diff options
| author | Jiri Slaby <jslaby@suse.cz> | 2019-03-29 12:19:46 +0100 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2019-04-01 14:59:20 -0700 |
| commit | 3c446e6f96997f2a95bf0037ef463802162d2323 (patch) | |
| tree | 97592244c45d13d7b2a4ea568e57b275b6d536c2 /net/sctp | |
| parent | c4df1bddc4306a08bc8ec6a65d34386388d2f42f (diff) | |
| download | linux-3c446e6f96997f2a95bf0037ef463802162d2323.tar.gz linux-3c446e6f96997f2a95bf0037ef463802162d2323.tar.bz2 linux-3c446e6f96997f2a95bf0037ef463802162d2323.zip | |
kcm: switch order of device registration to fix a crash
When kcm is loaded while many processes try to create a KCM socket, a
crash occurs:
BUG: unable to handle kernel NULL pointer dereference at 000000000000000e
IP: mutex_lock+0x27/0x40 kernel/locking/mutex.c:240
PGD 8000000016ef2067 P4D 8000000016ef2067 PUD 3d6e9067 PMD 0
Oops: 0002 [#1] SMP KASAN PTI
CPU: 0 PID: 7005 Comm: syz-executor.5 Not tainted 4.12.14-396-default #1 SLE15-SP1 (unreleased)
RIP: 0010:mutex_lock+0x27/0x40 kernel/locking/mutex.c:240
RSP: 0018:ffff88000d487a00 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 000000000000000e RCX: 1ffff100082b0719
...
CR2: 000000000000000e CR3: 000000004b1bc003 CR4: 0000000000060ef0
Call Trace:
kcm_create+0x600/0xbf0 [kcm]
__sock_create+0x324/0x750 net/socket.c:1272
...
This is due to race between sock_create and unfinished
register_pernet_device. kcm_create tries to do "net_generic(net,
kcm_net_id)". but kcm_net_id is not initialized yet.
So switch the order of the two to close the race.
This can be reproduced with mutiple processes doing socket(PF_KCM, ...)
and one process doing module removal.
Fixes: ab7ac4eb9832 ("kcm: Kernel Connection Multiplexor module")
Reviewed-by: Michal Kubecek <mkubecek@suse.cz>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/sctp')
0 files changed, 0 insertions, 0 deletions