Commit 2c435ad4 authored by Rusty Russell's avatar Rusty Russell Committed by Linus Torvalds

[PATCH] Fix module load failure case

Milton Miller noticed a free-after-use problem in the cleanup path of a
failed module load.

The problem is that mod is moved to point from the sucked-in file
(always freed last) to the module core, after which time the
"free(mod->core), reference mod->percpu" sequence is bogus, eg.  when
the module_init function fails.

This is fixed by keeping the pointer in a local variable, which solves
the problem. We no longer need to reference the free'd data structure.
parent 059a30e3
......@@ -1366,7 +1366,7 @@ static struct module *load_module(void __user *umod,
long arglen;
struct module *mod;
long err = 0;
void *ptr = NULL; /* Stops spurious gcc uninitialized warning */
void *percpu = NULL, *ptr = NULL; /* Stops spurious gcc warning */
DEBUGP("load_module: umod=%p, len=%lu, uargs=%p\n",
umod, len, uargs);
......@@ -1496,13 +1496,14 @@ static struct module *load_module(void __user *umod,
if (pcpuindex) {
/* We have a special allocation for this section. */
mod->percpu = percpu_modalloc(sechdrs[pcpuindex].sh_size,
sechdrs[pcpuindex].sh_addralign);
if (!mod->percpu) {
percpu = percpu_modalloc(sechdrs[pcpuindex].sh_size,
sechdrs[pcpuindex].sh_addralign);
if (!percpu) {
err = -ENOMEM;
goto free_mod;
}
sechdrs[pcpuindex].sh_flags &= ~(unsigned long)SHF_ALLOC;
mod->percpu = percpu;
}
/* Determine total sizes, and put offsets in sh_entsize. For now
......@@ -1643,8 +1644,8 @@ static struct module *load_module(void __user *umod,
free_core:
module_free(mod, mod->module_core);
free_percpu:
if (mod->percpu)
percpu_modfree(mod->percpu);
if (percpu)
percpu_modfree(percpu);
free_mod:
kfree(args);
free_hdr:
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment