| Message ID | 20190329111946.19061-1-jslaby@suse.cz |
|---|---|
| State | Accepted |
| Delegated to: | David Miller |
| Headers | show |
| Series | kcm: switch order of device registration to fix a crash | expand |
From: Jiri Slaby <jslaby@suse.cz> Date: Fri, 29 Mar 2019 12:19:46 +0100 > When kcm is loaded while many processes try to create a KCM socket, a > crash occurs: > BUG: unable to handle kernel NULL pointer dereference at 000000000000000e > IP: mutex_lock+0x27/0x40 kernel/locking/mutex.c:240 > PGD 8000000016ef2067 P4D 8000000016ef2067 PUD 3d6e9067 PMD 0 > Oops: 0002 [#1] SMP KASAN PTI > CPU: 0 PID: 7005 Comm: syz-executor.5 Not tainted 4.12.14-396-default #1 SLE15-SP1 (unreleased) > RIP: 0010:mutex_lock+0x27/0x40 kernel/locking/mutex.c:240 > RSP: 0018:ffff88000d487a00 EFLAGS: 00010246 > RAX: 0000000000000000 RBX: 000000000000000e RCX: 1ffff100082b0719 > ... > CR2: 000000000000000e CR3: 000000004b1bc003 CR4: 0000000000060ef0 > Call Trace: > kcm_create+0x600/0xbf0 [kcm] > __sock_create+0x324/0x750 net/socket.c:1272 > ... > > This is due to race between sock_create and unfinished > register_pernet_device. kcm_create tries to do "net_generic(net, > kcm_net_id)". but kcm_net_id is not initialized yet. > > So switch the order of the two to close the race. > > This can be reproduced with mutiple processes doing socket(PF_KCM, ...) > and one process doing module removal. > > Fixes: ab7ac4eb9832 ("kcm: Kernel Connection Multiplexor module") > Reviewed-by: Michal Kubecek <mkubecek@suse.cz> > Signed-off-by: Jiri Slaby <jslaby@suse.cz> Applied and queued up for -stable, thanks.
diff --git a/net/kcm/kcmsock.c b/net/kcm/kcmsock.c index c5c5ab6c5a1c..44fdc641710d 100644 --- a/net/kcm/kcmsock.c +++ b/net/kcm/kcmsock.c @@ -2054,14 +2054,14 @@ static int __init kcm_init(void) if (err) goto fail; - err = sock_register(&kcm_family_ops); - if (err) - goto sock_register_fail; - err = register_pernet_device(&kcm_net_ops); if (err) goto net_ops_fail; + err = sock_register(&kcm_family_ops); + if (err) + goto sock_register_fail; + err = kcm_proc_init(); if (err) goto proc_init_fail; @@ -2069,12 +2069,12 @@ static int __init kcm_init(void) return 0; proc_init_fail: - unregister_pernet_device(&kcm_net_ops); - -net_ops_fail: sock_unregister(PF_KCM); sock_register_fail: + unregister_pernet_device(&kcm_net_ops); + +net_ops_fail: proto_unregister(&kcm_proto); fail: @@ -2090,8 +2090,8 @@ static int __init kcm_init(void) static void __exit kcm_exit(void) { kcm_proc_exit(); - unregister_pernet_device(&kcm_net_ops); sock_unregister(PF_KCM); + unregister_pernet_device(&kcm_net_ops); proto_unregister(&kcm_proto); destroy_workqueue(kcm_wq);
When kcm is loaded while many processes try to create a KCM socket, a crash occurs: BUG: unable to handle kernel NULL pointer dereference at 000000000000000e IP: mutex_lock+0x27/0x40 kernel/locking/mutex.c:240 PGD 8000000016ef2067 P4D 8000000016ef2067 PUD 3d6e9067 PMD 0 Oops: 0002 [#1] SMP KASAN PTI CPU: 0 PID: 7005 Comm: syz-executor.5 Not tainted 4.12.14-396-default #1 SLE15-SP1 (unreleased) RIP: 0010:mutex_lock+0x27/0x40 kernel/locking/mutex.c:240 RSP: 0018:ffff88000d487a00 EFLAGS: 00010246 RAX: 0000000000000000 RBX: 000000000000000e RCX: 1ffff100082b0719 ... CR2: 000000000000000e CR3: 000000004b1bc003 CR4: 0000000000060ef0 Call Trace: kcm_create+0x600/0xbf0 [kcm] __sock_create+0x324/0x750 net/socket.c:1272 ... This is due to race between sock_create and unfinished register_pernet_device. kcm_create tries to do "net_generic(net, kcm_net_id)". but kcm_net_id is not initialized yet. So switch the order of the two to close the race. This can be reproduced with mutiple processes doing socket(PF_KCM, ...) and one process doing module removal. Fixes: ab7ac4eb9832 ("kcm: Kernel Connection Multiplexor module") Reviewed-by: Michal Kubecek <mkubecek@suse.cz> Signed-off-by: Jiri Slaby <jslaby@suse.cz> --- net/kcm/kcmsock.c | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-)