[PATCH AUTOSEL for 4.4 057/162] dccp: call inet_add_protocol after register_pernet_subsys in dccp_v4_init

2018-04-08 Thread Sasha Levin 
From: Xin Long 

[ Upstream commit d5494acb88aa9dd1325079c9b8855008a52c19b3 ]

Now dccp_ipv4 works as a kernel module. During loading this module, if
one dccp packet is being recieved after inet_add_protocol but before
register_pernet_subsys in which v4_ctl_sk is initialized, a null pointer
dereference may be triggered because of init_net.dccp.v4_ctl_sk is 0x0.

Jianlin found this issue when the following call trace occurred:

[  171.950177] BUG: unable to handle kernel NULL pointer dereference at 
0110
[  171.951007] IP: [] dccp_v4_ctl_send_reset+0xc4/0x220 
[dccp_ipv4]
[...]
[  171.984629] Call Trace:
[  171.984859]  
[  171.985061]
[  171.985213]  [] dccp_v4_rcv+0x383/0x3f9 [dccp_ipv4]
[  171.985711]  [] ip_local_deliver_finish+0xb4/0x1f0
[  171.986309]  [] ip_local_deliver+0x59/0xd0
[  171.986852]  [] ? update_curr+0x104/0x190
[  171.986956]  [] ip_rcv_finish+0x8a/0x350
[  171.986956]  [] ip_rcv+0x2b6/0x410
[  171.986956]  [] ? task_cputime+0x44/0x80
[  171.986956]  [] __netif_receive_skb_core+0x572/0x7c0
[  171.986956]  [] ? trigger_load_balance+0x61/0x1e0
[  171.986956]  [] __netif_receive_skb+0x18/0x60
[  171.986956]  [] process_backlog+0xae/0x180
[  171.986956]  [] net_rx_action+0x16d/0x380
[  171.986956]  [] __do_softirq+0xef/0x280
[  171.986956]  [] call_softirq+0x1c/0x30

This patch is to move inet_add_protocol after register_pernet_subsys in
dccp_v4_init, so that v4_ctl_sk is initialized before any incoming dccp
packets are processed.

Reported-by: Jianlin Shi 
Signed-off-by: Xin Long 
Signed-off-by: David S. Miller 
Signed-off-by: Sasha Levin 
---
 net/dccp/ipv4.c | 17 +
 1 file changed, 9 insertions(+), 8 deletions(-)

diff --git a/net/dccp/ipv4.c b/net/dccp/ipv4.c
index 6eb2bbf9873b..dfda437cd86b 100644
--- a/net/dccp/ipv4.c
+++ b/net/dccp/ipv4.c
@@ -1033,33 +1033,34 @@ static int __init dccp_v4_init(void)
 {
int err = proto_register(_v4_prot, 1);
 
-   if (err != 0)
+   if (err)
goto out;
 
-   err = inet_add_protocol(_v4_protocol, IPPROTO_DCCP);
-   if (err != 0)
-   goto out_proto_unregister;
-
inet_register_protosw(_v4_protosw);
 
err = register_pernet_subsys(_v4_ops);
if (err)
goto out_destroy_ctl_sock;
+
+   err = inet_add_protocol(_v4_protocol, IPPROTO_DCCP);
+   if (err)
+   goto out_proto_unregister;
+
 out:
return err;
+out_proto_unregister:
+   unregister_pernet_subsys(_v4_ops);
 out_destroy_ctl_sock:
inet_unregister_protosw(_v4_protosw);
-   inet_del_protocol(_v4_protocol, IPPROTO_DCCP);
-out_proto_unregister:
proto_unregister(_v4_prot);
goto out;
 }
 
 static void __exit dccp_v4_exit(void)
 {
+   inet_del_protocol(_v4_protocol, IPPROTO_DCCP);
unregister_pernet_subsys(_v4_ops);
inet_unregister_protosw(_v4_protosw);
-   inet_del_protocol(_v4_protocol, IPPROTO_DCCP);
proto_unregister(_v4_prot);
 }
 
-- 
2.15.1

[PATCH AUTOSEL for 4.4 057/162] dccp: call inet_add_protocol after register_pernet_subsys in dccp_v4_init

2018-04-08 Thread Sasha Levin 
From: Xin Long 

[ Upstream commit d5494acb88aa9dd1325079c9b8855008a52c19b3 ]

Now dccp_ipv4 works as a kernel module. During loading this module, if
one dccp packet is being recieved after inet_add_protocol but before
register_pernet_subsys in which v4_ctl_sk is initialized, a null pointer
dereference may be triggered because of init_net.dccp.v4_ctl_sk is 0x0.

