From 51a84831ff9983381a96c33155993d9d22bbd18f Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Tue, 28 Jan 2020 14:29:16 +0100
Subject: [PATCH] 4.14-stable patches added patches: net-sysfs-call-dev_hold-always-in-netdev_queue_add_kobject.patch net-sysfs-call-dev_hold-always-in-rx_queue_add_kobject.patch net-sysfs-fix-netdev_queue_add_kobject-breakage.patch net-sysfs-fix-reference-count-leak-in-rx-netdev_queue_add_kobject.patch
---
 ...d-always-in-netdev_queue_add_kobject.patch | 47 ++++++++
 ..._hold-always-in-rx_queue_add_kobject.patch | 48 ++++++++
 ...ix-netdev_queue_add_kobject-breakage.patch | 31 +++++
 ...-leak-in-rx-netdev_queue_add_kobject.patch | 106 ++++++++++++++++++
 queue-4.14/series | 4 +
 5 files changed, 236 insertions(+)
 create mode 100644 queue-4.14/net-sysfs-call-dev_hold-always-in-netdev_queue_add_kobject.patch
 create mode 100644 queue-4.14/net-sysfs-call-dev_hold-always-in-rx_queue_add_kobject.patch
 create mode 100644 queue-4.14/net-sysfs-fix-netdev_queue_add_kobject-breakage.patch
 create mode 100644 queue-4.14/net-sysfs-fix-reference-count-leak-in-rx-netdev_queue_add_kobject.patch
diff --git a/queue-4.14/net-sysfs-call-dev_hold-always-in-netdev_queue_add_kobject.patch b/queue-4.14/net-sysfs-call-dev_hold-always-in-netdev_queue_add_kobject.patch
new file mode 100644
index 00000000000..45cf1160efd
--- /dev/null
+++ b/queue-4.14/net-sysfs-call-dev_hold-always-in-netdev_queue_add_kobject.patch
@@ -0,0 +1,47 @@
+From e0b60903b434a7ee21ba8d8659f207ed84101e89 Mon Sep 17 00:00:00 2001
+From: Jouni Hogander
+Date: Thu, 5 Dec 2019 15:57:07 +0200
+Subject: net-sysfs: Call dev_hold always in netdev_queue_add_kobject
+
+From: Jouni Hogander
+
+commit e0b60903b434a7ee21ba8d8659f207ed84101e89 upstream.
+
+Dev_hold has to be called always in netdev_queue_add_kobject.
+Otherwise usage count drops below 0 in case of failure in
+kobject_init_and_add.
+
+Fixes: b8eb718348b8 ("net-sysfs: Fix reference count leak in rx|netdev_queue_add_kobject")
+Reported-by: Hulk Robot
+Cc: Tetsuo Handa
+Cc: David Miller
+Cc: Lukas Bulwahn
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/core/net-sysfs.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/net/core/net-sysfs.c
++++ b/net/core/net-sysfs.c
+@@ -1324,14 +1324,17 @@ static int netdev_queue_add_kobject(stru
+ struct kobject *kobj = &queue->kobj;
+ int error = 0;
+
++ /* Kobject_put later will trigger netdev_queue_release call
++ * which decreases dev refcount: Take that reference here
++ */
++ dev_hold(queue->dev);
++
+ kobj->kset = dev->queues_kset;
+ error = kobject_init_and_add(kobj, &netdev_queue_ktype, NULL,
+ "tx-%u", index);
+ if (error)
+ goto err;
+
+- dev_hold(queue->dev);
+-
+ #ifdef CONFIG_BQL
+ error = sysfs_create_group(kobj, &dql_group);
+ if (error)
diff --git a/queue-4.14/net-sysfs-call-dev_hold-always-in-rx_queue_add_kobject.patch b/queue-4.14/net-sysfs-call-dev_hold-always-in-rx_queue_add_kobject.patch
new file mode 100644
index 00000000000..18b9b06be5f
--- /dev/null
+++ b/queue-4.14/net-sysfs-call-dev_hold-always-in-rx_queue_add_kobject.patch
@@ -0,0 +1,48 @@
+From ddd9b5e3e765d8ed5a35786a6cb00111713fe161 Mon Sep 17 00:00:00 2001
+From: Jouni Hogander
+Date: Tue, 17 Dec 2019 13:46:34 +0200
+Subject: net-sysfs: Call dev_hold always in rx_queue_add_kobject
+
+From: Jouni Hogander
+
+commit ddd9b5e3e765d8ed5a35786a6cb00111713fe161 upstream.
+
+Dev_hold has to be called always in rx_queue_add_kobject.
+Otherwise usage count drops below 0 in case of failure in
+kobject_init_and_add.
+
+Fixes: b8eb718348b8 ("net-sysfs: Fix reference count leak in rx|netdev_queue_add_kobject")
+Reported-by: syzbot
+Cc: Tetsuo Handa
+Cc: David Miller
+Cc: Lukas Bulwahn
+Signed-off-by: Jouni Hogander
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/core/net-sysfs.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/net/core/net-sysfs.c
++++ b/net/core/net-sysfs.c
+@@ -911,14 +911,17 @@ static int rx_queue_add_kobject(struct n
+ struct kobject *kobj = &queue->kobj;
+ int error = 0;
+
++ /* Kobject_put later will trigger rx_queue_release call which
++ * decreases dev refcount: Take that reference here
++ */
++ dev_hold(queue->dev);
++
+ kobj->kset = dev->queues_kset;
+ error = kobject_init_and_add(kobj, &rx_queue_ktype, NULL,
+ "rx-%u", index);
+ if (error)
+ goto err;
+
+- dev_hold(queue->dev);
+-
+ if (dev->sysfs_rx_queue_group) {
+ error = sysfs_create_group(kobj, dev->sysfs_rx_queue_group);
+ if (error)
diff --git a/queue-4.14/net-sysfs-fix-netdev_queue_add_kobject-breakage.patch b/queue-4.14/net-sysfs-fix-netdev_queue_add_kobject-breakage.patch
new file mode 100644
index 00000000000..f315fbe5b2c
--- /dev/null
+++ b/queue-4.14/net-sysfs-fix-netdev_queue_add_kobject-breakage.patch
@@ -0,0 +1,31 @@
+From 48a322b6f9965b2f1e4ce81af972f0e287b07ed0 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet
+Date: Wed, 20 Nov 2019 19:19:07 -0800
+Subject: net-sysfs: fix netdev_queue_add_kobject() breakage
+
+From: Eric Dumazet
+
+commit 48a322b6f9965b2f1e4ce81af972f0e287b07ed0 upstream.
+
+kobject_put() should only be called in error path.
+
+Fixes: b8eb718348b8 ("net-sysfs: Fix reference count leak in rx|netdev_queue_add_kobject")
+Signed-off-by: Eric Dumazet
+Cc: Jouni Hogander
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/core/net-sysfs.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/core/net-sysfs.c
++++ b/net/core/net-sysfs.c
+@@ -1339,6 +1339,7 @@ static int netdev_queue_add_kobject(stru
+ #endif
+
+ kobject_uevent(kobj, KOBJ_ADD);
++ return 0;
+
+ err:
+ kobject_put(kobj);
diff --git a/queue-4.14/net-sysfs-fix-reference-count-leak-in-rx-netdev_queue_add_kobject.patch b/queue-4.14/net-sysfs-fix-reference-count-leak-in-rx-netdev_queue_add_kobject.patch
new file mode 100644
index 00000000000..5934d89d0f1
--- /dev/null
+++ b/queue-4.14/net-sysfs-fix-reference-count-leak-in-rx-netdev_queue_add_kobject.patch
@@ -0,0 +1,106 @@
+From b8eb718348b8fb30b5a7d0a8fce26fb3f4ac741b Mon Sep 17 00:00:00 2001
+From: Jouni Hogander
+Date: Wed, 20 Nov 2019 09:08:16 +0200
+Subject: net-sysfs: Fix reference count leak in rx|netdev_queue_add_kobject
+
+From: Jouni Hogander
+
+commit b8eb718348b8fb30b5a7d0a8fce26fb3f4ac741b upstream.
+
+kobject_init_and_add takes reference even when it fails. This has
+to be given up by the caller in error handling. Otherwise memory
+allocated by kobject_init_and_add is never freed. Originally found
+by Syzkaller:
+
+BUG: memory leak
+unreferenced object 0xffff8880679f8b08 (size 8):
+ comm "netdev_register", pid 269, jiffies 4294693094 (age 12.132s)
+ hex dump (first 8 bytes):
+ 72 78 2d 30 00 36 20 d4 rx-0.6 .
+ backtrace:
+ [<000000008c93818e>] __kmalloc_track_caller+0x16e/0x290
+ [<000000001f2e4e49>] kvasprintf+0xb1/0x140
+ [<000000007f313394>] kvasprintf_const+0x56/0x160
+ [<00000000aeca11c8>] kobject_set_name_vargs+0x5b/0x140
+ [<0000000073a0367c>] kobject_init_and_add+0xd8/0x170
+ [<0000000088838e4b>] net_rx_queue_update_kobjects+0x152/0x560
+ [<000000006be5f104>] netdev_register_kobject+0x210/0x380
+ [<00000000e31dab9d>] register_netdevice+0xa1b/0xf00
+ [<00000000f68b2465>] __tun_chr_ioctl+0x20d5/0x3dd0
+ [<000000004c50599f>] tun_chr_ioctl+0x2f/0x40
+ [<00000000bbd4c317>] do_vfs_ioctl+0x1c7/0x1510
+ [<00000000d4c59e8f>] ksys_ioctl+0x99/0xb0
+ [<00000000946aea81>] __x64_sys_ioctl+0x78/0xb0
+ [<0000000038d946e5>] do_syscall_64+0x16f/0x580
+ [<00000000e0aa5d8f>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
+ [<00000000285b3d1a>] 0xffffffffffffffff
+
+Cc: David Miller
+Cc: Lukas Bulwahn
+Signed-off-by: Jouni Hogander
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/core/net-sysfs.c | 24 +++++++++++++-----------
+ 1 file changed, 13 insertions(+), 11 deletions(-)
+
+--- a/net/core/net-sysfs.c
++++ b/net/core/net-sysfs.c
+@@ -915,21 +915,23 @@ static int rx_queue_add_kobject(struct n
+ error = kobject_init_and_add(kobj, &rx_queue_ktype, NULL,
+ "rx-%u", index);
+ if (error)
+- return error;
++ goto err;
+
+ dev_hold(queue->dev);
+
+ if (dev->sysfs_rx_queue_group) {
+ error = sysfs_create_group(kobj, dev->sysfs_rx_queue_group);
+- if (error) {
+- kobject_put(kobj);
+- return error;
+- }
++ if (error)
++ goto err;
+ }
+
+ kobject_uevent(kobj, KOBJ_ADD);
+
+ return error;
++
++err:
++ kobject_put(kobj);
++ return error;
+ }
+ #endif /* CONFIG_SYSFS */
+
+@@ -1326,21 +1328,21 @@ static int netdev_queue_add_kobject(stru
+ error = kobject_init_and_add(kobj, &netdev_queue_ktype, NULL,
+ "tx-%u", index);
+ if (error)
+- return error;
++ goto err;
+
+ dev_hold(queue->dev);
+
+ #ifdef CONFIG_BQL
+ error = sysfs_create_group(kobj, &dql_group);
+- if (error) {
+- kobject_put(kobj);
+- return error;
+- }
++ if (error)
++ goto err;
+ #endif
+
+ kobject_uevent(kobj, KOBJ_ADD);
+
+- return 0;
++err:
++ kobject_put(kobj);
++ return error;
+ }
+ #endif /* CONFIG_SYSFS */
+
diff --git a/queue-4.14/series b/queue-4.14/series
index f51874e9868..8f0eba1b98c 100644
--- a/queue-4.14/series
+++ b/queue-4.14/series
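Review bot: In the netdev_queue_add_kobject section of this backport the success path no longer returns before `err:`; `return 0;` is removed, so `kobject_uevent(kobj, KOBJ_ADD);` falls through into `kobject_put(kobj);` and drops the reference of a queue that was just added. In both functions `goto err` is also reached before `dev_hold(queue->dev);`, and going by the comments in the two dev_hold patches of this queue, the release callback triggered by kobject_put drops a device reference that was never taken on that path. Both problems are corrected only by the other three entries added in this commit (48a322b6f996, e0b60903b434, ddd9b5e3e765), so this patch is not safe to apply or bisect to on its own. I would record that in its changelog with a line such as `[ requires 48a322b6f996, e0b60903b434 and ddd9b5e3e765 applied on top ]`. Both function bodies start outside the hunks shown, so the release callbacks themselves could not be checked here.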
@@ -6,6 +6,10 @@ net-cxgb3_main-add-cap_net_admin-check-to-chelsio_get_mem.patch
 net-ip6_tunnel-fix-namespaces-move.patch
 net-ip_tunnel-fix-namespaces-move.patch
 net_sched-fix-datalen-for-ematch.patch
+net-sysfs-fix-reference-count-leak-in-rx-netdev_queue_add_kobject.patch
+net-sysfs-fix-netdev_queue_add_kobject-breakage.patch
+net-sysfs-call-dev_hold-always-in-netdev_queue_add_kobject.patch
+net-sysfs-call-dev_hold-always-in-rx_queue_add_kobject.patch
 net-sysfs-fix-reference-count-leak.patch
 net-usb-lan78xx-add-.ndo_features_check.patch
 tcp_bbr-improve-arithmetic-division-in-bbr_update_bw.patch
--
2.47.3