net: core: netlink: add helper refcount dec and lock function

stable inclusion from linux-4.19.221 commit cd25f1099284a0cbe916344fc1e6c1ffed6c5306 category: bugfix CVE: CVE-2021-39713 -------------------------------- [ Upstream commit 6f99528e ] Rtnl lock is encapsulated in netlink and cannot be accessed by other modules directly. This means that reference counted objects that rely on rtnl lock cannot use it with refcounter helper function that atomically releases decrements reference and obtains mutex. This patch implements simple wrapper function around refcount_dec_and_lock that obtains rtnl lock if reference counter value reached 0. Signed-off-by: N Vlad Buslov <vladbu@mellanox.com> Acked-by: N Jiri Pirko <jiri@mellanox.com> Signed-off-by: N David S. Miller <davem@davemloft.net> [Lee: Sent to Stable] Link: https://syzkaller.appspot.com/bug?id=d7e411c5472dd5da33d8cc921ccadc747743a568 Reported-by: syzbot+5f229e48cccc804062c0@syzkaller.appspotmail.com Signed-off-by: N Lee Jones <lee.jones@linaro.org> Signed-off-by: N Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: N Zhengchao Shao <shaozhengchao@huawei.com> Reviewed-by: N Xiu Jianfeng <xiujianfeng@huawei.com> Reviewed-by: N Wei Yongjun <weiyongjun1@huawei.com> Signed-off-by: N Yongqiang Liu <liuyongqiang13@huawei.com>

net: core: netlink: add helper refcount dec and lock function
stable inclusion from linux-4.19.221 commit cd25f1099284a0cbe916344fc1e6c1ffed6c5306 category: bugfix CVE: CVE-2021-39713 -------------------------------- [ Upstream commit 6f99528e ] Rtnl lock is encapsulated in netlink and cannot be accessed by other modules directly. This means that reference counted objects that rely on rtnl lock cannot use it with refcounter helper function that atomically releases decrements reference and obtains mutex. This patch implements simple wrapper function around refcount_dec_and_lock that obtains rtnl lock if reference counter value reached 0. Signed-off-by: N Vlad Buslov <vladbu@mellanox.com> Acked-by: N Jiri Pirko <jiri@mellanox.com> Signed-off-by: N David S. Miller <davem@davemloft.net> [Lee: Sent to Stable] Link: https://syzkaller.appspot.com/bug?id=d7e411c5472dd5da33d8cc921ccadc747743a568 Reported-by: syzbot+5f229e48cccc804062c0@syzkaller.appspotmail.com Signed-off-by: N Lee Jones <lee.jones@linaro.org> Signed-off-by: N Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: N Zhengchao Shao <shaozhengchao@huawei.com> Reviewed-by: N Xiu Jianfeng <xiujianfeng@huawei.com> Reviewed-by: N Wei Yongjun <weiyongjun1@huawei.com> Signed-off-by: N Yongqiang Liu <liuyongqiang13@huawei.com>
dd9f1295 · Vlad Buslov · Yongqiang Liu · 5dc64083 · dd9f1295 · dd9f1295
隐藏空白更改
内联并排

Showing with 8 addition and 0 deletion

include/linux/rtnetlink.h include/linux/rtnetlink.h +2 -0

net/core/rtnetlink.c net/core/rtnetlink.c +6 -0

未找到文件。
--- a/include/linux/rtnetlink.h
+++ b/include/linux/rtnetlink.h
@@ -6,6 +6,7 @@
 #include <linux/mutex.h>
 #include <linux/netdevice.h>
 #include <linux/wait.h>
+#include <linux/refcount.h>
 #include <uapi/linux/rtnetlink.h>

 extern int rtnetlink_send(struct sk_buff *skb, struct net *net, u32 pid, u32 group, int echo);
@@ -34,6 +35,7 @@ extern void rtnl_unlock(void);
 extern int rtnl_trylock(void);
 extern int rtnl_is_locked(void);
 extern int rtnl_lock_killable(void);
+extern bool refcount_dec_and_rtnl_lock(refcount_t *r);

 extern wait_queue_head_t netdev_unregistering_wq;
 extern struct rw_semaphore pernet_ops_rwsem;

--- a/net/core/rtnetlink.c
+++ b/net/core/rtnetlink.c
@@ -130,6 +130,12 @@ int rtnl_is_locked(void)
 }
 EXPORT_SYMBOL(rtnl_is_locked);

+bool refcount_dec_and_rtnl_lock(refcount_t *r)
+{
+	return refcount_dec_and_mutex_lock(r, &rtnl_mutex);
+}
+EXPORT_SYMBOL(refcount_dec_and_rtnl_lock);
+
 #ifdef CONFIG_PROVE_LOCKING
 bool lockdep_rtnl_is_held(void)
 {