floppy: fix use-after-free in module load failure path

Commit 4882118 ("floppy: switch to one queue per drive instead of sharing a queue") introduced a use-after-free. We do "put_disk()" on the disk device _before_ we then clean up the queue associated with that disk. Move the put_disk() down to avoid dereferencing a free'd data structure. Cc: Jens Axboe <[email protected]> Cc: Vivek Goyal <[email protected]> Reported-and-tested-by: Randy Dunlap <[email protected]> Signed-off-by: Linus Torvalds <[email protected]>
ambv · Nov 6, 2010 · c093ee4 · c093ee4
1 parent 433039e
commit c093ee4
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/drivers/block/floppy.c b/drivers/block/floppy.c
@@ -4363,9 +4363,9 @@ static int __init floppy_init(void)
 out_put_disk:
 	while (dr--) {
 		del_timer(&motor_off_timer[dr]);
-		put_disk(disks[dr]);
 		if (disks[dr]->queue)
 			blk_cleanup_queue(disks[dr]->queue);
+		put_disk(disks[dr]);
 	}
 	return err;
 }