xsk_init() registers the PF_XDP socket family before xsk_net_ops. This exposes .create = xsk_create() to user space while per-netns state (net->xdp.lock/list) is still uninitialized. A task with CAP_NET_RAW can trigger this during boot/module load by calling socket(PF_XDP/AF_XDP, SOCK_RAW, 0) concurrently with xsk_init(), leading to NULL deref, list/lock corruption or use-after-free. Register the pernet subsystem (and prerequisites) first and only then sock_register() PF_XDP. Update the error unwind to match the new order. Similar to CVE-2024-26793 (GTP init ordering bug).
Fixes: c0c77d8fb787 ("xsk: add user memory registration support sockopt")
Signed-off-by: Kery Qi
---
 net/xdp/xsk.c | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/net/xdp/xsk.c b/net/xdp/xsk.c
index f093c3453f64..63b48e4b8b65 100644
--- a/net/xdp/xsk.c
+++ b/net/xdp/xsk.c
@@ -1922,10 +1922,6 @@ static int __init xsk_init(void)
 if (err)
 goto out;

- err = sock_register(&xsk_family_ops);
- if (err)
- goto out_proto;
-
 err = register_pernet_subsys(&xsk_net_ops);
 if (err)
 goto out_sk;
@@ -1942,16 +1938,20 @@ static int __init xsk_init(void)
 goto out_unreg_notif;
 }

+ err = sock_register(&xsk_family_ops);
+ if (err)
+ goto out_proto;
+
 return 0;

 out_unreg_notif:
 unregister_netdevice_notifier(&xsk_netdev_notifier);
 out_pernet:
 unregister_pernet_subsys(&xsk_net_ops);
-out_sk:
- sock_unregister(PF_XDP);
 out_proto:
 proto_unregister(&xsk_proto);
+out_sk:
+ sock_unregister(PF_XDP);
 out:
 return err;
 }
--
2.34.1
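Review bot: The reordered error unwind no longer mirrors the registration order: in the second hunk a failed `sock_register()` jumps to `out_proto`, which skips `unregister_netdevice_notifier()` and `unregister_pernet_subsys()`, and every failure path now falls through `out_sk` into `sock_unregister(PF_XDP)` for a family that was never registered. In the first hunk the unchanged `goto out_sk;` after `register_pernet_subsys()` likewise reaches `sock_unregister()` while skipping `proto_unregister(&xsk_proto)`, so the proto stays registered after a failed init. Since `sock_register()` is now the last step that can fail, its error path should be `goto out_unreg_notif;`, the pernet failure should be `goto out_proto;`, and the `out_sk:` / `sock_unregister(PF_XDP);` pair can be dropped from the unwind. Whatever the braced block ending in `goto out_unreg_notif;` sets up lies outside the hunk and may also need releasing on the new failure path; the rest of xsk_init() is not visible here.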