summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorVivek Goyal <vgoyal@redhat.com>2010-11-06 08:16:05 -0400
committerLinus Torvalds <torvalds@linux-foundation.org>2010-11-06 07:49:56 -0700
commitd017bf6b4ff57db16a481a48bdad79274610a403 (patch)
tree3b4cb3b4c3b5b024abdae29ec973cbd903afe6fc
parent151f52f09c5728ecfdd0c289da1a4b30bb416f2c (diff)
downloadlwn-d017bf6b4ff57db16a481a48bdad79274610a403.tar.gz
lwn-d017bf6b4ff57db16a481a48bdad79274610a403.zip
floppy: fix another use-after-free
While scanning the floopy code due to c093ee4f07f4 ("floppy: fix use-after-free in module load failure path"), I found one more instance of trying to access disk->queue pointer after doing put_disk() on gendisk. For some reason , floppy moule still loads/unloads fine. The object is probably still around with right pointer values. o There seems to be one more instance of trying to cleanup the request queue after we have called put_disk() on associated gendisk. o This fix is more out of code inspection. Even without this fix for some reason I am able to load/unload floppy module without any issues. o Floppy module loads/unloads fine after the fix. Signed-off-by: Vivek Goyal <vgoyal@redhat.com> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-rw-r--r--drivers/block/floppy.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/drivers/block/floppy.c b/drivers/block/floppy.c
index 8f19b380ca83..3951020e494a 100644
--- a/drivers/block/floppy.c
+++ b/drivers/block/floppy.c
@@ -4573,8 +4573,8 @@ static void __exit floppy_module_exit(void)
device_remove_file(&floppy_device[drive].dev, &dev_attr_cmos);
platform_device_unregister(&floppy_device[drive]);
}
- put_disk(disks[drive]);
blk_cleanup_queue(disks[drive]->queue);
+ put_disk(disks[drive]);
}
del_timer_sync(&fd_timeout);