From patchwork Thu Nov 3 09:03:45 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Chen Zhongjin X-Patchwork-Id: 14767 Return-Path: Delivered-To: ouuuleilei@gmail.com Received: by 2002:a5d:6687:0:0:0:0:0 with SMTP id l7csp408735wru; Thu, 3 Nov 2022 02:13:57 -0700 (PDT) X-Google-Smtp-Source: AMsMyM7UUjJy96LkNDkFWzjXKDcs9EowW8EBZOHSAuhHRoYv30Nz99Gj1zJr8P/SXGlfxdP0ohgF X-Received: by 2002:a17:90b:1d09:b0:213:ff80:17fd with SMTP id on9-20020a17090b1d0900b00213ff8017fdmr16039425pjb.14.1667466837426; Thu, 03 Nov 2022 02:13:57 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1667466837; cv=none; d=google.com; s=arc-20160816; b=VotOcmDm5ZFk2zhmQjVDWQ0oDSw0PguccK/UlpHQ98XMeRrenLaHKXk1pQtQ63cqaH iEAFfWSutmR8FZJHbxSotNV3cBvDoPULUL9aGVZ8WMPKkbMjfKykd+1qQC+Y+j5Wl+KP ZSNsHqVwGUupNzFsNFqkuIggF5lt8l552CQm/vWYQ4na02tiObxDXY+gT5yvQruxDfJ1 1Pg62T4aDtdUMQxvdXRfvveVGP7xniKnUwFxagm0ZiwbMa5ka0Vk5RV5NKP0izLmBUu9 yu9Oq6AifcolwEW6GURgcF2Al90R+THbogL9RSOT793k2erWafRV0exTwk7X0eREGx66 vE5w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:mime-version:message-id:date:subject:cc:to:from; bh=bzlJUreOvZP8SypwS3tLPzA0t2KT+BnghpxJ1ppv8p0=; b=Ifv2wFQFc0VWSymhQFM5g9tHBFQ2yy1vTdpuugVuZoUSavRMonytrkgVMF/lzdgQXd yhk+pRt1KteCLeUkNnw8Y57eJ7S/uOcKFWIANTdUDlL/i1/rw7zx9hTpmf7WqK3lF7qw w7yHx31g6e0Do/4SjIQSmeT5x/B+TfgdbzrHSlPTm2k8tr1TLybG/FUMGDbgKaJYKr+o 5yfWZVLEddva+hnTRIDOEs3w24eG26OQxbpGQnwWFgoqCx3Sg6YYULH1tDLwwIApP2kr +lnyroPRN4BZOgLN6V9/ogZ1NtgwyECme+CpKeM7BupyUBOOGH34i/ljeNnBIrNarmcy xoCg== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=huawei.com Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id n24-20020a635c58000000b0045259b8b37esi388254pgm.714.2022.11.03.02.13.40; Thu, 03 Nov 2022 02:13:57 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=huawei.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231419AbiKCJHM (ORCPT + 99 others); Thu, 3 Nov 2022 05:07:12 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:60232 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230435AbiKCJHJ (ORCPT ); Thu, 3 Nov 2022 05:07:09 -0400 Received: from szxga08-in.huawei.com (szxga08-in.huawei.com [45.249.212.255]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 2DAC4D122; Thu, 3 Nov 2022 02:07:08 -0700 (PDT) Received: from dggpemm500021.china.huawei.com (unknown [172.30.72.56]) by szxga08-in.huawei.com (SkyGuard) with ESMTP id 4N2yYy1DMqz15MKK; Thu, 3 Nov 2022 17:07:02 +0800 (CST) Received: from dggpemm500013.china.huawei.com (7.185.36.172) by dggpemm500021.china.huawei.com (7.185.36.109) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2375.31; Thu, 3 Nov 2022 17:07:06 +0800 Received: from ubuntu1804.huawei.com (10.67.175.36) by dggpemm500013.china.huawei.com (7.185.36.172) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2375.31; Thu, 3 Nov 2022 17:07:06 +0800 From: Chen Zhongjin To: , CC: , , , , , , , Subject: [PATCH net] net: ping6: Fix possible leaked pernet namespace in pingv6_init() Date: Thu, 3 Nov 2022 17:03:45 +0800 Message-ID: <20221103090345.187989-1-chenzhongjin@huawei.com> X-Mailer: git-send-email 2.17.1 MIME-Version: 1.0 X-Originating-IP: [10.67.175.36] X-ClientProxiedBy: dggems702-chm.china.huawei.com (10.3.19.179) To dggpemm500013.china.huawei.com (7.185.36.172) X-CFilter-Loop: Reflected X-Spam-Status: No, score=-4.2 required=5.0 tests=BAYES_00,RCVD_IN_DNSWL_MED, SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-getmail-retrieved-from-mailbox: =?utf-8?q?INBOX?