summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorLinus Torvalds <torvalds@linux-foundation.org>2010-11-05 17:45:59 -0700
committerLinus Torvalds <torvalds@linux-foundation.org>2010-11-05 17:45:59 -0700
commitc093ee4f07f46d3a835841cafa07514fa94878d2 (patch)
treeaafb816d450e3e3dd352c650b50fe2202919dd2c
parent433039e97f672b81e6c8f6daef385dcf035c6e29 (diff)
downloadlinux-3.10-c093ee4f07f46d3a835841cafa07514fa94878d2.tar.gz
linux-3.10-c093ee4f07f46d3a835841cafa07514fa94878d2.tar.bz2
linux-3.10-c093ee4f07f46d3a835841cafa07514fa94878d2.zip
floppy: fix use-after-free in module load failure path
Commit 488211844e0c ("floppy: switch to one queue per drive instead of sharing a queue") introduced a use-after-free. We do "put_disk()" on the disk device _before_ we then clean up the queue associated with that disk. Move the put_disk() down to avoid dereferencing a free'd data structure. Cc: Jens Axboe <jaxboe@fusionio.com> Cc: Vivek Goyal <vgoyal@redhat.com> Reported-and-tested-by: Randy Dunlap <randy.dunlap@oracle.com> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-rw-r--r--drivers/block/floppy.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/drivers/block/floppy.c b/drivers/block/floppy.c
index 767107cce98..8f19b380ca8 100644
--- a/drivers/block/floppy.c
+++ b/drivers/block/floppy.c
@@ -4363,9 +4363,9 @@ out_unreg_blkdev:
out_put_disk:
while (dr--) {
del_timer(&motor_off_timer[dr]);
- put_disk(disks[dr]);
if (disks[dr]->queue)
blk_cleanup_queue(disks[dr]->queue);
+ put_disk(disks[dr]);
}
return err;
}