Commit c093ee4f authored by Linus Torvalds's avatar Linus Torvalds

floppy: fix use-after-free in module load failure path

Commit 48821184 ("floppy: switch to one queue per drive instead of
sharing a queue") introduced a use-after-free.  We do "put_disk()" on
the disk device _before_ we then clean up the queue associated with that
disk.

Move the put_disk() down to avoid dereferencing a free'd data structure.

Cc: Jens Axboe <jaxboe@fusionio.com>
Cc: Vivek Goyal <vgoyal@redhat.com>
Reported-and-tested-by: default avatarRandy Dunlap <randy.dunlap@oracle.com>
Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
parent 433039e9
...@@ -4363,9 +4363,9 @@ static int __init floppy_init(void) ...@@ -4363,9 +4363,9 @@ static int __init floppy_init(void)
out_put_disk: out_put_disk:
while (dr--) { while (dr--) {
del_timer(&motor_off_timer[dr]); del_timer(&motor_off_timer[dr]);
put_disk(disks[dr]);
if (disks[dr]->queue) if (disks[dr]->queue)
blk_cleanup_queue(disks[dr]->queue); blk_cleanup_queue(disks[dr]->queue);
put_disk(disks[dr]);
} }
return err; return err;
} }
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment