From: Greg Kroah-Hartman Date: Wed, 7 Mar 2018 17:48:16 +0000 (-0800) Subject: 4.9-stable patches X-Git-Tag: v4.14.25~15 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=ccaf764a867f776713e4ca4d87e901ab7ce6d099;p=thirdparty%2Fkernel%2Fstable-queue.git 4.9-stable patches added patches: netlink-put-module-reference-if-dump-start-fails.patch --- diff --git a/queue-4.9/netlink-put-module-reference-if-dump-start-fails.patch b/queue-4.9/netlink-put-module-reference-if-dump-start-fails.patch new file mode 100644 index 00000000000..ae2f221f9ac --- /dev/null +++ b/queue-4.9/netlink-put-module-reference-if-dump-start-fails.patch 
@@ -0,0 +1,48 @@ +From b87b6194be631c94785fe93398651e804ed43e28 Mon Sep 17 00:00:00 2001 +From: "Jason A. Donenfeld" +Date: Wed, 21 Feb 2018 04:41:59 +0100 +Subject: netlink: put module reference if dump start fails + +From: Jason A. Donenfeld + +commit b87b6194be631c94785fe93398651e804ed43e28 upstream. + +Before, if cb->start() failed, the module reference would never be put, +because cb->cb_running is intentionally false at this point. Users are +generally annoyed by this because they can no longer unload modules that +leak references. Also, it may be possible to tediously wrap a reference +counter back to zero, especially since module.c still uses atomic_inc +instead of refcount_inc. + +This patch expands the error path to simply call module_put if +cb->start() fails. + +Fixes: 41c87425a1ac ("netlink: do not set cb_running if dump's start() errs") +Signed-off-by: Jason A. Donenfeld +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + net/netlink/af_netlink.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/net/netlink/af_netlink.c ++++ b/net/netlink/af_netlink.c +@@ -2258,7 +2258,7 @@ int __netlink_dump_start(struct sock *ss + if (cb->start) { + ret = cb->start(cb); + if (ret) +- goto error_unlock; ++ goto error_put; + } + + nlk->cb_running = true; +@@ -2278,6 +2278,8 @@ int __netlink_dump_start(struct sock *ss + */ + return -EINTR; + ++error_put: ++ module_put(control->module); + error_unlock: + sock_put(sk); + mutex_unlock(nlk->cb_mutex); diff --git a/queue-4.9/series b/queue-4.9/series index 585230a391f..26af0750b6e 100644 --- a/queue-4.9/series +++ b/queue-4.9/series @@ -28,3 +28,4 @@ arm-dts-logicpd-torpedo-fix-i2c1-pinmux.patch x86-mm-give-each-mm-tlb-flush-generation-a-unique-id.patch x86-speculation-use-indirect-branch-prediction-barrier-in-context-switch.patch md-only-allow-remove_and_add_spares-when-no-sync_thread-running.patch +netlink-put-module-reference-if-dump-start-fails.patch
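Review bot: in the first af_netlink.c hunk (@@ -2258), only the failure branch after `ret = cb->start(cb);` is redirected to `error_put`, and the other jumps to `error_unlock` are not visible in this context. Please confirm that every remaining `goto error_unlock` is reached before the module reference is taken, so that no other path leaks the same reference and none reaches `module_put` without holding one.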
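Review bot: in the second af_netlink.c hunk (@@ -2278), the new `error_put:` label relies on falling through into `error_unlock:` and carries no comment saying so or naming the reference it drops. The place where the reference on `control->module` is taken is outside the visible context, so a short comment above the label (for example, that it undoes the module reference held across `cb->start()` and then falls through) would keep a later reorder of the labels from breaking the pairing. Note also that `module_put(control->module)` now runs before `sock_put(sk)` and `mutex_unlock(nlk->cb_mutex)`, that is, with the callback mutex still held; worth stating in the changelog that this ordering is intended.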
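Review bot: in the queue-4.9/series hunk, the patch is appended to the 4.9 queue, but its `Fixes:` tag points at 41c87425a1ac ("netlink: do not set cb_running if dump's start() errs") and nothing on this page shows that commit is present in the 4.9 tree. Please confirm the 4.9 branch carries that change (or a backport of it) before queuing, since the `error_put` path only makes sense where a failing `cb->start()` leaves `cb_running` false.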