+ loop_probe-fix-return-value.patch added to -mm tree

akpm@xxxxxxxxxxxxxxxxxxxx · Thu, 10 May 2007 23:23:10 -0700

The patch titled
     loop_probe: fix return value
has been added to the -mm tree.  Its filename is
     loop_probe-fix-return-value.patch

*** Remember to use Documentation/SubmitChecklist when testing your code ***

See http://www.zip.com.au/~akpm/linux/patches/stuff/added-to-mm.txt to find
out what to do about this

------------------------------------------------------
Subject: loop_probe: fix return value
From: "Ken Chen" <kenchen@xxxxxxxxxx>

A BUG is actually triggered by the __module_get(THIS_MODULE) in
loop_set_fd.

It's a mis-understanding on what kobj_probe_t function is suppose to return
on success.  When we open loop device that has not been initialized, we
probe it via:

do_open
  get_gendisk
    kobj_lookup
      loop_probe

Notice that in kobj_lookup(), when p->probe() returns non-zero value (I
presume it is an -ERRNO), it breaks out of the loop and propagate the
return value, otherwise, loops back to the beginning of the for loop and
retry, and in there get_disk() will be called via p->lock() to get a ref
against the module.

kobj_look_up(...) {
retry:
        mutex_lock(domain->lock);
        for (p = domain->probes[MAJOR(dev) % 255]; p; p = p->next) {
        ...
        if (kobj)
                return kobj;
        goto retry;
}

So loop_probe() mistakenly returned wrong status and leads to future
oops on inconsistent module ref count.  The following patch fixes the
issue.

Signed-off-by: Ken Chen <kenchen@xxxxxxxxxx>
Cc: "Jeremy Fitzhardinge" <jeremy@xxxxxxxx>
Cc: "Peter Zijlstra" <a.p.zijlstra@xxxxxxxxx>
Cc: "Alexey Dobriyan" <adobriyan@xxxxx>
Signed-off-by: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx>
---

 drivers/block/loop.c |    5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff -puN drivers/block/loop.c~loop_probe-fix-return-value drivers/block/loop.c

--- a/drivers/block/loop.c~loop_probe-fix-return-value
+++ a/drivers/block/loop.c
@@ -1460,6 +1460,7 @@ static void loop_del_one(struct loop_dev
 	kfree(lo);
 }
 
+/* return NULL for success, or return non-zero value if there are error */
 static struct kobject *loop_probe(dev_t dev, int *part, void *data)
 {
 	unsigned int number = dev & MINORMASK;
@@ -1474,8 +1475,8 @@ static struct kobject *loop_probe(dev_t 
 	*part = 0;
 	if (IS_ERR(lo))
 		return (void *)lo;
-	else
-		return &lo->lo_disk->kobj;
+
+	return NULL;
 }
 
 static int __init loop_init(void)
_

Patches currently in -mm which might be from kenchen@xxxxxxxxxx are

origin.patch
loop_probe-fix-return-value.patch
cache-pipe-buf-page-address-for-non-highmem-arch.patch

-
To unsubscribe from this list: send the line "unsubscribe mm-commits" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html




