Received: by 2002:a05:6a10:f347:0:0:0:0 with SMTP id d7csp14289027pxu; Mon, 4 Jan 2021 19:30:31 -0800 (PST) X-Google-Smtp-Source: ABdhPJxjlbJVuQDMYW8kxTaHjLv9lAT8vZOuDkeGdw56aXIfBYCfRjga93fnOqD7r6BQjoivG3ae X-Received: by 2002:a17:906:4544:: with SMTP id s4mr68053129ejq.366.1609817431056; Mon, 04 Jan 2021 19:30:31 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1609817431; cv=none; d=google.com; s=arc-20160816; b=lS32MYoR9pzIC0qq+m2MiFiofcDVMl1H4NB7QobN95E/u4cwMwwgKQFGkOQbVIEtEJ kCEQcElTFeTXZBySEmMFXADWiP2qfE5iHydyqZ+9syPvLitUCaty69PyB6rkKYlN5rFn yX5bR/FMDpX7v0l/h/gfdY192e0/yYNwDXb+uxspbdzCq2jURQoXwEGD2V47DFSzaZcT Ep/97sKPOkKHqZYVIpdHbXk8RPVpdmVcZGyxaD9Q41/n0lmt9h2SN3x/K9PuwIoXDqjB 0aKS533wqGZV5ENpExJNrqh8ef8Ji/W5UkyMIughtbN34+eJDcUF2PoAYYgp7mTwS7Gv GcPA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:in-reply-to :mime-version:user-agent:date:message-id:from:references:cc:to :subject; bh=73KnpwqqEGakLlQSyDfC9dtgqKJcQAdP5RN4ypuxhHM=; b=O9o3IY5KpsFTxtVvMvLdsgf3XfgfKctmExOxv+P0MD/UyCB+v/VU7VJFUWvInG5o4y k1AD1mLP84+Fub9kEMiSm0CUfD2CDgdEuz5P6PpW+7RIgaTkqpqJ4USQkGxz9FWduAL5 YxhmGHNb57wUUG9mNpJSU7grFuNXHsLhUzwItRaci3Qp1W0eVWx73sKMMkrmMtaKmgAe ZvspBAyEZrqs4NMR3JOPN7vLPypa3ymnnDm/TFZtkh7/Vezwach2XNsdK4eFp5+768/j xAGgh79PGBqCBTJzYDZ/uPQo+wLdUu+qqfefyTVtjhXq+813ysdBcjyLKNYsbyXtX+L7 6XpQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id y22si32576717ejc.25.2021.01.04.19.30.08; Mon, 04 Jan 2021 19:30:31 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728215AbhAED2x (ORCPT + 99 others); Mon, 4 Jan 2021 22:28:53 -0500 Received: from szxga05-in.huawei.com ([45.249.212.191]:10017 "EHLO szxga05-in.huawei.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727980AbhAED2x (ORCPT ); Mon, 4 Jan 2021 22:28:53 -0500 Received: from DGGEMS405-HUB.china.huawei.com (unknown [172.30.72.59]) by szxga05-in.huawei.com (SkyGuard) with ESMTP id 4D8ybl5qZ4zj3GX; Tue, 5 Jan 2021 11:27:15 +0800 (CST) Received: from [10.174.176.75] (10.174.176.75) by smtp.huawei.com (10.3.19.205) with Microsoft SMTP Server id 14.3.498.0; Tue, 5 Jan 2021 11:28:02 +0800 Subject: Re: [PATCH] net: qrtr: fix null-ptr-deref in qrtr_ns_remove To: Qinglang Miao , "David S. Miller" , Jakub Kicinski CC: "netdev@vger.kernel.org" , "linux-kernel@vger.kernel.org" References: <20210105024051.150451-1-miaoqinglang@huawei.com> From: "weiyongjun (A)" Message-ID: Date: Tue, 5 Jan 2021 11:28:02 +0800 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:68.0) Gecko/20100101 Thunderbird/68.7.0 MIME-Version: 1.0 In-Reply-To: <20210105024051.150451-1-miaoqinglang@huawei.com> Content-Type: text/plain; charset="gbk"; format=flowed Content-Transfer-Encoding: 7bit X-Originating-IP: [10.174.176.75] X-CFilter-Loop: Reflected Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org > A null-ptr-deref bug is reported by Hulk Robot like this: > -------------- > KASAN: null-ptr-deref in range [0x0000000000000128-0x000000000000012f] > Call Trace: > qrtr_ns_remove+0x22/0x40 [ns] > qrtr_proto_fini+0xa/0x31 [qrtr] > __x64_sys_delete_module+0x337/0x4e0 > do_syscall_64+0x34/0x80 > entry_SYSCALL_64_after_hwframe+0x44/0xa9 > RIP: 0033:0x468ded > -------------- > > When qrtr_ns_init fails in qrtr_proto_init, qrtr_ns_remove which would > be called later on would raise a null-ptr-deref because qrtr_ns.workqueue > has been destroyed. > > Fix it by making qrtr_ns_init have a return value and adding a check in > qrtr_proto_init. > > Reported-by: Hulk Robot > Signed-off-by: Qinglang Miao > --- > net/qrtr/ns.c | 7 ++++--- > net/qrtr/qrtr.c | 14 +++++++++++--- > net/qrtr/qrtr.h | 2 +- > 3 files changed, 16 insertions(+), 7 deletions(-) > > diff --git a/net/qrtr/ns.c b/net/qrtr/ns.c > index 56aaf8cb6..8d00dfe81 100644 > --- a/net/qrtr/ns.c > +++ b/net/qrtr/ns.c > @@ -755,7 +755,7 @@ static void qrtr_ns_data_ready(struct sock *sk) > queue_work(qrtr_ns.workqueue, &qrtr_ns.work); > } > > -void qrtr_ns_init(void) > +int qrtr_ns_init(void) > { > struct sockaddr_qrtr sq; > int ret; > @@ -766,7 +766,7 @@ void qrtr_ns_init(void) > ret = sock_create_kern(&init_net, AF_QIPCRTR, SOCK_DGRAM, > PF_QIPCRTR, &qrtr_ns.sock); > if (ret < 0) > - return; > + return ret; > > ret = kernel_getsockname(qrtr_ns.sock, (struct sockaddr *)&sq); > if (ret < 0) { > @@ -797,12 +797,13 @@ void qrtr_ns_init(void) > if (ret < 0) > goto err_wq; > > - return; > + return 0; > > err_wq: > destroy_workqueue(qrtr_ns.workqueue); > err_sock: > sock_release(qrtr_ns.sock); > + return ret; > } > EXPORT_SYMBOL_GPL(qrtr_ns_init); > > diff --git a/net/qrtr/qrtr.c b/net/qrtr/qrtr.c > index f4ab3ca6d..95533e451 100644 > --- a/net/qrtr/qrtr.c > +++ b/net/qrtr/qrtr.c > @@ -1288,12 +1288,20 @@ static int __init qrtr_proto_init(void) > > rc = sock_register(&qrtr_family); > if (rc) { > - proto_unregister(&qrtr_proto); > - return rc; > + goto err_proto; > } > braces {} are not necessary for single statement. > - qrtr_ns_init(); > + rc = qrtr_ns_init(); > + if (rc) { > + goto err_sock; > + } > > + return 0; > + > +err_sock: > + sock_unregister(qrtr_family.family); > +err_proto: > + proto_unregister(&qrtr_proto); > return rc; > } > postcore_initcall(qrtr_proto_init); > diff --git a/net/qrtr/qrtr.h b/net/qrtr/qrtr.h > index dc2b67f17..3f2d28696 100644 > --- a/net/qrtr/qrtr.h > +++ b/net/qrtr/qrtr.h > @@ -29,7 +29,7 @@ void qrtr_endpoint_unregister(struct qrtr_endpoint *ep); > > int qrtr_endpoint_post(struct qrtr_endpoint *ep, const void *data, size_t len); > > -void qrtr_ns_init(void); > +int qrtr_ns_init(void); > > void qrtr_ns_remove(void); >