Jianlin found this issue when the following call trace occurred:

[  171.950177] BUG: unable to handle kernel NULL pointer dereference at 
0110
[  171.951007] IP: [] dccp_v4_ctl_send_reset+0xc4/0x220 
[dccp_ipv4]
[...]
[  171.984629] Call Trace:
[  171.984859]  
[  171.985061]
[  171.985213]  [] dccp_v4_rcv+0x383/0x3f9 [dccp_ipv4]
[  171.985711]  [] ip_local_deliver_finish+0xb4/0x1f0
[  171.986309]  [] ip_local_deliver+0x59/0xd0
[  171.986852]  [] ? update_curr+0x104/0x190
[  171.986956]  [] ip_rcv_finish+0x8a/0x350
[  171.986956]  [] ip_rcv+0x2b6/0x410
[  171.986956]  [] ? task_cputime+0x44/0x80
[  171.986956]  [] __netif_receive_skb_core+0x572/0x7c0
[  171.986956]  [] ? trigger_load_balance+0x61/0x1e0
[  171.986956]  [] __netif_receive_skb+0x18/0x60
[  171.986956]  [] process_backlog+0xae/0x180
[  171.986956]  [] net_rx_action+0x16d/0x380
[  171.986956]  [] __do_softirq+0xef/0x280
[  171.986956]  [] call_softirq+0x1c/0x30

This patch is to move inet_add_protocol after register_pernet_subsys in
dccp_v4_init, so that v4_ctl_sk is initialized before any incoming dccp
packets are processed.

Reported-by: Jianlin Shi 
Signed-off-by: Xin Long 
Signed-off-by: David S. Miller 
Signed-off-by: Sasha Levin 
---
 net/dccp/ipv4.c | 17 +
 1 file changed, 9 insertions(+), 8 deletions(-)

diff --git a/net/dccp/ipv4.c b/net/dccp/ipv4.c
index 6eb2bbf9873b..dfda437cd86b 100644
--- a/net/dccp/ipv4.c
+++ b/net/dccp/ipv4.c
@@ -1033,33 +1033,34 @@ static int __init dccp_v4_init(void)
 {
int err = proto_register(_v4_prot, 1);
 
-   if (err != 0)
+   if (err)
goto out;
 
-   err = inet_add_protocol(_v4_protocol, IPPROTO_DCCP);
-   if (err != 0)
-   goto out_proto_unregister;
-
inet_register_protosw(_v4_protosw);
 
err = register_pernet_subsys(_v4_ops);
if (err)
goto out_destroy_ctl_sock;
+
+   err = inet_add_protocol(_v4_protocol, IPPROTO_DCCP);
+   if (err)
+   goto out_proto_unregister;
+
 out:
return err;
+out_proto_unregister:
+   unregister_pernet_subsys(_v4_ops);
 out_destroy_ctl_sock:
inet_unregister_protosw(_v4_protosw);
-   inet_del_protocol(_v4_protocol, IPPROTO_DCCP);
-out_proto_unregister:
proto_unregister(_v4_prot);
goto out;
 }
 
 static void __exit dccp_v4_exit(void)
 {
+   inet_del_protocol(_v4_protocol, IPPROTO_DCCP);
unregister_pernet_subsys(_v4_ops);
inet_unregister_protosw(_v4_protosw);
-   inet_del_protocol(_v4_protocol, IPPROTO_DCCP);
proto_unregister(_v4_prot);
 }
 
-- 
2.15.1