From: Josef Bacik <jbacik@fb.com>
Date: Wed, 16 May 2018 18:51:17 +0000 (-0400)
Subject: nbd: fix nbd device deletion
X-Git-Tag: v4.16.18~30
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=481684cacb2cc00cbdb35d52edb4aa5d5e3bec39;p=thirdparty%2Fkernel%2Fstable.git

nbd: fix nbd device deletion

commit 8364da4751cf22201d74933d5e634176f44ed407 upstream.

This fixes a use after free bug, we shouldn't be doing disk->queue right
after we do del_gendisk(disk).  Save the queue and do the cleanup after
the del_gendisk.

Fixes: c6a4759ea0c9 ("nbd: add device refcounting")
cc: stable@vger.kernel.org
Signed-off-by: Josef Bacik <jbacik@fb.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---

diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c
index 86258b00a1d4d..7a2101030683c 100644
--- a/drivers/block/nbd.c
+++ b/drivers/block/nbd.c
@@ -173,9 +173,12 @@ static const struct device_attribute pid_attr = {
 static void nbd_dev_remove(struct nbd_device *nbd)
 {
 	struct gendisk *disk = nbd->disk;
+	struct request_queue *q;
+
 	if (disk) {
+		q = disk->queue;
 		del_gendisk(disk);
-		blk_cleanup_queue(disk->queue);
+		blk_cleanup_queue(q);
 		blk_mq_free_tag_set(&nbd->tag_set);
 		disk->private_data = NULL;
 		put_disk(disk);