* [PATCH] kcm: switch order of device registration to fix a crash
@ 2019-03-29 11:19 Jiri Slaby
2019-04-01 21:59 ` David Miller
0 siblings, 1 reply; 2+ messages in thread
From: Jiri Slaby @ 2019-03-29 11:19 UTC (permalink / raw)
To: davem; +Cc: netdev, linux-kernel, Jiri Slaby, Michal Kubecek
When kcm is loaded while many processes try to create a KCM socket, a
crash occurs:
BUG: unable to handle kernel NULL pointer dereference at 000000000000000e
IP: mutex_lock+0x27/0x40 kernel/locking/mutex.c:240
PGD 8000000016ef2067 P4D 8000000016ef2067 PUD 3d6e9067 PMD 0
Oops: 0002 [#1] SMP KASAN PTI
CPU: 0 PID: 7005 Comm: syz-executor.5 Not tainted 4.12.14-396-default #1 SLE15-SP1 (unreleased)
RIP: 0010:mutex_lock+0x27/0x40 kernel/locking/mutex.c:240
RSP: 0018:ffff88000d487a00 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 000000000000000e RCX: 1ffff100082b0719
...
CR2: 000000000000000e CR3: 000000004b1bc003 CR4: 0000000000060ef0
Call Trace:
kcm_create+0x600/0xbf0 [kcm]
__sock_create+0x324/0x750 net/socket.c:1272
...
This is due to race between sock_create and unfinished
register_pernet_device. kcm_create tries to do "net_generic(net,
kcm_net_id)". but kcm_net_id is not initialized yet.
So switch the order of the two to close the race.
This can be reproduced with mutiple processes doing socket(PF_KCM, ...)
and one process doing module removal.
Fixes: ab7ac4eb9832 ("kcm: Kernel Connection Multiplexor module")
Reviewed-by: Michal Kubecek <mkubecek@suse.cz>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
net/kcm/kcmsock.c | 16 ++++++++--------
1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/net/kcm/kcmsock.c b/net/kcm/kcmsock.c
index c5c5ab6c5a1c..44fdc641710d 100644
--- a/net/kcm/kcmsock.c
+++ b/net/kcm/kcmsock.c
@@ -2054,14 +2054,14 @@ static int __init kcm_init(void)
if (err)
goto fail;
- err = sock_register(&kcm_family_ops);
- if (err)
- goto sock_register_fail;
-
err = register_pernet_device(&kcm_net_ops);
if (err)
goto net_ops_fail;
+ err = sock_register(&kcm_family_ops);
+ if (err)
+ goto sock_register_fail;
+
err = kcm_proc_init();
if (err)
goto proc_init_fail;
@@ -2069,12 +2069,12 @@ static int __init kcm_init(void)
return 0;
proc_init_fail:
- unregister_pernet_device(&kcm_net_ops);
-
-net_ops_fail:
sock_unregister(PF_KCM);
sock_register_fail:
+ unregister_pernet_device(&kcm_net_ops);
+
+net_ops_fail:
proto_unregister(&kcm_proto);
fail:
@@ -2090,8 +2090,8 @@ static int __init kcm_init(void)
static void __exit kcm_exit(void)
{
kcm_proc_exit();
- unregister_pernet_device(&kcm_net_ops);
sock_unregister(PF_KCM);
+ unregister_pernet_device(&kcm_net_ops);
proto_unregister(&kcm_proto);
destroy_workqueue(kcm_wq);
--
2.21.0
^ permalink raw reply related [flat|nested] 2+ messages in thread
* Re: [PATCH] kcm: switch order of device registration to fix a crash
2019-03-29 11:19 [PATCH] kcm: switch order of device registration to fix a crash Jiri Slaby
@ 2019-04-01 21:59 ` David Miller
0 siblings, 0 replies; 2+ messages in thread
From: David Miller @ 2019-04-01 21:59 UTC (permalink / raw)
To: jslaby; +Cc: netdev, linux-kernel, mkubecek
From: Jiri Slaby <jslaby@suse.cz>
Date: Fri, 29 Mar 2019 12:19:46 +0100
> When kcm is loaded while many processes try to create a KCM socket, a
> crash occurs:
> BUG: unable to handle kernel NULL pointer dereference at 000000000000000e
> IP: mutex_lock+0x27/0x40 kernel/locking/mutex.c:240
> PGD 8000000016ef2067 P4D 8000000016ef2067 PUD 3d6e9067 PMD 0
> Oops: 0002 [#1] SMP KASAN PTI
> CPU: 0 PID: 7005 Comm: syz-executor.5 Not tainted 4.12.14-396-default #1 SLE15-SP1 (unreleased)
> RIP: 0010:mutex_lock+0x27/0x40 kernel/locking/mutex.c:240
> RSP: 0018:ffff88000d487a00 EFLAGS: 00010246
> RAX: 0000000000000000 RBX: 000000000000000e RCX: 1ffff100082b0719
> ...
> CR2: 000000000000000e CR3: 000000004b1bc003 CR4: 0000000000060ef0
> Call Trace:
> kcm_create+0x600/0xbf0 [kcm]
> __sock_create+0x324/0x750 net/socket.c:1272
> ...
>
> This is due to race between sock_create and unfinished
> register_pernet_device. kcm_create tries to do "net_generic(net,
> kcm_net_id)". but kcm_net_id is not initialized yet.
>
> So switch the order of the two to close the race.
>
> This can be reproduced with mutiple processes doing socket(PF_KCM, ...)
> and one process doing module removal.
>
> Fixes: ab7ac4eb9832 ("kcm: Kernel Connection Multiplexor module")
> Reviewed-by: Michal Kubecek <mkubecek@suse.cz>
> Signed-off-by: Jiri Slaby <jslaby@suse.cz>
Applied and queued up for -stable, thanks.
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2019-04-01 21:59 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-03-29 11:19 [PATCH] kcm: switch order of device registration to fix a crash Jiri Slaby
2019-04-01 21:59 ` David Miller
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).