Details


Issue of the Implementation # L0019

Brief

drivers/mtd/mtd_blkdevs.c: Unsafe use of function module_put

Detailed Description

In the driver drivers/mtd/mtd_blkdevs.c.ldv.c, in function blktrans_open:

  1. If try_module_get(tr->owner) returns 0 in line 140, control jumps to line 152 (label out_tr).
  2. At line 152 (label out_tr), module_put is called on the unloaded driver, although the failed try_module_get took no reference.

    131 static int blktrans_open(struct block_device *bdev, fmode_t mode)
    132 {
    133         struct mtd_blktrans_dev *dev = bdev->bd_disk->private_data;
    134         struct mtd_blktrans_ops *tr = dev->tr;
    135         int ret = -ENODEV;
    136
    137         if (!get_mtd_device(NULL, dev->mtd->index))
    138                 goto out;
    139
    140         if (!try_module_get(tr->owner))
    141                 goto out_tr;
    142
    143         /* FIXME: Locking. A hot pluggable device can go away
    144            (del_mtd_device can be called for it) without its module
    145            being unloaded. */
    146         dev->mtd->usecount++;
    147
    148         ret = 0;
    149         if (tr->open && (ret = tr->open(dev))) {
    150                 dev->mtd->usecount--;
    151                 put_mtd_device(dev->mtd);
    152         out_tr:
    153                 module_put(tr->owner);
    154         }
    155  out:
    156         return ret;
    157 }
    

Reproducing

Replace

    141                 goto out_tr;

with

    141                 goto out;
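
The control flow above, reduced to a user-space C model that tracks only the owner module's reference count. This is an added example, not kernel code and not part of the original report; fake_module, fake_try_get, fake_put, open_as_listed, open_goto_out and ref_delta are hypothetical names. It compares the flow as listed with the flow after the line 141 replacement.

```c
#include <stdio.h>

/* Stand-ins for struct module, try_module_get() and module_put(); only the
 * reference count and whether the module is still live are modelled. */
struct fake_module { int live; int refs; };
static int fake_try_get(struct fake_module *m) { return m->live ? (m->refs++, 1) : 0; }
static void fake_put(struct fake_module *m) { m->refs--; }

/* Flow of lines 140-156 as listed: a failed get jumps to out_tr. */
static int open_as_listed(struct fake_module *owner, int open_ret)
{
    int ret = -19; /* -ENODEV */
    if (!fake_try_get(owner))
        goto out_tr;
    ret = open_ret; /* stands in for tr->open(dev) */
    if (ret) {
out_tr:
        fake_put(owner);
    }
    return ret;
}

/* Same flow with line 141 changed to "goto out". */
static int open_goto_out(struct fake_module *owner, int open_ret)
{
    int ret = -19;
    if (!fake_try_get(owner))
        goto out;
    ret = open_ret;
    if (ret)
        fake_put(owner);
out:
    return ret;
}

/* Net reference-count change after one open attempt. */
static int ref_delta(int (*fn)(struct fake_module *, int), int live, int open_ret)
{
    struct fake_module m = { live, 0 };
    fn(&m, open_ret);
    return m.refs;
}

int main(void)
{
    printf("owner going away: as listed %d, goto out %d\n",
           ref_delta(open_as_listed, 0, 0), ref_delta(open_goto_out, 0, 0));
    return 0;
}
```

A negative result means a reference was dropped that was never taken; both flows agree whenever the get succeeds.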
    

Component

linux-kernel 2.6.32.6

Accepted

http://lkml.org/lkml/2010/1/12/246
commit

Status

Fixed in kernel 2.6.35
