From: Tong Zhang <ztong0001@xxxxxxxxx> Subject: binfmt_misc: fix crash when load/unload module We should unregister the table upon module unload otherwise something horrible will happen when we load binfmt_misc module again. Also note that we should keep value returned by register_sysctl_mount_point() and release it later, otherwise it will leak. Also, per Christian's comment, to fully restore the old behavior that won't break userspace the check(binfmt_misc_header) should be eliminated. reproduce: modprobe binfmt_misc modprobe -r binfmt_misc modprobe binfmt_misc modprobe -r binfmt_misc modprobe binfmt_misc [ 18.032038] Call Trace: [ 18.032108] <TASK> [ 18.032169] dump_stack_lvl+0x34/0x44 [ 18.032273] __register_sysctl_table+0x6f4/0x720 [ 18.032397] ? preempt_count_sub+0xf/0xb0 [ 18.032508] ? 0xffffffffc0040000 [ 18.032600] init_misc_binfmt+0x2d/0x1000 [binfmt_misc] [ 18.042520] binfmt_misc: Failed to create fs/binfmt_misc sysctl mount point modprobe: can't load module binfmt_misc (kernel/fs/binfmt_misc.ko): Cannot allocate memory [ 18.063549] binfmt_misc: Failed to create fs/binfmt_misc sysctl mount point [ 18.204779] BUG: unable to handle page fault for address: fffffbfff8004802 Link: https://lkml.kernel.org/r/20220124181812.1869535-2-ztong0001@xxxxxxxxx Fixes: 3ba442d5331f ("fs: move binfmt_misc sysctl to its own file") Signed-off-by: Tong Zhang <ztong0001@xxxxxxxxx> Co-developed-by: Christian Brauner<brauner@xxxxxxxxxx> Acked-by: Luis Chamberlain <mcgrof@xxxxxxxxxx> Cc: Eric Biederman <ebiederm@xxxxxxxxxxxx> Cc: Kees Cook <keescook@xxxxxxxxxxxx> Cc: Iurii Zaikin <yzaikin@xxxxxxxxxx> Signed-off-by: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx> --- fs/binfmt_misc.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) --- a/fs/binfmt_misc.c~binfmt_misc-fix-crash-when-load-unload-module +++ a/fs/binfmt_misc.c @@ -817,20 +817,20 @@ static struct file_system_type bm_fs_typ }; MODULE_ALIAS_FS("binfmt_misc"); +static struct ctl_table_header *binfmt_misc_header; + static int __init init_misc_binfmt(void) { int err = register_filesystem(&bm_fs_type); if (!err) insert_binfmt(&misc_format); - if (!register_sysctl_mount_point("fs/binfmt_misc")) { - pr_warn("Failed to create fs/binfmt_misc sysctl mount point"); - return -ENOMEM; - } + binfmt_misc_header = register_sysctl_mount_point("fs/binfmt_misc"); return 0; } static void __exit exit_misc_binfmt(void) { + unregister_sysctl_table(binfmt_misc_header); unregister_binfmt(&misc_format); unregister_filesystem(&bm_fs_type); } _