xsk_init() previously registered the PF_XDP socket family before the per-net subsystem and other prerequisites (netdevice notifier, caches) were fully initialized. This exposed .create = xsk_create() to user space while per-netns state (net->xdp.lock/list) was still uninitialized. A task with CAP_NET_RAW could trigger this during boot/module load by calling socket(PF_XDP, SOCK_RAW, 0) concurrently with xsk_init(), leading to a NULL pointer dereference or use-after-free in the list manipulation. To fix this, move sock_register() to the end of the initialization sequence, ensuring that all required kernel structures are ready before exposing the AF_XDP interface to userspace. Accordingly, reorder the error unwind path to ensure proper cleanup in reverse order of initialization. Also, explicitly add kmem_cache_destroy() in the error path to prevent leaking xsk_tx_generic_cache if the registration fails. Fixes: c0c77d8fb787 ("xsk: add user memory registration support sockopt") Signed-off-by: Kery Qi --- net/xdp/xsk.c | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/net/xdp/xsk.c b/net/xdp/xsk.c index f093c3453f64..58e9c61c29e0 100644 --- a/net/xdp/xsk.c +++ b/net/xdp/xsk.c @@ -23,6 +23,7 @@ #include #include #include +#include #include #include #include @@ -1922,10 +1923,6 @@ static int __init xsk_init(void) if (err) goto out; - err = sock_register(&xsk_family_ops); - if (err) - goto out_proto; - err = register_pernet_subsys(&xsk_net_ops); if (err) goto out_sk; @@ -1942,16 +1939,21 @@ static int __init xsk_init(void) goto out_unreg_notif; } + err = sock_register(&xsk_family_ops); + if (err) + goto out_proto; + return 0; +out_proto: + proto_unregister(&xsk_proto); + kmem_cache_destroy(xsk_tx_generic_cache); out_unreg_notif: unregister_netdevice_notifier(&xsk_netdev_notifier); out_pernet: unregister_pernet_subsys(&xsk_net_ops); out_sk: sock_unregister(PF_XDP); -out_proto: - proto_unregister(&xsk_proto); out: return err; } -- 2.34.1
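Review bot: the header added to the include block at the top of net/xdp/xsk.c (hunk `@@ -23,6 +23,7 @@`) is not identifiable in the hunk as shown, and nothing else in the patch introduces a new API: the change only reorders calls that already exist in xsk_init() and adds kmem_cache_destroy() next to the kmem_cache_create() the file already uses. Either drop the new include or state in the commit message which symbol it is needed for.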
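Review bot: removing sock_register() here (hunk `@@ -1922,10 +1923,6 @@`) leaves the unchanged `goto out_sk` on register_pernet_subsys() failure pointing at a label that undoes a step that has not happened yet. After the patch, out_sk runs sock_unregister(PF_XDP) for a family that was never registered and then falls through to `out:` without ever reaching proto_unregister(), so the proto registered at the top of xsk_init() leaks on that path. That goto should target the label that unregisters xsk_proto.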
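Review bot: the new unwind ladder (hunk `@@ -1942,16 +1939,21 @@`) is not the reverse of the initialization order the commit message promises. The new out_proto label runs proto_unregister() before kmem_cache_destroy() although the cache is created after the proto, then falls through out_unreg_notif and out_pernet into out_sk, where sock_unregister(PF_XDP) runs for a family whose sock_register() has just failed. At the same time proto_unregister() is reachable only from that one failure and not from the out_unreg_notif, out_pernet or out_sk entries, so a failed notifier or pernet registration leaks xsk_proto. Since sock_register() is now the last step there is nothing to undo after it: suggest dropping the sock_unregister() label entirely and ordering the labels as `out_cache: kmem_cache_destroy(xsk_tx_generic_cache);`, `out_unreg_notif: unregister_netdevice_notifier(&xsk_netdev_notifier);`, out_pernet, `out_proto: proto_unregister(&xsk_proto);` and finally `out: return err;`, with the sock_register() failure jumping to out_cache.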