binfmt_misc: fix crash when load/unload module

lzto · torvalds · commit e7f1e8834b2b · 2022-01-30T09:56:58.000+02:00
We should unregister the table upon module unload otherwise something horrible will happen when we load binfmt_misc module again. Also note that we should keep value returned by register_sysctl_mount_point() and release it later, otherwise it will leak. Also, per Christian's comment, to fully restore the old behavior that won't break userspace the check(binfmt_misc_header) should be eliminated. To reproduce: modprobe binfmt_misc modprobe -r binfmt_misc modprobe binfmt_misc modprobe -r binfmt_misc modprobe binfmt_misc resulting in modprobe: can't load module binfmt_misc (kernel/fs/binfmt_misc.ko): Cannot allocate memory and an unhappy kernel: binfmt_misc: Failed to create fs/binfmt_misc sysctl mount point binfmt_misc: Failed to create fs/binfmt_misc sysctl mount point BUG: unable to handle page fault for address: fffffbfff8004802 Call Trace: init_misc_binfmt+0x2d/0x1000 [binfmt_misc] Link: https://lkml.kernel.org/r/20220124181812.1869535-2-ztong0001@gmail.com Fixes: 3ba442d ("fs: move binfmt_misc sysctl to its own file") Signed-off-by: Tong Zhang <ztong0001@gmail.com> Co-developed-by: Christian Brauner<brauner@kernel.org> Acked-by: Luis Chamberlain <mcgrof@kernel.org> Cc: Eric Biederman <ebiederm@xmission.com> Cc: Kees Cook <keescook@chromium.org> Cc: Iurii Zaikin <yzaikin@google.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
diff --git a/fs/binfmt_misc.c b/fs/binfmt_misc.c
@@ -817,20 +817,20 @@ static struct file_system_type bm_fs_type = {
 };
 MODULE_ALIAS_FS("binfmt_misc");
 
+static struct ctl_table_header *binfmt_misc_header;
+
 static int __init init_misc_binfmt(void)
 {
 	int err = register_filesystem(&bm_fs_type);
 	if (!err)
 		insert_binfmt(&misc_format);
-	if (!register_sysctl_mount_point("fs/binfmt_misc")) {
-		pr_warn("Failed to create fs/binfmt_misc sysctl mount point");
-		return -ENOMEM;
-	}
+	binfmt_misc_header = register_sysctl_mount_point("fs/binfmt_misc");
 	return 0;
 }
 
 static void __exit exit_misc_binfmt(void)
 {
+	unregister_sysctl_table(binfmt_misc_header);
 	unregister_binfmt(&misc_format);
 	unregister_filesystem(&bm_fs_type);
 }

Original file line number	Diff line number	Diff line change
`@@ -817,20 +817,20 @@ static struct file_system_type bm_fs_type = {`
`817`	`817`	`};`
`818`	`818`	`MODULE_ALIAS_FS("binfmt_misc");`
`819`	`819`
	`820`	`+static struct ctl_table_header *binfmt_misc_header;`
	`821`	`+`
`820`	`822`	`static int __init init_misc_binfmt(void)`
`821`	`823`	`{`
`822`	`824`	`int err = register_filesystem(&bm_fs_type);`
`823`	`825`	`if (!err)`
`824`	`826`	`insert_binfmt(&misc_format);`
`825`		`- if (!register_sysctl_mount_point("fs/binfmt_misc")) {`
`826`		`- pr_warn("Failed to create fs/binfmt_misc sysctl mount point");`
`827`		`- return -ENOMEM;`
`828`		`- }`
	`827`	`+ binfmt_misc_header = register_sysctl_mount_point("fs/binfmt_misc");`
`829`	`828`	`return 0;`
`830`	`829`	`}`
`831`	`830`
`832`	`831`	`static void __exit exit_misc_binfmt(void)`
`833`	`832`	`{`
	`833`	`+ unregister_sysctl_table(binfmt_misc_header);`
`834`	`834`	`unregister_binfmt(&misc_format);`
`835`	`835`	`unregister_filesystem(&bm_fs_type);`
`836`	`836`	`}`