mtd: mtd_blkdevs: fix error path in blktrans_open

The 'blktrans_open()' does not handle possible '__get_mtd_device()' failures because it does not check the error code. Moreover, the 'dev->tr->open()' failures are not handled correctly because in this case the function just goes ahead and gets the mtd device, then returns an error. But Instead, it should _not_ try to get the mtd device, then it should put back the module and the kref. This patch fixes the issue. Note, I only compile-tested it. This patch was inspired by a bug report about a similar issue in 2.6.34 kernels sent by Mike Turner <admin@islandsoftware.co.uk> to the MTD mailing list: http://lists.infradead.org/pipermail/linux-mtd/2011-April/034980.html Signed-off-by: Artem Bityutskiy <Artem.Bityutskiy@nokia.com> Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

mtd: mtd_blkdevs: fix error path in blktrans_open
The 'blktrans_open()' does not handle possible '__get_mtd_device()' failures because it does not check the error code. Moreover, the 'dev->tr->open()' failures are not handled correctly because in this case the function just goes ahead and gets the mtd device, then returns an error. But Instead, it should _not_ try to get the mtd device, then it should put back the module and the kref. This patch fixes the issue. Note, I only compile-tested it. This patch was inspired by a bug report about a similar issue in 2.6.34 kernels sent by Mike Turner <admin@islandsoftware.co.uk> to the MTD mailing list: http://lists.infradead.org/pipermail/linux-mtd/2011-April/034980.html Signed-off-by: Artem Bityutskiy <Artem.Bityutskiy@nokia.com> Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
Artem Bityutskiy · David Woodhouse
1 parent 5c39c4c54c
Showing 1 changed file with 21 additions and 3 deletions Side-by-side Diff
drivers/mtd/mtd_blkdevs.c
@@ -221,12 +221,30 @@
 	kref_get(&dev->ref);
 	__module_get(dev->tr->owner);
  
-	if (dev->mtd) {
-		ret = dev->tr->open ? dev->tr->open(dev) : 0;
-		__get_mtd_device(dev->mtd);
+	if (!dev->mtd)
+		goto unlock;
+
+	if (dev->tr->open) {
+		ret = dev->tr->open(dev);
+		if (ret)
+			goto error_put;
 	}
  
+	ret = __get_mtd_device(dev->mtd);
+	if (ret)
+		goto error_release;
+
 unlock:
+	mutex_unlock(&dev->lock);
+	blktrans_dev_put(dev);
+	return ret;
+
+error_release:
+	if (dev->tr->release)
+		dev->tr->release(dev);
+error_put:
+	module_put(dev->tr->owner);
+	kref_put(&dev->ref, blktrans_dev_release);
 	mutex_unlock(&dev->lock);
 	blktrans_dev_put(dev);
 	return ret;
...	...	@@ -221,12 +221,30 @@
221	221	kref_get(&dev->ref);
222	222	__module_get(dev->tr->owner);
223	223
224		- if (dev->mtd) {
225		- ret = dev->tr->open ? dev->tr->open(dev) : 0;
226		- __get_mtd_device(dev->mtd);
	224	+ if (!dev->mtd)
	225	+ goto unlock;
	226	+
	227	+ if (dev->tr->open) {
	228	+ ret = dev->tr->open(dev);
	229	+ if (ret)
	230	+ goto error_put;
227	231	}
228	232
	233	+ ret = __get_mtd_device(dev->mtd);
	234	+ if (ret)
	235	+ goto error_release;
	236	+
229	237	unlock:
	238	+ mutex_unlock(&dev->lock);
	239	+ blktrans_dev_put(dev);
	240	+ return ret;
	241	+
	242	+error_release:
	243	+ if (dev->tr->release)
	244	+ dev->tr->release(dev);
	245	+error_put:
	246	+ module_put(dev->tr->owner);
	247	+ kref_put(&dev->ref, blktrans_dev_release);
230	248	mutex_unlock(&dev->lock);
231	249	blktrans_dev_put(dev);
232	250	return ret;