struct net_device *dev, int index)
>  #endif
>  
>  	kobject_uevent(kobj, KOBJ_ADD);
> -	dev_hold(queue->dev);
>  
>  	return 0;
>  exit:
> -- 
> 2.25.1
> 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <https://lists.ubuntu.com/archives/kernel-team/attachments/20200811/2415d972/attachment.sig>

More information about the kernel-team mailing list