diff options
| author | Masami Hiramatsu <mhiramat@redhat.com> | 2009-03-16 18:13:36 -0400 | 
|---|---|---|
| committer | Rusty Russell <rusty@rustcorp.com.au> | 2009-03-18 09:31:21 +1030 | 
| commit | 6e2b75740bed35df98b8113300579e13ed2ce848 (patch) | |
| tree | 225f75f803450c728d546c755f7398b102f8cf3d /kernel | |
| parent | ee568b25ee9e160b32d1aef73d8b2ee9c05d34db (diff) | |
module: fix refptr allocation and release order
Impact: fix ref-after-free crash on failed module load
Fix refptr bug: Change refptr allocation and release order not to access a module
data structure pointed by 'mod' after freeing mod->module_core.
This bug will cause kernel panic(e.g. failed to find undefined symbols).
This bug was reported on systemtap bugzilla.
http://sources.redhat.com/bugzilla/show_bug.cgi?id=9927
Signed-off-by: Masami Hiramatsu <mhiramat@redhat.com>
Cc: Eric Dumazet <dada1@cosmosbay.com>
Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
Diffstat (limited to 'kernel')
| -rw-r--r-- | kernel/module.c | 26 | 
1 files changed, 14 insertions, 12 deletions
| diff --git a/kernel/module.c b/kernel/module.c index ba22484a987..1196f5d1170 100644 --- a/kernel/module.c +++ b/kernel/module.c @@ -2015,14 +2015,6 @@ static noinline struct module *load_module(void __user *umod,  	if (err < 0)  		goto free_mod; -#if defined(CONFIG_MODULE_UNLOAD) && defined(CONFIG_SMP) -	mod->refptr = percpu_modalloc(sizeof(local_t), __alignof__(local_t), -				      mod->name); -	if (!mod->refptr) { -		err = -ENOMEM; -		goto free_mod; -	} -#endif  	if (pcpuindex) {  		/* We have a special allocation for this section. */  		percpu = percpu_modalloc(sechdrs[pcpuindex].sh_size, @@ -2030,7 +2022,7 @@ static noinline struct module *load_module(void __user *umod,  					 mod->name);  		if (!percpu) {  			err = -ENOMEM; -			goto free_percpu; +			goto free_mod;  		}  		sechdrs[pcpuindex].sh_flags &= ~(unsigned long)SHF_ALLOC;  		mod->percpu = percpu; @@ -2082,6 +2074,14 @@ static noinline struct module *load_module(void __user *umod,  	/* Module has been moved. */  	mod = (void *)sechdrs[modindex].sh_addr; +#if defined(CONFIG_MODULE_UNLOAD) && defined(CONFIG_SMP) +	mod->refptr = percpu_modalloc(sizeof(local_t), __alignof__(local_t), +				      mod->name); +	if (!mod->refptr) { +		err = -ENOMEM; +		goto free_init; +	} +#endif  	/* Now we've moved module, initialize linked lists, etc. */  	module_unload_init(mod); @@ -2288,15 +2288,17 @@ static noinline struct module *load_module(void __user *umod,  	ftrace_release(mod->module_core, mod->core_size);   free_unload:  	module_unload_free(mod); + free_init: +#if defined(CONFIG_MODULE_UNLOAD) && defined(CONFIG_SMP) +	percpu_modfree(mod->refptr); +#endif  	module_free(mod, mod->module_init);   free_core:  	module_free(mod, mod->module_core); +	/* mod will be freed with core. Don't access it beyond this line! */   free_percpu:  	if (percpu)  		percpu_modfree(percpu); -#if defined(CONFIG_MODULE_UNLOAD) && defined(CONFIG_SMP) -	percpu_modfree(mod->refptr); -#endif   free_mod:  	kfree(args);   free_hdr: | 
