From 94735ec4044a6d318b83ad3c5794e931ed168d10 Mon Sep 17 00:00:00 2001 From: Artem Bityutskiy Date: Mon, 18 Apr 2011 07:50:37 +0300 Subject: mtd: mtd_blkdevs: fix error path in blktrans_open The 'blktrans_open()' does not handle possible '__get_mtd_device()' failures because it does not check the error code. Moreover, the 'dev->tr->open()' failures are not handled correctly because in this case the function just goes ahead and gets the mtd device, then returns an error. But Instead, it should _not_ try to get the mtd device, then it should put back the module and the kref. This patch fixes the issue. Note, I only compile-tested it. This patch was inspired by a bug report about a similar issue in 2.6.34 kernels sent by Mike Turner to the MTD mailing list: http://lists.infradead.org/pipermail/linux-mtd/2011-April/034980.html Signed-off-by: Artem Bityutskiy Signed-off-by: David Woodhouse
diff --git a/drivers/mtd/mtd_blkdevs.c b/drivers/mtd/mtd_blkdevs.c
index a534e1f..ca38569 100644
--- a/drivers/mtd/mtd_blkdevs.c
+++ b/drivers/mtd/mtd_blkdevs.c
@@ -221,15 +221,33 @@ static int blktrans_open(struct block_device *bdev, fmode_t mode)
 kref_get(&dev->ref);
 __module_get(dev->tr->owner);
- if (dev->mtd) {
- ret = dev->tr->open ? dev->tr->open(dev) : 0;
- __get_mtd_device(dev->mtd);
+ if (!dev->mtd)
+ goto unlock;
+
+ if (dev->tr->open) {
+ ret = dev->tr->open(dev);
+ if (ret)
+ goto error_put;
 }
+ ret = __get_mtd_device(dev->mtd);
+ if (ret)
+ goto error_release;
+
 unlock:
 mutex_unlock(&dev->lock);
 blktrans_dev_put(dev);
 return ret;
+
+error_release:
+ if (dev->tr->release)
+ dev->tr->release(dev);
+error_put:
+ module_put(dev->tr->owner);
+ kref_put(&dev->ref, blktrans_dev_release);
+ mutex_unlock(&dev->lock);
+ blktrans_dev_put(dev);
+ return ret;
 }
 static int blktrans_release(struct gendisk *disk, fmode_t mode)
-- cgit v0.10.2
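Review bot: The new `error_put:` path rolls back only the two acquisitions visible in this hunk (`kref_get()` and `__module_get()`), so any state blktrans_open() changed above the hunk is left as it was. The function starts outside the hunk, so this needs checking against the full body: if an open counter is incremented before `kref_get()` (the shared `unlock:` exit suggests an earlier fast path for already-open devices), a failed `dev->tr->open()` or `__get_mtd_device()` leaves it raised. Later opens would then return success without the translation layer or the MTD device being held, and the matching release would presumably drop a module reference and kref that this path already returned, an imbalance that can end in a use-after-free. The error path should undo the count as well, e.g. `dev->open--;` under `error_put:` if the counter is the device's `open` field (to be confirmed), or the increment should move after the last failure point.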