From d5494acb88aa9dd1325079c9b8855008a52c19b3 Mon Sep 17 00:00:00 2001 From: Xin Long Date: Tue, 20 Jun 2017 15:42:38 +0800 Subject: [PATCH] dccp: call inet_add_protocol after register_pernet_subsys in dccp_v4_init Now dccp_ipv4 works as a kernel module. During loading this module, if one dccp packet is being recieved after inet_add_protocol but before register_pernet_subsys in which v4_ctl_sk is initialized, a null pointer dereference may be triggered because of init_net.dccp.v4_ctl_sk is 0x0. Jianlin found this issue when the following call trace occurred: [ 171.950177] BUG: unable to handle kernel NULL pointer dereference at 0000000000000110 [ 171.951007] IP: [] dccp_v4_ctl_send_reset+0xc4/0x220 [dccp_ipv4] [...] [ 171.984629] Call Trace: [ 171.984859] [ 171.985061] [ 171.985213] [] dccp_v4_rcv+0x383/0x3f9 [dccp_ipv4] [ 171.985711] [] ip_local_deliver_finish+0xb4/0x1f0 [ 171.986309] [] ip_local_deliver+0x59/0xd0 [ 171.986852] [] ? update_curr+0x104/0x190 [ 171.986956] [] ip_rcv_finish+0x8a/0x350 [ 171.986956] [] ip_rcv+0x2b6/0x410 [ 171.986956] [] ? task_cputime+0x44/0x80 [ 171.986956] [] __netif_receive_skb_core+0x572/0x7c0 [ 171.986956] [] ? trigger_load_balance+0x61/0x1e0 [ 171.986956] [] __netif_receive_skb+0x18/0x60 [ 171.986956] [] process_backlog+0xae/0x180 [ 171.986956] [] net_rx_action+0x16d/0x380 [ 171.986956] [] __do_softirq+0xef/0x280 [ 171.986956] [] call_softirq+0x1c/0x30 This patch is to move inet_add_protocol after register_pernet_subsys in dccp_v4_init, so that v4_ctl_sk is initialized before any incoming dccp packets are processed. Reported-by: Jianlin Shi Signed-off-by: Xin Long Signed-off-by: David S. Miller --- net/dccp/ipv4.c | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) diff --git a/net/dccp/ipv4.c b/net/dccp/ipv4.c index f75482bdee9a..f85d901f4e3f 100644 --- a/net/dccp/ipv4.c +++ b/net/dccp/ipv4.c @@ -1033,33 +1033,34 @@ static int __init dccp_v4_init(void) { int err = proto_register(&dccp_v4_prot, 1); - if (err != 0) + if (err) goto out; - err = inet_add_protocol(&dccp_v4_protocol, IPPROTO_DCCP); - if (err != 0) - goto out_proto_unregister; - inet_register_protosw(&dccp_v4_protosw); err = register_pernet_subsys(&dccp_v4_ops); if (err) goto out_destroy_ctl_sock; + + err = inet_add_protocol(&dccp_v4_protocol, IPPROTO_DCCP); + if (err) + goto out_proto_unregister; + out: return err; +out_proto_unregister: + unregister_pernet_subsys(&dccp_v4_ops); out_destroy_ctl_sock: inet_unregister_protosw(&dccp_v4_protosw); - inet_del_protocol(&dccp_v4_protocol, IPPROTO_DCCP); -out_proto_unregister: proto_unregister(&dccp_v4_prot); goto out; } static void __exit dccp_v4_exit(void) { + inet_del_protocol(&dccp_v4_protocol, IPPROTO_DCCP); unregister_pernet_subsys(&dccp_v4_ops); inet_unregister_protosw(&dccp_v4_protosw); - inet_del_protocol(&dccp_v4_protocol, IPPROTO_DCCP); proto_unregister(&dccp_v4_prot); } -- 2.20.1