[PATCH] Fix module load failure case

Milton Miller noticed a free-after-use problem in the cleanup path of a
failed module load.

The problem is that mod is moved to point from the sucked-in file
(always freed last) to the module core, after which time the
"free(mod->core), reference mod->percpu" sequence is bogus, eg.  when
the module_init function fails.

This is fixed by keeping the pointer in a local variable, which solves
the problem. We no longer need to reference the free'd data structure.

kernel/module.c

@@ -1366,7 +1366,7 @@ static struct module *load_module(void __user *umod,
 	long arglen;
 	struct module *mod;
 	long err = 0;
-	void *ptr = NULL; /* Stops spurious gcc uninitialized warning */
+	void *percpu = NULL, *ptr = NULL; /* Stops spurious gcc warning */
 
 	DEBUGP("load_module: umod=%p, len=%lu, uargs=%p\n",
 	       umod, len, uargs);
@@ -1496,13 +1496,14 @@ static struct module *load_module(void __user *umod,
 
 	if (pcpuindex) {
 		/* We have a special allocation for this section. */
-		mod->percpu = percpu_modalloc(sechdrs[pcpuindex].sh_size,
-					      sechdrs[pcpuindex].sh_addralign);
-		if (!mod->percpu) {
+		percpu = percpu_modalloc(sechdrs[pcpuindex].sh_size,
+					 sechdrs[pcpuindex].sh_addralign);
+		if (!percpu) {
 			err = -ENOMEM;
 			goto free_mod;
 		}
 		sechdrs[pcpuindex].sh_flags &= ~(unsigned long)SHF_ALLOC;
+		mod->percpu = percpu;
 	}
 
 	/* Determine total sizes, and put offsets in sh_entsize.  For now
@@ -1643,8 +1644,8 @@ static struct module *load_module(void __user *umod,
  free_core:
 	module_free(mod, mod->module_core);
  free_percpu:
-	if (mod->percpu)
-		percpu_modfree(mod->percpu);
+	if (percpu)
+		percpu_modfree(percpu);
  free_mod:
 	kfree(args);
  free_hdr: