On Thu, Feb 29, 2024 at 11:37:28AM +0300, Vasiliy Kovalev wrote: [...]

This patch fixes another problem, but a similar one, since the sequence is incorrect when registering subsystems.

Initially, the registration sequence in the gtp module was as follows:

1. rtnl_link_register();

2. genl_register_family();

3. register_pernet_subsys();

During debugging of the module, when starting the syzkaller reproducer, it turned out that after genl_register_family() (2),

without waiting for register_pernet_subsys()(3), the /.dumpit/  event is triggered, in which the data of the unregistered pernet subsystem is accessed.

That is, the bug was fixed by the commit

136cfaca2256 ("gtp: fix use-after-free and null-ptr-deref in gtp_genl_dump_pdp()")[1]

and the registration sequence became as follows:

1. rtnl_link_register();

2. register_pernet_subsys();

3. genl_register_family();

However, syzkaller has discovered another problem:

after registering rtnl_link_register, the .newlink event is triggered, in which the data of the unregistered pernet subsystem is accessed.

This problem is reproducible on current stable kernels and the latest upstream kernel 6.8-rc6, in which the patch 136cfaca2256 [1] is applied.

Therefore, the correct sequence should be as follows:

1)register_pernet_subsys();

2. rtnl_link_register();

3. genl_register_family();

The proposed patch is developed on top of the commit changes [1], does not conflict with it and fixes the described bug.

[1] https://lore.kernel.org/lkml/20240220160434.29bcaf43@kernel.org/T/#mb1f72c2a...

Thanks for explaining, fix LGTM.