patch-2.4.22 linux-2.4.22/kernel/module.c

Next file: linux-2.4.22/kernel/printk.c
Previous file: linux-2.4.22/kernel/ksyms.c
Back to the patch index
Back to the overall index

diff -urN linux-2.4.21/kernel/module.c linux-2.4.22/kernel/module.c
@@ -345,10 +345,10 @@
 asmlinkage long
 sys_init_module(const char *name_user, struct module *mod_user)
 {
-	struct module mod_tmp, *mod;
+	struct module mod_tmp, *mod, *mod2 = NULL;
 	char *name, *n_name, *name_tmp = NULL;
 	long namelen, n_namelen, i, error;
-	unsigned long mod_user_size;
+	unsigned long mod_user_size, flags;
 	struct module_ref *dep;
 
 	if (!capable(CAP_SYS_MODULE))
@@ -387,11 +387,23 @@
 	}
 	strcpy(name_tmp, mod->name);
 
-	error = copy_from_user(mod, mod_user, mod_user_size);
+	/* Copying mod_user directly over mod breaks the module_list chain and
+	 * races against search_exception_table.  copy_from_user may sleep so it
+	 * cannot be under modlist_lock, do the copy in two stages.
+	 */
+	if (!(mod2 = vmalloc(mod_user_size))) {
+		error = -ENOMEM;
+		goto err2;
+	}
+	error = copy_from_user(mod2, mod_user, mod_user_size);
 	if (error) {
 		error = -EFAULT;
 		goto err2;
 	}
+	spin_lock_irqsave(&modlist_lock, flags);
+	memcpy(mod, mod2, mod_user_size);
+	mod->next = mod_tmp.next;
+	spin_unlock_irqrestore(&modlist_lock, flags);
 
 	/* Sanity check the size of the module.  */
 	error = -EINVAL;
@@ -505,7 +517,6 @@
 	   to make the I and D caches consistent.  */
 	flush_icache_range((unsigned long)mod, (unsigned long)mod + mod->size);
 
-	mod->next = mod_tmp.next;
 	mod->refs = NULL;
 
 	/* Sanity check the module's dependents */
@@ -571,6 +582,8 @@
 err1:
 	put_mod_name(name);
 err0:
+	if (mod2)
+		vfree(mod2);
 	unlock_kernel();
 	kfree(name_tmp);
 	return error;

FUNET's LINUX-ADM group, linux-adm@nic.funet.fi
TCL-scripts by Sam Shen (who was at: slshen@lbl.gov)