From c093ee4f07f46d3a835841cafa07514fa94878d2 Mon Sep 17 00:00:00 2001 From: Linus Torvalds Date: Fri, 5 Nov 2010 17:45:59 -0700 Subject: floppy: fix use-after-free in module load failure path Commit 488211844e0c ("floppy: switch to one queue per drive instead of sharing a queue") introduced a use-after-free. We do "put_disk()" on the disk device _before_ we then clean up the queue associated with that disk. Move the put_disk() down to avoid dereferencing a free'd data structure. Cc: Jens Axboe Cc: Vivek Goyal Reported-and-tested-by: Randy Dunlap Signed-off-by: Linus Torvalds --- drivers/block/floppy.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'drivers/block') diff --git a/drivers/block/floppy.c b/drivers/block/floppy.c index 767107cce982..8f19b380ca83 100644 --- a/drivers/block/floppy.c +++ b/drivers/block/floppy.c @@ -4363,9 +4363,9 @@ out_unreg_blkdev: out_put_disk: while (dr--) { del_timer(&motor_off_timer[dr]); - put_disk(disks[dr]); if (disks[dr]->queue) blk_cleanup_queue(disks[dr]->queue); + put_disk(disks[dr]); } return err; } -- cgit v1.2.3