--- /dev/null
+From e0b60903b434a7ee21ba8d8659f207ed84101e89 Mon Sep 17 00:00:00 2001
+From: Jouni Hogander <jouni.hogander@unikie.com>
+Date: Thu, 5 Dec 2019 15:57:07 +0200
+Subject: net-sysfs: Call dev_hold always in netdev_queue_add_kobject
+
+From: Jouni Hogander <jouni.hogander@unikie.com>
+
+commit e0b60903b434a7ee21ba8d8659f207ed84101e89 upstream.
+
+Dev_hold has to be called always in netdev_queue_add_kobject.
+Otherwise usage count drops below 0 in case of failure in
+kobject_init_and_add.
+
+Fixes: b8eb718348b8 ("net-sysfs: Fix reference count leak in rx|netdev_queue_add_kobject")
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Cc: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Cc: David Miller <davem@davemloft.net>
+Cc: Lukas Bulwahn <lukas.bulwahn@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/core/net-sysfs.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/net/core/net-sysfs.c
++++ b/net/core/net-sysfs.c
+@@ -1324,14 +1324,17 @@ static int netdev_queue_add_kobject(stru
+ struct kobject *kobj = &queue->kobj;
+ int error = 0;
+
++ /* Kobject_put later will trigger netdev_queue_release call
++ * which decreases dev refcount: Take that reference here
++ */
++ dev_hold(queue->dev);
++
+ kobj->kset = dev->queues_kset;
+ error = kobject_init_and_add(kobj, &netdev_queue_ktype, NULL,
+ "tx-%u", index);
+ if (error)
+ goto err;
+
+- dev_hold(queue->dev);
+-
+ #ifdef CONFIG_BQL
+ error = sysfs_create_group(kobj, &dql_group);
+ if (error)
--- /dev/null
+From ddd9b5e3e765d8ed5a35786a6cb00111713fe161 Mon Sep 17 00:00:00 2001
+From: Jouni Hogander <jouni.hogander@unikie.com>
+Date: Tue, 17 Dec 2019 13:46:34 +0200
+Subject: net-sysfs: Call dev_hold always in rx_queue_add_kobject
+
+From: Jouni Hogander <jouni.hogander@unikie.com>
+
+commit ddd9b5e3e765d8ed5a35786a6cb00111713fe161 upstream.
+
+Dev_hold has to be called always in rx_queue_add_kobject.
+Otherwise usage count drops below 0 in case of failure in
+kobject_init_and_add.
+
+Fixes: b8eb718348b8 ("net-sysfs: Fix reference count leak in rx|netdev_queue_add_kobject")
+Reported-by: syzbot <syzbot+30209ea299c09d8785c9@syzkaller.appspotmail.com>
+Cc: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Cc: David Miller <davem@davemloft.net>
+Cc: Lukas Bulwahn <lukas.bulwahn@gmail.com>
+Signed-off-by: Jouni Hogander <jouni.hogander@unikie.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/core/net-sysfs.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/net/core/net-sysfs.c
++++ b/net/core/net-sysfs.c
+@@ -911,14 +911,17 @@ static int rx_queue_add_kobject(struct n
+ struct kobject *kobj = &queue->kobj;
+ int error = 0;
+
++ /* Kobject_put later will trigger rx_queue_release call which
++ * decreases dev refcount: Take that reference here
++ */
++ dev_hold(queue->dev);
++
+ kobj->kset = dev->queues_kset;
+ error = kobject_init_and_add(kobj, &rx_queue_ktype, NULL,
+ "rx-%u", index);
+ if (error)
+ goto err;
+
+- dev_hold(queue->dev);
+-
+ if (dev->sysfs_rx_queue_group) {
+ error = sysfs_create_group(kobj, dev->sysfs_rx_queue_group);
+ if (error)
--- /dev/null
+From 48a322b6f9965b2f1e4ce81af972f0e287b07ed0 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Wed, 20 Nov 2019 19:19:07 -0800
+Subject: net-sysfs: fix netdev_queue_add_kobject() breakage
+
+From: Eric Dumazet <edumazet@google.com>
+
+commit 48a322b6f9965b2f1e4ce81af972f0e287b07ed0 upstream.
+
+kobject_put() should only be called in error path.
+
+Fixes: b8eb718348b8 ("net-sysfs: Fix reference count leak in rx|netdev_queue_add_kobject")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Jouni Hogander <jouni.hogander@unikie.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/core/net-sysfs.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/core/net-sysfs.c
++++ b/net/core/net-sysfs.c
+@@ -1339,6 +1339,7 @@ static int netdev_queue_add_kobject(stru
+ #endif
+
+ kobject_uevent(kobj, KOBJ_ADD);
++ return 0;
+
+ err:
+ kobject_put(kobj);
--- /dev/null
+From b8eb718348b8fb30b5a7d0a8fce26fb3f4ac741b Mon Sep 17 00:00:00 2001
+From: Jouni Hogander <jouni.hogander@unikie.com>
+Date: Wed, 20 Nov 2019 09:08:16 +0200
+Subject: net-sysfs: Fix reference count leak in rx|netdev_queue_add_kobject
+
+From: Jouni Hogander <jouni.hogander@unikie.com>
+
+commit b8eb718348b8fb30b5a7d0a8fce26fb3f4ac741b upstream.
