diff options
author | Linus Torvalds <torvalds@linux-foundation.org> | 2010-11-05 17:45:59 -0700 |
---|---|---|
committer | Linus Torvalds <torvalds@linux-foundation.org> | 2010-11-05 17:45:59 -0700 |
commit | c093ee4f07f46d3a835841cafa07514fa94878d2 (patch) | |
tree | aafb816d450e3e3dd352c650b50fe2202919dd2c /drivers | |
parent | 433039e97f672b81e6c8f6daef385dcf035c6e29 (diff) |
floppy: fix use-after-free in module load failure path
Commit 488211844e0c ("floppy: switch to one queue per drive instead of
sharing a queue") introduced a use-after-free. We do "put_disk()" on
the disk device _before_ we then clean up the queue associated with that
disk.
Move the put_disk() down to avoid dereferencing a free'd data structure.
Cc: Jens Axboe <jaxboe@fusionio.com>
Cc: Vivek Goyal <vgoyal@redhat.com>
Reported-and-tested-by: Randy Dunlap <randy.dunlap@oracle.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Diffstat (limited to 'drivers')
-rw-r--r-- | drivers/block/floppy.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/drivers/block/floppy.c b/drivers/block/floppy.c index 767107cce98..8f19b380ca8 100644 --- a/drivers/block/floppy.c +++ b/drivers/block/floppy.c @@ -4363,9 +4363,9 @@ out_unreg_blkdev: out_put_disk: while (dr--) { del_timer(&motor_off_timer[dr]); - put_disk(disks[dr]); if (disks[dr]->queue) blk_cleanup_queue(disks[dr]->queue); + put_disk(disks[dr]); } return err; } |