[RHEL7,COMMIT] ms/dccp: call inet_add_protocol after register_pernet_subsys in dccp_v4_init

Submitted by Konstantin Khorenko on Jan. 31, 2018, 1:02 p.m.

Details

Message ID 201801311302.w0VD2lEe015629@finist_ce7.work
State New
Series "Series without cover letter"
Headers show

Commit Message

Konstantin Khorenko Jan. 31, 2018, 1:02 p.m.
The commit is pushed to "branch-rh7-3.10.0-693.11.6.vz7.42.x-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
after rh7-3.10.0-693.11.6.vz7.42.3
------>
commit 0b2737515ce7185c7b9881ce3c2f998de0d4abaf
Author: Xin Long <lucien.xin@gmail.com>
Date:   Wed Jan 31 16:02:47 2018 +0300

    ms/dccp: call inet_add_protocol after register_pernet_subsys in dccp_v4_init
    
    Backport of ms commit d5494acb88aa
    
    Now dccp_ipv4 works as a kernel module. During loading this module, if
    one dccp packet is being recieved after inet_add_protocol but before
    register_pernet_subsys in which v4_ctl_sk is initialized, a null pointer
    dereference may be triggered because of init_net.dccp.v4_ctl_sk is 0x0.
    
    Jianlin found this issue when the following call trace occurred:
    
    [  171.950177] BUG: unable to handle kernel NULL pointer dereference at 0000000000000110
    [  171.951007] IP: [<ffffffffc0558364>] dccp_v4_ctl_send_reset+0xc4/0x220 [dccp_ipv4]
    [...]
    [  171.984629] Call Trace:
    [  171.984859]  <IRQ>
    [  171.985061]
    [  171.985213]  [<ffffffffc0559a53>] dccp_v4_rcv+0x383/0x3f9 [dccp_ipv4]
    [  171.985711]  [<ffffffff815ca054>] ip_local_deliver_finish+0xb4/0x1f0
    [  171.986309]  [<ffffffff815ca339>] ip_local_deliver+0x59/0xd0
    [  171.986852]  [<ffffffff810cd7a4>] ? update_curr+0x104/0x190
    [  171.986956]  [<ffffffff815c9cda>] ip_rcv_finish+0x8a/0x350
    [  171.986956]  [<ffffffff815ca666>] ip_rcv+0x2b6/0x410
    [  171.986956]  [<ffffffff810c83b4>] ? task_cputime+0x44/0x80
    [  171.986956]  [<ffffffff81586f22>] __netif_receive_skb_core+0x572/0x7c0
    [  171.986956]  [<ffffffff810d2c51>] ? trigger_load_balance+0x61/0x1e0
    [  171.986956]  [<ffffffff81587188>] __netif_receive_skb+0x18/0x60
    [  171.986956]  [<ffffffff8158841e>] process_backlog+0xae/0x180
    [  171.986956]  [<ffffffff8158799d>] net_rx_action+0x16d/0x380
    [  171.986956]  [<ffffffff81090b7f>] __do_softirq+0xef/0x280
    [  171.986956]  [<ffffffff816b6a1c>] call_softirq+0x1c/0x30
    
    This patch is to move inet_add_protocol after register_pernet_subsys in
    dccp_v4_init, so that v4_ctl_sk is initialized before any incoming dccp
    packets are processed.
    
    Reported-by: Jianlin Shi <jishi@redhat.com>
    Signed-off-by: Xin Long <lucien.xin@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    
    https://jira.sw.ru/browse/PSBM-80708
    Signed-off-by: Kirill Tkhai <ktkhai@virtuozzo.com>
---
 net/dccp/ipv4.c | 17 +++++++++--------
 1 file changed, 9 insertions(+), 8 deletions(-)

Patch hide | download patch | download mbox

diff --git a/net/dccp/ipv4.c b/net/dccp/ipv4.c
index 2062b727c406..0beaf986f087 100644
--- a/net/dccp/ipv4.c
+++ b/net/dccp/ipv4.c
@@ -1057,33 +1057,34 @@  static int __init dccp_v4_init(void)
 {
 	int err = proto_register(&dccp_v4_prot, 1);
 
-	if (err != 0)
+	if (err)
 		goto out;
 
-	err = inet_add_protocol(&dccp_v4_protocol, IPPROTO_DCCP);
-	if (err != 0)
-		goto out_proto_unregister;
-
 	inet_register_protosw(&dccp_v4_protosw);
 
 	err = register_pernet_subsys(&dccp_v4_ops);
 	if (err)
 		goto out_destroy_ctl_sock;
+
+	err = inet_add_protocol(&dccp_v4_protocol, IPPROTO_DCCP);
+	if (err)
+		goto out_proto_unregister;
+
 out:
 	return err;
+out_proto_unregister:
+	unregister_pernet_subsys(&dccp_v4_ops);
 out_destroy_ctl_sock:
 	inet_unregister_protosw(&dccp_v4_protosw);
-	inet_del_protocol(&dccp_v4_protocol, IPPROTO_DCCP);
-out_proto_unregister:
 	proto_unregister(&dccp_v4_prot);
 	goto out;
 }
 
 static void __exit dccp_v4_exit(void)
 {
+	inet_del_protocol(&dccp_v4_protocol, IPPROTO_DCCP);
 	unregister_pernet_subsys(&dccp_v4_ops);
 	inet_unregister_protosw(&dccp_v4_protosw);
-	inet_del_protocol(&dccp_v4_protocol, IPPROTO_DCCP);
 	proto_unregister(&dccp_v4_prot);
 }