diff options
author | Vivek Goyal <vgoyal@redhat.com> | 2010-11-06 08:16:05 -0400 |
---|---|---|
committer | Linus Torvalds <torvalds@linux-foundation.org> | 2010-11-06 07:49:56 -0700 |
commit | d017bf6b4ff57db16a481a48bdad79274610a403 (patch) | |
tree | 3b4cb3b4c3b5b024abdae29ec973cbd903afe6fc /drivers | |
parent | 151f52f09c5728ecfdd0c289da1a4b30bb416f2c (diff) | |
download | kernel_samsung_aries-d017bf6b4ff57db16a481a48bdad79274610a403.zip kernel_samsung_aries-d017bf6b4ff57db16a481a48bdad79274610a403.tar.gz kernel_samsung_aries-d017bf6b4ff57db16a481a48bdad79274610a403.tar.bz2 |
floppy: fix another use-after-free
While scanning the floopy code due to c093ee4f07f4 ("floppy: fix
use-after-free in module load failure path"), I found one more instance
of trying to access disk->queue pointer after doing put_disk() on
gendisk. For some reason , floppy moule still loads/unloads fine. The
object is probably still around with right pointer values.
o There seems to be one more instance of trying to cleanup the request
queue after we have called put_disk() on associated gendisk.
o This fix is more out of code inspection. Even without this fix for
some reason I am able to load/unload floppy module without any
issues.
o Floppy module loads/unloads fine after the fix.
Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Diffstat (limited to 'drivers')
-rw-r--r-- | drivers/block/floppy.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/drivers/block/floppy.c b/drivers/block/floppy.c index 8f19b38..3951020 100644 --- a/drivers/block/floppy.c +++ b/drivers/block/floppy.c @@ -4573,8 +4573,8 @@ static void __exit floppy_module_exit(void) device_remove_file(&floppy_device[drive].dev, &dev_attr_cmos); platform_device_unregister(&floppy_device[drive]); } - put_disk(disks[drive]); blk_cleanup_queue(disks[drive]->queue); + put_disk(disks[drive]); } del_timer_sync(&fd_timeout); |