From: Vivek Goyal Date: Sat, 6 Nov 2010 12:16:05 +0000 (-0400) Subject: floppy: fix another use-after-free X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=d017bf6b4ff57db16a481a48bdad79274610a403;p=GitHub%2FLineageOS%2Fandroid_kernel_samsung_universal7580.git floppy: fix another use-after-free While scanning the floopy code due to c093ee4f07f4 ("floppy: fix use-after-free in module load failure path"), I found one more instance of trying to access disk->queue pointer after doing put_disk() on gendisk. For some reason , floppy moule still loads/unloads fine. The object is probably still around with right pointer values. o There seems to be one more instance of trying to cleanup the request queue after we have called put_disk() on associated gendisk. o This fix is more out of code inspection. Even without this fix for some reason I am able to load/unload floppy module without any issues. o Floppy module loads/unloads fine after the fix. Signed-off-by: Vivek Goyal Signed-off-by: Linus Torvalds --- diff --git a/drivers/block/floppy.c b/drivers/block/floppy.c index 8f19b380ca8..3951020e494 100644 --- a/drivers/block/floppy.c +++ b/drivers/block/floppy.c @@ -4573,8 +4573,8 @@ static void __exit floppy_module_exit(void) device_remove_file(&floppy_device[drive].dev, &dev_attr_cmos); platform_device_unregister(&floppy_device[drive]); } - put_disk(disks[drive]); blk_cleanup_queue(disks[drive]->queue); + put_disk(disks[drive]); } del_timer_sync(&fd_timeout);