= X-GMAIL-THRID: =?utf-8?q?1748465706575425692?= X-GMAIL-MSGID: =?utf-8?q?1748465706575425692?= When IPv6 module initializing in pingv6_init(), inet6_register_protosw() is possible to fail but returns without any error cleanup. This leaves wild ops in namespace list and when another module tries to add or delete pernet namespace it triggers page fault. Although IPv6 cannot be unloaded now, this error should still be handled to avoid kernel panic during IPv6 initialization. BUG: unable to handle page fault for address: fffffbfff80bab69 CPU: 0 PID: 434 Comm: modprobe RIP: 0010:unregister_pernet_operations+0xc9/0x450 Call Trace: unregister_pernet_subsys+0x31/0x3e nf_tables_module_exit+0x44/0x6a [nf_tables] __do_sys_delete_module.constprop.0+0x34f/0x5b0 ... Fix it by adding error handling in pingv6_init(), and add a helper function pingv6_ops_unset to avoid duplicate code. Fixes: d862e5461423 ("net: ipv6: Implement /proc/net/icmp6.") Signed-off-by: Chen Zhongjin --- net/ipv6/ping.c | 30 ++++++++++++++++++++++-------- 1 file changed, 22 insertions(+), 8 deletions(-) diff --git a/net/ipv6/ping.c b/net/ipv6/ping.c index 86c26e48d065..5df688dd5208 100644 --- a/net/ipv6/ping.c +++ b/net/ipv6/ping.c @@ -277,10 +277,21 @@ static struct pernet_operations ping_v6_net_ops = { }; #endif +static void pingv6_ops_unset(void) +{ + pingv6_ops.ipv6_recv_error = dummy_ipv6_recv_error; + pingv6_ops.ip6_datagram_recv_common_ctl = dummy_ip6_datagram_recv_ctl; + pingv6_ops.ip6_datagram_recv_specific_ctl = dummy_ip6_datagram_recv_ctl; + pingv6_ops.icmpv6_err_convert = dummy_icmpv6_err_convert; + pingv6_ops.ipv6_icmp_error = dummy_ipv6_icmp_error; + pingv6_ops.ipv6_chk_addr = dummy_ipv6_chk_addr; +} + int __init pingv6_init(void) { + int ret; #ifdef CONFIG_PROC_FS - int ret = register_pernet_subsys(&ping_v6_net_ops); + ret = register_pernet_subsys(&ping_v6_net_ops); if (ret) return ret; #endif @@ -291,7 +302,15 @@ int __init pingv6_init(void) pingv6_ops.icmpv6_err_convert = icmpv6_err_convert; pingv6_ops.ipv6_icmp_error = ipv6_icmp_error; pingv6_ops.ipv6_chk_addr = ipv6_chk_addr; - return inet6_register_protosw(&pingv6_protosw); + + ret = inet6_register_protosw(&pingv6_protosw); + if (ret) { + pingv6_ops_unset(); +#ifdef CONFIG_PROC_FS + unregister_pernet_subsys(&ping_v6_net_ops); +#endif + } + return ret; } /* This never gets called because it's not possible to unload the ipv6 module, @@ -299,12 +318,7 @@ int __init pingv6_init(void) */ void pingv6_exit(void) { - pingv6_ops.ipv6_recv_error = dummy_ipv6_recv_error; - pingv6_ops.ip6_datagram_recv_common_ctl = dummy_ip6_datagram_recv_ctl; - pingv6_ops.ip6_datagram_recv_specific_ctl = dummy_ip6_datagram_recv_ctl; - pingv6_ops.icmpv6_err_convert = dummy_icmpv6_err_convert; - pingv6_ops.ipv6_icmp_error = dummy_ipv6_icmp_error; - pingv6_ops.ipv6_chk_addr = dummy_ipv6_chk_addr; + pingv6_ops_unset(); #ifdef CONFIG_PROC_FS unregister_pernet_subsys(&ping_v6_net_ops); #endif