Commit 3c446e6f authored by Jiri Slaby's avatar Jiri Slaby Committed by David S. Miller

kcm: switch order of device registration to fix a crash

When kcm is loaded while many processes try to create a KCM socket, a
crash occurs:
 BUG: unable to handle kernel NULL pointer dereference at 000000000000000e
 IP: mutex_lock+0x27/0x40 kernel/locking/mutex.c:240
 PGD 8000000016ef2067 P4D 8000000016ef2067 PUD 3d6e9067 PMD 0
 Oops: 0002 [#1] SMP KASAN PTI
 CPU: 0 PID: 7005 Comm: syz-executor.5 Not tainted 4.12.14-396-default #1 SLE15-SP1 (unreleased)
 RIP: 0010:mutex_lock+0x27/0x40 kernel/locking/mutex.c:240
 RSP: 0018:ffff88000d487a00 EFLAGS: 00010246
 RAX: 0000000000000000 RBX: 000000000000000e RCX: 1ffff100082b0719
 ...
 CR2: 000000000000000e CR3: 000000004b1bc003 CR4: 0000000000060ef0
 Call Trace:
  kcm_create+0x600/0xbf0 [kcm]
  __sock_create+0x324/0x750 net/socket.c:1272
 ...

This is due to race between sock_create and unfinished
register_pernet_device. kcm_create tries to do "net_generic(net,
kcm_net_id)". but kcm_net_id is not initialized yet.

So switch the order of the two to close the race.

This can be reproduced with mutiple processes doing socket(PF_KCM, ...)
and one process doing module removal.

Fixes: ab7ac4eb ("kcm: Kernel Connection Multiplexor module")
Reviewed-by: default avatarMichal Kubecek <mkubecek@suse.cz>
Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent c4df1bdd
...@@ -2054,14 +2054,14 @@ static int __init kcm_init(void) ...@@ -2054,14 +2054,14 @@ static int __init kcm_init(void)
if (err) if (err)
goto fail; goto fail;
err = sock_register(&kcm_family_ops);
if (err)
goto sock_register_fail;
err = register_pernet_device(&kcm_net_ops); err = register_pernet_device(&kcm_net_ops);
if (err) if (err)
goto net_ops_fail; goto net_ops_fail;
err = sock_register(&kcm_family_ops);
if (err)
goto sock_register_fail;
err = kcm_proc_init(); err = kcm_proc_init();
if (err) if (err)
goto proc_init_fail; goto proc_init_fail;
...@@ -2069,12 +2069,12 @@ static int __init kcm_init(void) ...@@ -2069,12 +2069,12 @@ static int __init kcm_init(void)
return 0; return 0;
proc_init_fail: proc_init_fail:
unregister_pernet_device(&kcm_net_ops);
net_ops_fail:
sock_unregister(PF_KCM); sock_unregister(PF_KCM);
sock_register_fail: sock_register_fail:
unregister_pernet_device(&kcm_net_ops);
net_ops_fail:
proto_unregister(&kcm_proto); proto_unregister(&kcm_proto);
fail: fail:
...@@ -2090,8 +2090,8 @@ static int __init kcm_init(void) ...@@ -2090,8 +2090,8 @@ static int __init kcm_init(void)
static void __exit kcm_exit(void) static void __exit kcm_exit(void)
{ {
kcm_proc_exit(); kcm_proc_exit();
unregister_pernet_device(&kcm_net_ops);
sock_unregister(PF_KCM); sock_unregister(PF_KCM);
unregister_pernet_device(&kcm_net_ops);
proto_unregister(&kcm_proto); proto_unregister(&kcm_proto);
destroy_workqueue(kcm_wq); destroy_workqueue(kcm_wq);
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment