module: fix refptr allocation and release order

Impact: fix ref-after-free crash on failed module load Fix refptr bug: Change refptr allocation and release order not to access a module data structure pointed by 'mod' after freeing mod->module_core. This bug will cause kernel panic(e.g. failed to find undefined symbols). This bug was reported on systemtap bugzilla. http://sources.redhat.com/bugzilla/show_bug.cgi?id=9927 Signed-off-by: Masami Hiramatsu <mhiramat@redhat.com> Cc: Eric Dumazet <dada1@cosmosbay.com> Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
author: Masami Hiramatsu <mhiramat@redhat.com> 2009-03-16 18:13:36 -0400
committer: Rusty Russell <rusty@rustcorp.com.au> 2009-03-17 19:01:21 -0400
commit: 6e2b75740bed35df98b8113300579e13ed2ce848 (patch)
tree: 225f75f803450c728d546c755f7398b102f8cf3d /kernel/module.c
parent: ee568b25ee9e160b32d1aef73d8b2ee9c05d34db (diff)
1 files changed, 14 insertions, 12 deletions
diff --git a/kernel/module.c b/kernel/module.c
index ba22484a987e..1196f5d11700 100644
--- a/kernel/module.c
+++ b/kernel/module.c
@@ -2015,14 +2015,6 @@ static noinline struct module *load_module(void __user *umod,
        if (err < 0)
                goto free_mod;
-#if defined(CONFIG_MODULE_UNLOAD) && defined(CONFIG_SMP)
-        mod->refptr = percpu_modalloc(sizeof(local_t), __alignof__(local_t),
-                                      mod->name);
-        if (!mod->refptr) {
-                err = -ENOMEM;
-                goto free_mod;
-        }
-#endif
        if (pcpuindex) {
                /* We have a special allocation for this section. */
                percpu = percpu_modalloc(sechdrs[pcpuindex].sh_size,
@@ -2030,7 +2022,7 @@ static noinline struct module *load_module(void __user *umod,
                                         mod->name);
                if (!percpu) {
                        err = -ENOMEM;
-                        goto free_percpu;
+                        goto free_mod;
                }
                sechdrs[pcpuindex].sh_flags &= ~(unsigned long)SHF_ALLOC;
                mod->percpu = percpu;
@@ -2082,6 +2074,14 @@ static noinline struct module *load_module(void __user *umod,
        /* Module has been moved. */
        mod = (void *)sechdrs[modindex].sh_addr;
+#if defined(CONFIG_MODULE_UNLOAD) && defined(CONFIG_SMP)
+        mod->refptr = percpu_modalloc(sizeof(local_t), __alignof__(local_t),
+                                      mod->name);
+        if (!mod->refptr) {
+                err = -ENOMEM;
+                goto free_init;
+        }
+#endif
        /* Now we've moved module, initialize linked lists, etc. */
        module_unload_init(mod);
@@ -2288,15 +2288,17 @@ static noinline struct module *load_module(void __user *umod,
        ftrace_release(mod->module_core, mod->core_size);
 free_unload:
        module_unload_free(mod);
+ free_init:
+#if defined(CONFIG_MODULE_UNLOAD) && defined(CONFIG_SMP)
+        percpu_modfree(mod->refptr);
+#endif
        module_free(mod, mod->module_init);
 free_core:
        module_free(mod, mod->module_core);
+        /* mod will be freed with core. Don't access it beyond this line! */
 free_percpu:
        if (percpu)
                percpu_modfree(percpu);
-#if defined(CONFIG_MODULE_UNLOAD) && defined(CONFIG_SMP)
-        percpu_modfree(mod->refptr);
-#endif
 free_mod:
        kfree(args);
 free_hdr:
author	Masami Hiramatsu <mhiramat@redhat.com>	2009-03-16 18:13:36 -0400
committer	Rusty Russell <rusty@rustcorp.com.au>	2009-03-17 19:01:21 -0400
commit	6e2b75740bed35df98b8113300579e13ed2ce848 (patch)
tree	225f75f803450c728d546c755f7398b102f8cf3d /kernel/module.c
parent	ee568b25ee9e160b32d1aef73d8b2ee9c05d34db (diff)