module: ensure that kobject_put() is safe for module type kobjects
In 'lookup_or_create_module_kobject()', an internal kobject is created
using 'module_ktype'. So a call to 'kobject_put()' on the error handling
path causes an attempt to use an uninitialized completion pointer in
'module_kobject_release()'. In this scenario, we just want to release the
kobject without the extra synchronization required for a regular module
unloading process, so adding an extra check whether 'complete()' is
actually required makes 'kobject_put()' safe.

Reported-by: syzbot+7fb8a372e1f6add936dd@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=7fb8a372e1f6add936dd
Fixes: 942e443 ("module: Fix mod->mkobj.kobj potentially freed too early")
Cc: stable@vger.kernel.org
Suggested-by: Petr Pavlu <petr.pavlu@suse.com>
Signed-off-by: Dmitry Antipov <dmantipov@yandex.ru>
Link: https://lore.kernel.org/r/20250507065044.86529-1-dmantipov@yandex.ru
Signed-off-by: Petr Pavlu <petr.pavlu@suse.com>
Dmitry Antipov authored and Petr Pavlu committed May 7, 2025
1 parent 92a09c4 commit a6aeb73
Showing 1 changed file with 3 additions and 1 deletion.
4 changes: 3 additions & 1 deletion kernel/params.c
Expand Up @@ -943,7 +943,9 @@ struct kset *module_kset;
static void module_kobj_release(struct kobject *kobj)
{
struct module_kobject *mk = to_module_kobject(kobj);
complete(mk->kobj_completion);

if (mk->kobj_completion)
complete(mk->kobj_completion);
}

const struct kobj_type module_ktype = {
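
Review bot: the new `if (mk->kobj_completion)` test in module_kobj_release() is only safe if the pointer is reliably NULL for every module_kobject that is released without a waiter, and nothing in the hunk shows or documents that invariant. The commit message describes the pointer as "uninitialized" on the lookup_or_create_module_kobject() error path; if the field can hold garbage rather than zero there, the check still passes a bad pointer to complete(). Please confirm that the allocation of the internal kobject zeroes the structure, and add a short comment above the check saying that kobj_completion is NULL for kobjects created in lookup_or_create_module_kobject() and is set only on the regular module unload path. Minor: the commit message refers to 'module_kobject_release()', while the function changed here is module_kobj_release().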