
Commit 2f529cf

vegardharshimogalapalli
authored andcommitted
crypto/crypto_user: don't overwrite net->crypto_nlsk on error
[ 16.602634] BUG: kernel NULL pointer dereference, address: 000000000000023e [ 16.605935] #PF: supervisor read access in kernel mode [ 16.608212] #PF: error_code(0x0000) - not-present page [ 16.610394] PGD 0 P4D 0 [ 16.611862] Oops: Oops: 0000 [#1] PREEMPT SMP NOPTI [ 16.614116] CPU: 1 UID: 0 PID: 1141 Comm: sha512hmac Tainted: GF OE 6.12.0-0.7.5fips.el9uek.v12.ol9.x86_64 #1 [ 16.618140] Tainted: [F]=FORCED_MODULE, [O]=OOT_MODULE, [E]=UNSIGNED_MODULE [ 16.620797] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.6.4 02/27/2023 [ 16.624072] RIP: 0010:netlink_unicast+0xf8/0x3a0 [ 16.626277] Code: df e8 2c c5 f9 ff 85 c0 0f 85 03 02 00 00 48 8d 54 24 08 48 89 e9 4c 89 e6 48 89 df e8 c1 fc ff ff 83 f8 01 0f 85 18 02 00 00 <0f> b7 85 3e 02 00 00 4c 8b 7d 30 48 8d 14 40 48 8d 1c 90 48 c1 e3 [ 16.633200] RSP: 0018:ffffb3a980d63958 EFLAGS: 00010202 [ 16.635681] RAX: 0000000000000000 RBX: 0000000000000040 RCX: 0000000000000000 [ 16.638819] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 [ 16.641687] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000 [ 16.644414] R10: 0000000000000000 R11: 0000004000000080 R12: ffff9020de5b6f00 [ 16.647480] R13: 0000000000000475 R14: 0000000000000001 R15: ffffffff9e4c2f40 [ 16.650658] FS: 00007f11f613c740(0000) GS:ffff90236fc80000(0000) knlGS:0000000000000000 [ 16.654165] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 16.656847] CR2: 000000000000023e CR3: 0000000100ce0000 CR4: 00000000003506f0 [ 16.659808] Call Trace: [ 16.661202] <TASK> [ 16.662570] ? srso_return_thunk+0x5/0x5f [ 16.664506] ? show_trace_log_lvl+0x255/0x300 [ 16.666589] ? show_trace_log_lvl+0x255/0x300 [ 16.668611] ? crypto_report+0xcc/0x13a [fips_crypto_user] [ 16.671092] ? __die_body.cold+0x8/0x17 [ 16.673003] ? page_fault_oops+0x160/0x16b [ 16.674997] ? exc_page_fault+0x73/0x180 [ 16.676917] ? asm_exc_page_fault+0x26/0x30 [ 16.678966] ? netlink_unicast+0xf8/0x3a0 [ 16.680896] ? 
netlink_unicast+0x52/0x3a0 [ 16.682935] crypto_report+0xcc/0x13a [fips_crypto_user] [ 16.685240] crypto_user_rcv_msg+0xd6/0x1f0 [fips_crypto_user] [ 16.687846] ? crypto_alloc_tfmmem.isra.0+0x28/0x60 [fips140] [ 16.690434] ? __pfx_crypto_user_rcv_msg+0x10/0x10 [fips_crypto_user] [ 16.693132] netlink_rcv_skb+0x53/0x110 [ 16.695043] crypto_netlink_rcv+0x28/0x40 [fips_crypto_user] [ 16.697495] netlink_unicast+0x250/0x3a0 [ 16.699480] netlink_sendmsg+0x21b/0x47f [ 16.701266] ____sys_sendmsg+0x3af/0x3e0 [ 16.703135] ? srso_return_thunk+0x5/0x5f [ 16.705151] ___sys_sendmsg+0x9a/0xf0 [ 16.706912] __sys_sendmsg+0x7a/0xe0 [ 16.708664] do_syscall_64+0x8c/0x1b0 [ 16.710413] ? arch_exit_to_user_mode_prepare.isra.0+0x1e/0xd0 [ 16.712917] entry_SYSCALL_64_after_hwframe+0x76/0x7e [ 16.715218] RIP: 0033:0x7f11f624ea97 [ 16.716898] Code: 0e 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b9 0f 1f 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 89 54 24 1c 48 89 74 24 10 [ 16.724038] RSP: 002b:00007ffe6714b2b8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e [ 16.727267] RAX: ffffffffffffffda RBX: 00005592acd469d0 RCX: 00007f11f624ea97 [ 16.730478] RDX: 0000000000000000 RSI: 00007ffe6714b2e0 RDI: 0000000000000004 [ 16.733559] RBP: 0000000000000004 R08: 000000000000000f R09: 0029323135616873 [ 16.736579] R10: 00007f11f62efc40 R11: 0000000000000246 R12: 00007ffe6714b460 [ 16.739661] R13: 0000559279c9e909 R14: 00007ffe6714b2e0 R15: 0000000000000010 [ 16.742802] </TASK> Signed-off-by: Vegard Nossum <[email protected]>
1 parent d10c32c commit 2f529cf


1 file changed

+7
-2
lines changed


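--- a/crypto/crypto_user.c
+++ b/crypto/crypto_user.c
@@ -485,12 +485,17 @@ static void crypto_netlink_rcv(struct sk_buff *skb)
 
 static int __net_init crypto_netlink_init(struct net *net)
 {
+struct sock *nlsk;
 struct netlink_kernel_cfg cfg = {
 .input = crypto_netlink_rcv,
 };
 
-net->crypto_nlsk = netlink_kernel_create(net, NETLINK_CRYPTO, &cfg);
-return net->crypto_nlsk == NULL ? -ENOMEM : 0;
+nlsk = netlink_kernel_create(net, NETLINK_CRYPTO, &cfg);
+if (!nlsk)
+return -ENOMEM;
+
+net->crypto_nlsk = nlsk;
+return 0;
 }
 
 static void __net_exit crypto_netlink_exit(struct net *net)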
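Review bot: Nothing in `crypto_netlink_init()` or the commit message says why `net->crypto_nlsk` may already hold a live socket when init runs (the message is only the oops trace), so the assign-on-success ordering reads as a style choice and is easy to revert. Going by the trace, `crypto_report()` reaches `netlink_unicast()` with a NULL socket on a `sendmsg()` path, which makes this a locally triggerable kernel oops; I would record that above the assignment, e.g. `/* Publish only on success: per the oops, crypto_report() hands net->crypto_nlsk to netlink_unicast(), which faults on NULL. */`. Separately, `return -ENOMEM;` is still used for every NULL from `netlink_kernel_create()`, which hides other failure causes from whoever reads the init error. `crypto_netlink_exit()` starts on the last line of the hunk and its body is not visible; it is worth confirming that it does not release a socket this instance did not create after a failed init.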
