From: Eric Dumazet <edumazet@google.com>

Date: Tue, 22 Mar 2022 17:41:47 -0700

Subject: llc: fix netdevice reference leaks in llc_ui_bind()

MIME-Version: 1.0

Content-Type: text/plain; charset=UTF-8

Content-Transfer-Encoding: 8bit

Patch-mainline: v5.18-rc1

Git-commit: 764f4eb6846f5475f1244767d24d25dd86528a4a

References: CVE-2022-28356 bsc#1197391

Whenever llc_ui_bind() and/or llc_ui_autobind()

took a reference on a netdevice but subsequently fail,

they must properly release their reference

or risk the infamous message from unregister_netdevice()

at device dismantle.

unregister_netdevice: waiting for eth0 to become free. Usage count = 3

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")

Signed-off-by: Eric Dumazet <edumazet@google.com>

Reported-by: 赵子轩 <beraphin@gmail.com>

Reported-by: Stoyan Manolov <smanolov@suse.de>

Link: https://lore.kernel.org/r/20220323004147.1990845-1-eric.dumazet@gmail.com

Signed-off-by: Jakub Kicinski <kuba@kernel.org>

Acked-by: Michal Kubecek <mkubecek@suse.cz>

SLE/openSUSE: use dev_put() rather than dev_put_track() which was only

introduced in mainline 5.17-rc1.

---

 net/llc/af_llc.c | 8 ++++++++

 1 file changed, 8 insertions(+)

--- a/net/llc/af_llc.c

+++ b/net/llc/af_llc.c

@@ -299,6 +299,10 @@ static int llc_ui_autobind(struct socket *sock, struct sockaddr_llc *addr)

 	sock_reset_flag(sk, SOCK_ZAPPED);

 	rc = 0;

 out:

+	if (rc) {

+		dev_put(llc->dev);

+		llc->dev = NULL;

+	}

 	return rc;

 }

@@ -398,6 +402,10 @@ static int llc_ui_bind(struct socket *sock, struct sockaddr *uaddr, int addrlen)

 out_put:

 	llc_sap_put(sap);

 out:

+	if (rc) {

+		dev_put(llc->dev);

+		llc->dev = NULL;

+	}

 	release_sock(sk);

 	return rc;

 }