+
+kobject_init_and_add takes reference even when it fails. This has
+to be given up by the caller in error handling. Otherwise memory
+allocated by kobject_init_and_add is never freed. Originally found
+by Syzkaller:
+
+BUG: memory leak
+unreferenced object 0xffff8880679f8b08 (size 8):
+ comm "netdev_register", pid 269, jiffies 4294693094 (age 12.132s)
+ hex dump (first 8 bytes):
+ 72 78 2d 30 00 36 20 d4 rx-0.6 .
+ backtrace:
+ [<000000008c93818e>] __kmalloc_track_caller+0x16e/0x290
+ [<000000001f2e4e49>] kvasprintf+0xb1/0x140
+ [<000000007f313394>] kvasprintf_const+0x56/0x160
+ [<00000000aeca11c8>] kobject_set_name_vargs+0x5b/0x140
+ [<0000000073a0367c>] kobject_init_and_add+0xd8/0x170
+ [<0000000088838e4b>] net_rx_queue_update_kobjects+0x152/0x560
+ [<000000006be5f104>] netdev_register_kobject+0x210/0x380
+ [<00000000e31dab9d>] register_netdevice+0xa1b/0xf00
+ [<00000000f68b2465>] __tun_chr_ioctl+0x20d5/0x3dd0
+ [<000000004c50599f>] tun_chr_ioctl+0x2f/0x40
+ [<00000000bbd4c317>] do_vfs_ioctl+0x1c7/0x1510
+ [<00000000d4c59e8f>] ksys_ioctl+0x99/0xb0
+ [<00000000946aea81>] __x64_sys_ioctl+0x78/0xb0
+ [<0000000038d946e5>] do_syscall_64+0x16f/0x580
+ [<00000000e0aa5d8f>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
+ [<00000000285b3d1a>] 0xffffffffffffffff
+
+Cc: David Miller <davem@davemloft.net>
+Cc: Lukas Bulwahn <lukas.bulwahn@gmail.com>
+Signed-off-by: Jouni Hogander <jouni.hogander@unikie.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/core/net-sysfs.c | 24 +++++++++++++-----------
+ 1 file changed, 13 insertions(+), 11 deletions(-)
+
+--- a/net/core/net-sysfs.c
++++ b/net/core/net-sysfs.c
+@@ -915,21 +915,23 @@ static int rx_queue_add_kobject(struct n
+ error = kobject_init_and_add(kobj, &rx_queue_ktype, NULL,
+ "rx-%u", index);
+ if (error)
+- return error;
++ goto err;
+
+ dev_hold(queue->dev);
+
+ if (dev->sysfs_rx_queue_group) {
+ error = sysfs_create_group(kobj, dev->sysfs_rx_queue_group);
+- if (error) {
+- kobject_put(kobj);
+- return error;
+- }
++ if (error)
++ goto err;
+ }
+
+ kobject_uevent(kobj, KOBJ_ADD);
+
+ return error;
++
++err:
++ kobject_put(kobj);
++ return error;
+ }
+ #endif /* CONFIG_SYSFS */
+
+@@ -1326,21 +1328,21 @@ static int netdev_queue_add_kobject(stru
+ error = kobject_init_and_add(kobj, &netdev_queue_ktype, NULL,
+ "tx-%u", index);
+ if (error)
+- return error;
++ goto err;
+
+ dev_hold(queue->dev);
+
+ #ifdef CONFIG_BQL
+ error = sysfs_create_group(kobj, &dql_group);
+- if (error) {
+- kobject_put(kobj);
+- return error;
+- }
++ if (error)
++ goto err;
+ #endif
+
+ kobject_uevent(kobj, KOBJ_ADD);
+
+- return 0;
++err:
++ kobject_put(kobj);
++ return error;
+ }
+ #endif /* CONFIG_SYSFS */
+
net-ip6_tunnel-fix-namespaces-move.patch
net-ip_tunnel-fix-namespaces-move.patch
net_sched-fix-datalen-for-ematch.patch
+net-sysfs-fix-reference-count-leak-in-rx-netdev_queue_add_kobject.patch
+net-sysfs-fix-netdev_queue_add_kobject-breakage.patch
+net-sysfs-call-dev_hold-always-in-netdev_queue_add_kobject.patch
+net-sysfs-call-dev_hold-always-in-rx_queue_add_kobject.patch
net-sysfs-fix-reference-count-leak.patch
net-usb-lan78xx-add-.ndo_features_check.patch
tcp_bbr-improve-arithmetic-division-in-bbr_update_bw.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
