floppy: fix use-after-free in module load failure path
Commit 488211844e
("floppy: switch to one queue per drive instead of
sharing a queue") introduced a use-after-free. We do "put_disk()" on
the disk device _before_ we then clean up the queue associated with that
disk.
Move the put_disk() down to avoid dereferencing a free'd data structure.
Cc: Jens Axboe <jaxboe@fusionio.com>
Cc: Vivek Goyal <vgoyal@redhat.com>
Reported-and-tested-by: Randy Dunlap <randy.dunlap@oracle.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
This commit is contained in:
parent
433039e97f
commit
c093ee4f07
|
@ -4363,9 +4363,9 @@ out_unreg_blkdev:
|
|||
out_put_disk:
|
||||
while (dr--) {
|
||||
del_timer(&motor_off_timer[dr]);
|
||||
put_disk(disks[dr]);
|
||||
if (disks[dr]->queue)
|
||||
blk_cleanup_queue(disks[dr]->queue);
|
||||
put_disk(disks[dr]);
|
||||
}
|
||||
return err;
|
||||
}
|
||||
|
|
Loading…
Reference in New Issue