diff options
author | Rusty Russell <rusty@rustcorp.com.au> | 2010-05-31 06:23:50 -0400 |
---|---|---|
committer | Linus Torvalds <torvalds@linux-foundation.org> | 2010-05-31 14:21:32 -0400 |
commit | 293a7cfeedc2b2380a7c7274902323c3cf5f7575 (patch) | |
tree | 00576870400cb640fe92ea3f525338e6e3733a2e /kernel/module.c | |
parent | 67a3e12b05e055c0415c556a315a3d3eb637e29e (diff) |
module: fix reference to mod->percpu after freeing module.
Rafael sees a sometimes crash at precpu_modfree from kernel/module.c; it
only occurred with another (since-reverted) patch, but that patch simply
changed timing to uncover this bug, it was otherwise unrelated.
The comment about the mod being freed is self-explanatory, but neither
Tejun nor I read it. This bug was introduced in 259354deaa, after it
had previously been fixed in 6e2b75740b. How embarrassing.
Reported-by: "Rafael J. Wysocki" <rjw@sisk.pl>
Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
Embarrassingly-Acked-by: Tejun Heo <tj@kernel.org>
Cc: Masami Hiramatsu <mhiramat@redhat.com>
Tested-by: "Rafael J. Wysocki" <rjw@sisk.pl>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Diffstat (limited to 'kernel/module.c')
-rw-r--r-- | kernel/module.c | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/kernel/module.c b/kernel/module.c index 333fbcc96978..d806e00e4450 100644 --- a/kernel/module.c +++ b/kernel/module.c | |||
@@ -2014,6 +2014,7 @@ static noinline struct module *load_module(void __user *umod, | |||
2014 | long err = 0; | 2014 | long err = 0; |
2015 | void *ptr = NULL; /* Stops spurious gcc warning */ | 2015 | void *ptr = NULL; /* Stops spurious gcc warning */ |
2016 | unsigned long symoffs, stroffs, *strmap; | 2016 | unsigned long symoffs, stroffs, *strmap; |
2017 | void __percpu *percpu; | ||
2017 | 2018 | ||
2018 | mm_segment_t old_fs; | 2019 | mm_segment_t old_fs; |
2019 | 2020 | ||
@@ -2158,6 +2159,8 @@ static noinline struct module *load_module(void __user *umod, | |||
2158 | goto free_mod; | 2159 | goto free_mod; |
2159 | sechdrs[pcpuindex].sh_flags &= ~(unsigned long)SHF_ALLOC; | 2160 | sechdrs[pcpuindex].sh_flags &= ~(unsigned long)SHF_ALLOC; |
2160 | } | 2161 | } |
2162 | /* Keep this around for failure path. */ | ||
2163 | percpu = mod_percpu(mod); | ||
2161 | 2164 | ||
2162 | /* Determine total sizes, and put offsets in sh_entsize. For now | 2165 | /* Determine total sizes, and put offsets in sh_entsize. For now |
2163 | this is done generically; there doesn't appear to be any | 2166 | this is done generically; there doesn't appear to be any |
@@ -2463,7 +2466,7 @@ static noinline struct module *load_module(void __user *umod, | |||
2463 | module_free(mod, mod->module_core); | 2466 | module_free(mod, mod->module_core); |
2464 | /* mod will be freed with core. Don't access it beyond this line! */ | 2467 | /* mod will be freed with core. Don't access it beyond this line! */ |
2465 | free_percpu: | 2468 | free_percpu: |
2466 | percpu_modfree(mod); | 2469 | free_percpu(percpu); |
2467 | free_mod: | 2470 | free_mod: |
2468 | kfree(args); | 2471 | kfree(args); |
2469 | kfree(strmap); | 2472 | kfree(strmap); |