
Commit 3c446e6

Jiri Slabydavem330
authored andcommitted
kcm: switch order of device registration to fix a crash
When kcm is loaded while many processes try to create a KCM socket, a crash occurs: BUG: unable to handle kernel NULL pointer dereference at 000000000000000e IP: mutex_lock+0x27/0x40 kernel/locking/mutex.c:240 PGD 8000000016ef2067 P4D 8000000016ef2067 PUD 3d6e9067 PMD 0 Oops: 0002 [#1] SMP KASAN PTI CPU: 0 PID: 7005 Comm: syz-executor.5 Not tainted 4.12.14-396-default #1 SLE15-SP1 (unreleased) RIP: 0010:mutex_lock+0x27/0x40 kernel/locking/mutex.c:240 RSP: 0018:ffff88000d487a00 EFLAGS: 00010246 RAX: 0000000000000000 RBX: 000000000000000e RCX: 1ffff100082b0719 ... CR2: 000000000000000e CR3: 000000004b1bc003 CR4: 0000000000060ef0 Call Trace: kcm_create+0x600/0xbf0 [kcm] __sock_create+0x324/0x750 net/socket.c:1272 ... This is due to a race between sock_create and an unfinished register_pernet_device. kcm_create tries to do "net_generic(net, kcm_net_id)", but kcm_net_id is not initialized yet. So switch the order of the two to close the race. This can be reproduced with multiple processes doing socket(PF_KCM, ...) and one process doing module removal. Fixes: ab7ac4e ("kcm: Kernel Connection Multiplexor module") Reviewed-by: Michal Kubecek <[email protected]> Signed-off-by: Jiri Slaby <[email protected]> Signed-off-by: David S. Miller <[email protected]>
1 parent c4df1bd commit 3c446e6


1 file changed

+8
-8
lines changed


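--- a/net/kcm/kcmsock.c
+++ b/net/kcm/kcmsock.c
@@ -2054,27 +2054,27 @@ static int __init kcm_init(void)
 	if (err)
 		goto fail;
 
-	err = sock_register(&kcm_family_ops);
-	if (err)
-		goto sock_register_fail;
-
 	err = register_pernet_device(&kcm_net_ops);
 	if (err)
 		goto net_ops_fail;
 
+	err = sock_register(&kcm_family_ops);
+	if (err)
+		goto sock_register_fail;
+
 	err = kcm_proc_init();
 	if (err)
 		goto proc_init_fail;
 
 	return 0;
 
 proc_init_fail:
-	unregister_pernet_device(&kcm_net_ops);
-
-net_ops_fail:
 	sock_unregister(PF_KCM);
 
 sock_register_fail:
+	unregister_pernet_device(&kcm_net_ops);
+
+net_ops_fail:
 	proto_unregister(&kcm_proto);
 
 fail:
@@ -2090,8 +2090,8 @@ static int __init kcm_init(void)
 static void __exit kcm_exit(void)
 {
 	kcm_proc_exit();
-	unregister_pernet_device(&kcm_net_ops);
 	sock_unregister(PF_KCM);
+	unregister_pernet_device(&kcm_net_ops);
 	proto_unregister(&kcm_proto);
 	destroy_workqueue(kcm_wq);
 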
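Review bot: The new call order in kcm_init (first hunk) is now load-bearing, but nothing in the code records why, so a later cleanup that "tidies" the registration sequence could put sock_register() back in front and reopen the window in which kcm_create() reads kcm_net_id before register_pernet_device() has set it up. A one-line comment above the register_pernet_device() call would pin the dependency, e.g. `/* Must precede sock_register(): once PF_KCM is reachable, kcm_create() reads kcm_net_id, which this call initialises. */`. The reversed unwind labels in the same hunk and the mirrored change in kcm_exit (second hunk) are consistent with the new order, so the fix itself looks complete. kcm_init begins before the first hunk and continues past the `fail:` label, so the earlier registration it unwinds is not visible here.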