From: Vivek Goyal <vgoyal@redhat.com>
Date: Sat, 6 Nov 2010 12:16:05 +0000 (-0400)
Subject: floppy: fix another use-after-free
X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=d017bf6b4ff57db16a481a48bdad79274610a403;p=GitHub%2Fexynos8895%2Fandroid_kernel_samsung_universal8895.git

floppy: fix another use-after-free

While scanning the floppy code due to c093ee4f07f4 ("floppy: fix
use-after-free in module load failure path"), I found one more instance
of trying to access disk->queue pointer after doing put_disk() on
gendisk.  For some reason, floppy module still loads/unloads fine.  The
object is probably still around with right pointer values.

 o There seems to be one more instance of trying to cleanup the request
   queue after we have called put_disk() on associated gendisk.

 o This fix is more out of code inspection.  Even without this fix for
   some reason I am able to load/unload floppy module without any
   issues.

 o Floppy module loads/unloads fine after the fix.

Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
---

diff --git a/drivers/block/floppy.c b/drivers/block/floppy.c
index 8f19b380ca83..3951020e494a 100644
--- a/drivers/block/floppy.c
+++ b/drivers/block/floppy.c
@@ -4573,8 +4573,8 @@ static void __exit floppy_module_exit(void)
 			device_remove_file(&floppy_device[drive].dev, &dev_attr_cmos);
 			platform_device_unregister(&floppy_device[drive]);
 		}
-		put_disk(disks[drive]);
 		blk_cleanup_queue(disks[drive]->queue);
+		put_disk(disks[drive]);
 	}
 
 	del_timer_sync(&fd_timeout);
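
Review bot: the order of blk_cleanup_queue() and put_disk() at the end of the per-drive loop in floppy_module_exit() is now correct, but nothing in the code records why it matters, and the commit message says this is the second place the same ordering mistake turned up. A one-line comment above blk_cleanup_queue(disks[drive]->queue) stating that the queue has to be cleaned up while the gendisk reference is still held, because put_disk() may release the object that disks[drive]->queue is read from, would keep the two calls from being swapped back in a later cleanup. The message also reports that module load/unload succeeded before the change, so that test cannot distinguish the fixed ordering from the broken one; the change rests on the code inspection alone.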