rds: Fix incorrect initialization order

Commit 65e542a82b5b ("rds/ib: handle rds uncongested notifications in
worker") introduced an additional initialization call for the
congestion monitor. This call was added at the end of the
initialization sequence.

This order implies that RDS could be up and kicking before the last
initialization call, and a NULL pointer dereference is possible, if a
user-space application starts to use RDS in close proximity in time
with module loading.

We then see the following stack trace:

BUG: kernel NULL pointer dereference, address: 0000000000000010
PGD 8000000129853067 P4D 8000000129853067 PUD 129854067 PMD 0
Oops: 0002 [#1] SMP PTI
CPU: 2 PID: 4396 Comm: 610dab0edd8b4ee Not tainted 5.4.17-2136.301.1.el7uek.x86_64 #2
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-2.el7 04/01/2014
RIP: 0010:_raw_write_lock_irqsave+0x22/0x3a
RSP: 0018:ffff9a0040bebdd0 EFLAGS: 00010046
RAX: 0000000000000000 RBX: 0000000000000286 RCX: 00000000000000ff
RDX: 0000000000000001 RSI: 0000000000000282 RDI: 0000000000000010
RBP: ffff9a0040bebdd8 R08: ffff8a2ae9a3e7e0 R09: 0000000000000000
R10: 0000000000000008 R11: ffff8a2ae9c37b00 R12: ffff8a2ae9a3e6e0
R13: ffff8a2ae9c37a80 R14: ffff8a2ac7d5fe20 R15: ffff8a2af678e8f0
FS:  000000000236c980(0000) GS:ffff8a2afbd00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000010 CR3: 00000001299ac000 CR4: 00000000000006e0
Call Trace:
 rds_cong_remove_socket+0x28/0xf0 [rds]
 rds_release+0x61/0x130 [rds]
 __sock_release+0x42/0xb7
 sock_close+0x15/0x19
 __fput+0xc6/0x257
 ____fput+0xe/0x10
 task_work_run+0x71/0xa2
 exit_to_usermode_loop+0xc8/0x122
 do_syscall_64+0x19a/0x1d9
 entry_SYSCALL_64_after_hwframe+0x170/0x0

Fixed by changing the initialization order.

Orabug: 33923370

Fixes: 65e542a82b5b ("rds/ib: handle rds uncongested notifications in worker")
Reported-by: syzkaller
Reported-by: george kennedy <george.kennedy@oracle.com>
Signed-off-by: Håkon Bugge <haakon.bugge@oracle.com>
Tested-by: george kennedy <george.kennedy@oracle.com>
Reviewed-by: Hans Westgaard Ry <hans.westgaard.ry@oracle.com>

Author: Hakon-Bugge

net/rds/af_rds.c

@@ -1443,17 +1443,16 @@ static int __init rds_init(void)
 	ret = rds_stats_init();
 	if (ret)
 		goto out_sysctl;
-	ret = proto_register(&rds_proto, 1);
+	ret = rds_cong_monitor_init();
 	if (ret)
 		goto out_stats;
+	ret = proto_register(&rds_proto, 1);
+	if (ret)
+		goto out_cong;
 	ret = sock_register(&rds_family_ops);
 	if (ret)
 		goto out_proto;
 
-	ret = rds_cong_monitor_init();
-	if (ret)
-		goto out_sock;
-
 	rds_info_register_func(RDS_INFO_SOCKETS, rds_sock_info);
 	rds_info_register_func(RDS_INFO_RECV_MESSAGES, rds_sock_inc_info);
 #if IS_ENABLED(CONFIG_IPV6)
@@ -1465,10 +1464,10 @@ static int __init rds_init(void)
 
 	goto out;
 
-out_sock:
-	sock_unregister(rds_family_ops.family);
 out_proto:
 	proto_unregister(&rds_proto);
+out_cong:
+	rds_cong_exit();
 out_stats:
 	rds_stats_exit();
 out_sysctl:
@@ -1477,7 +1476,6 @@ static int __init rds_init(void)
 	rds_threads_exit();
 out_conn:
 	rds_conn_exit();
-	rds_cong_exit();
 	rds_page_exit();
 out_slab:
 	kmem_cache_destroy(rds_rs_buf_info_slab);