• Jiri Slaby's avatar
    kcm: switch order of device registration to fix a crash · b09d697a
    Jiri Slaby authored
    [ Upstream commit 3c446e6f ]
    
    When kcm is loaded while many processes try to create a KCM socket, a
    crash occurs:
     BUG: unable to handle kernel NULL pointer dereference at 000000000000000e
     IP: mutex_lock+0x27/0x40 kernel/locking/mutex.c:240
     PGD 8000000016ef2067 P4D 8000000016ef2067 PUD 3d6e9067 PMD 0
     Oops: 0002 [#1] SMP KASAN PTI
     CPU: 0 PID: 7005 Comm: syz-executor.5 Not tainted 4.12.14-396-default #1 SLE15-SP1 (unreleased)
     RIP: 0010:mutex_lock+0x27/0x40 kernel/locking/mutex.c:240
     RSP: 0018:ffff88000d487a00 EFLAGS: 00010246
     RAX: 0000000000000000 RBX: 000000000000000e RCX: 1ffff100082b0719
     ...
     CR2: 000000000000000e CR3: 000000004b1bc003 CR4: 0000000000060ef0
     Call Trace:
      kcm_create+0x600/0xbf0 [kcm]
      __sock_create+0x324/0x750 net/socket.c:1272
     ...
    
    This is due to race between sock_create and unfinished
    register_pernet_device. kcm_create tries to do "net_generic(net,
    kcm_net_id)". but kcm_net_id is not initialized yet.
    
    So switch the order of the two to close the race.
    
    This can be reproduced with mutiple processes doing socket(PF_KCM, ...)
    and one process doing module removal.
    
    Fixes: ab7ac4eb ("kcm: Kernel Connection Multiplexor module")
    Reviewed-by: default avatarMichal Kubecek <mkubecek@suse.cz>
    Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
    Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
    Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
    b09d697a
kcmsock.c 45.2 KB