From: Dave Olien <dmo@osdl.org>
The raw.c character device Oopses dereferencing a NULL pointer in
bd_claim() This problem occurred after bd_claim() in block_dev.c was
modified to "claim the whole device when a partition is claimed".
raw_open() made the mistake of calling bd_claim BEFORE calling blkdev_get().
At that time, the bdev->bd_contains field has not yet been initialized.
Switching the order allows blkdev_get() to initialize those fields before
calling bd_claim().
Also fixed up some error return paths:
igrab() should never fail under these circumstances since the caller
already has a reference to that inode through the bdev at that time.
In the event of blkdev_get() failure or set_blocksize() failure, not all
the work to unwind from the error was done.
25-akpm/drivers/char/raw.c | 24 ++++++++++++------------
1 files changed, 12 insertions(+), 12 deletions(-)
diff -puN drivers/char/raw.c~raw-driver-fixes drivers/char/raw.c
--- 25/drivers/char/raw.c~raw-driver-fixes Thu Aug 28 16:09:29 2003
+++ 25-akpm/drivers/char/raw.c Thu Aug 28 16:09:29 2003
@@ -60,25 +60,25 @@ static int raw_open(struct inode *inode,
bdev = raw_devices[minor].binding;
err = -ENODEV;
if (bdev) {
- err = bd_claim(bdev, raw_open);
+ err = blkdev_get(bdev, filp->f_mode, 0, BDEV_RAW);
if (err)
goto out;
- err = -ENODEV;
- if (!igrab(bdev->bd_inode))
+ igrab(bdev->bd_inode);
+ err = bd_claim(bdev, raw_open);
+ if (err) {
+ blkdev_put(bdev, BDEV_RAW);
goto out;
- err = blkdev_get(bdev, filp->f_mode, 0, BDEV_RAW);
+ }
+ err = set_blocksize(bdev, bdev_hardsect_size(bdev));
if (err) {
bd_release(bdev);
+ blkdev_put(bdev, BDEV_RAW);
goto out;
- } else {
- err = set_blocksize(bdev, bdev_hardsect_size(bdev));
- if (err == 0) {
- filp->f_flags |= O_DIRECT;
- if (++raw_devices[minor].inuse == 1)
- filp->f_dentry->d_inode->i_mapping =
- bdev->bd_inode->i_mapping;
- }
}
+ filp->f_flags |= O_DIRECT;
+ if (++raw_devices[minor].inuse == 1)
+ filp->f_dentry->d_inode->i_mapping =
+ bdev->bd_inode->i_mapping;
}
filp->private_data = bdev;
out:
_