[Home]

Issue of the Implementation # L0019

Brief

drivers/mtd/mtd_blkdevs.c: Unsafe use of function module_put

Detailed Description

In driver drivers/mtd/mtd_blkdevs.c.ldv.c in function blktrans_open:

1. If in line 140 try_module_get(tr->owner) == 0, then we goto line 152 (label out_tr)

2. In line 152 (label out_tr): calls module_put on the unloaded driver.

131 static int blktrans_open(struct block_device *bdev, fmode_t mode)
132 {
133         struct mtd_blktrans_dev *dev = bdev->bd_disk->private_data;
134         struct mtd_blktrans_ops *tr = dev->tr;
135         int ret = -ENODEV;
136
137         if (!get_mtd_device(NULL, dev->mtd->index))
138                 goto out;
139
140         if (!try_module_get(tr->owner))
141                 goto out_tr;
142
143         /* FIXME: Locking. A hot pluggable device can go away
144            (del_mtd_device can be called for it) without its module
145            being unloaded. */
146         dev->mtd->usecount++;
147
148         ret = 0;
149         if (tr->open && (ret = tr->open(dev))) {
150                 dev->mtd->usecount--;
151                 put_mtd_device(dev->mtd);
152         out_tr:
153                 module_put(tr->owner);
154         }
155  out:
156         return ret;
157 }

Reproducing

replace

141                 goto out_tr;

with

141                 goto out;

Component

linux-kernel 2.6.32.6

Accepted

http://lkml.org/lkml/2010/1/12/246
commit

Status

Fixed in kernel 2.6.35

[Home]