Merge 5f7f6abd92 ("net: Fix null-ptr-deref by sock_lock_init_class_and_name() and rmmod.") into android16-6.12-lts

Steps on the way to 6.12.24 Resolves merge conflicts in: include/net/sock.h Change-Id: Iad709683ab2604d124bedc3902f48588b28253bb Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
2025-05-09 12:03:28 +00:00
parent fbffc72bf0 5f7f6abd92
commit 7e9686596c
2 changed files with 43 additions and 2 deletions
--- a/include/net/sock.h
+++ b/include/net/sock.h
@@ -339,6 +339,8 @@ struct sk_filter;
  *	@sk_txtime_unused: unused txtime flags
  *	@ns_tracker: tracker for netns reference
  *	@sk_user_frags: xarray of pages the user is holding a reference on.
+  *	@sk_owner: reference to the real owner of the socket that calls
+  *		   sock_lock_init_class_and_name().
  */
 struct sock {
 	/*
@@ -546,6 +548,10 @@ struct sock {
 	netns_tracker		ns_tracker;
 	struct xarray		sk_user_frags;

+#if IS_ENABLED(CONFIG_PROVE_LOCKING) && IS_ENABLED(CONFIG_MODULES)
+	struct module		*sk_owner;
+#endif
+
 	ANDROID_OEM_DATA(1);
 };

@@ -1588,6 +1594,35 @@ static inline void sk_mem_uncharge(struct sock *sk, int size)
 	sk_mem_reclaim(sk);
 }

+#if IS_ENABLED(CONFIG_PROVE_LOCKING) && IS_ENABLED(CONFIG_MODULES)
+static inline void sk_owner_set(struct sock *sk, struct module *owner)
+{
+	__module_get(owner);
+	sk->sk_owner = owner;
+}
+
+static inline void sk_owner_clear(struct sock *sk)
+{
+	sk->sk_owner = NULL;
+}
+
+static inline void sk_owner_put(struct sock *sk)
+{
+	module_put(sk->sk_owner);
+}
+#else
+static inline void sk_owner_set(struct sock *sk, struct module *owner)
+{
+}
+
+static inline void sk_owner_clear(struct sock *sk)
+{
+}
+
+static inline void sk_owner_put(struct sock *sk)
+{
+}
+#endif
 /*
 * Macro so as to not evaluate some arguments when
 * lockdep is not enabled.
@@ -1597,13 +1632,14 @@ static inline void sk_mem_uncharge(struct sock *sk, int size)
 */
 #define sock_lock_init_class_and_name(sk, sname, skey, name, key)	\
 do {									\
+	sk_owner_set(sk, THIS_MODULE);					\
 	sk->sk_lock.owned = 0;						\
 	init_waitqueue_head(&sk->sk_lock.wq);				\
 	spin_lock_init(&(sk)->sk_lock.slock);				\
 	debug_check_no_locks_freed((void *)&(sk)->sk_lock,		\
-			sizeof((sk)->sk_lock));				\
+				   sizeof((sk)->sk_lock));		\
 	lockdep_set_class_and_name(&(sk)->sk_lock.slock,		\
-				(skey), (sname));				\
+				   (skey), (sname));			\
 	lockdep_init_map(&(sk)->sk_lock.dep_map, (name), (key), 0);	\
 } while (0)

--- a/net/core/sock.c
+++ b/net/core/sock.c
@@ -2109,6 +2109,8 @@ lenout:
 */
 static inline void sock_lock_init(struct sock *sk)
 {
+	sk_owner_clear(sk);
+
 	if (sk->sk_kern_sock)
 		sock_lock_init_class_and_name(
 			sk,
@@ -2206,6 +2208,9 @@ static void sk_prot_free(struct proto *prot, struct sock *sk)
 	mem_cgroup_sk_free(sk);
 	trace_android_vh_sk_free(sk);
 	security_sk_free(sk);
+
+	sk_owner_put(sk);
+
 	if (slab != NULL)
 		kmem_cache_free(slab, sk);
 	else