From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org, Minh Yuan <yuanmingbuaa@gmail.com>,
	Linus Torvalds <torvalds@linuxfoundation.org>,
	Denis Efremov <efremov@linux.com>, Willy Tarreau <w@1wt.eu>,
	Linus Torvalds <torvalds@linux-foundation.org>
Subject: [PATCH 5.10 03/97] floppy: use a statically allocated error counter
Date: Mon, 23 May 2022 19:05:07 +0200
Message-ID: <20220523165812.830412487@linuxfoundation.org>
In-Reply-To: <20220523165812.244140613@linuxfoundation.org>

From: Willy Tarreau <w@1wt.eu>

commit f71f01394f742fc4558b3f9f4c7ef4c4cf3b07c8 upstream.

Interrupt handler bad_flp_intr() may cause a UAF on the recently freed
request just to increment the error count.  There's no point keeping
that one in the request anyway, and since the interrupt handler uses a
static pointer to the error which cannot be kept in sync with the
pending request, better make it use a static error counter that's reset
for each new request.  This reset now happens when entering
redo_fd_request() for a new request via set_next_request().

One initial concern about a single error counter was that errors on one
floppy drive could be reported on another one, but this problem is not
real given that the driver uses a single drive at a time, as
PC-compatible controllers also have this limitation by using shared
signals.  As such the error count is always for the "current" drive.

Reported-by: Minh Yuan <yuanmingbuaa@gmail.com>
Suggested-by: Linus Torvalds <torvalds@linuxfoundation.org>
Tested-by: Denis Efremov <efremov@linux.com>
Signed-off-by: Willy Tarreau <w@1wt.eu>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Denis Efremov <efremov@linux.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/block/floppy.c |   20 +++++++++-----------
 1 file changed, 9 insertions(+), 11 deletions(-)

--- a/drivers/block/floppy.c
+++ b/drivers/block/floppy.c
@@ -509,8 +509,8 @@ static unsigned long fdc_busy;
 static DECLARE_WAIT_QUEUE_HEAD(fdc_wait);
 static DECLARE_WAIT_QUEUE_HEAD(command_done);
 
-/* Errors during formatting are counted here. */
-static int format_errors;
+/* errors encountered on the current (or last) request */
+static int floppy_errors;
 
 /* Format request descriptor. */
 static struct format_descr format_req;
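Review bot: the new comment on floppy_errors should also record its ownership rules, since the counter is now shared by the read/write and format paths: it is zeroed in set_next_request() and do_format() (both changed later in this patch) and incremented from interrupt context in bad_flp_intr(). Something like "reset when a new request or format starts; only the interrupt path increments it" would tell the next reader why a single counter is safe.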
@@ -530,7 +530,6 @@ static struct format_descr format_req;
 static char *floppy_track_buffer;
 static int max_buffer_sectors;
 
-static int *errors;
 typedef void (*done_f)(int);
 static const struct cont_t {
 	void (*interrupt)(void);
@@ -1455,7 +1454,7 @@ static int interpret_errors(void)
 			if (drive_params[current_drive].flags & FTD_MSG)
 				DPRINT("Over/Underrun - retrying\n");
 			bad = 0;
-		} else if (*errors >= drive_params[current_drive].max_errors.reporting) {
+		} else if (floppy_errors >= drive_params[current_drive].max_errors.reporting) {
 			print_errors();
 		}
 		if (reply_buffer[ST2] & ST2_WC || reply_buffer[ST2] & ST2_BC)
@@ -2095,7 +2094,7 @@ static void bad_flp_intr(void)
 		if (!next_valid_format(current_drive))
 			return;
 	}
-	err_count = ++(*errors);
+	err_count = ++floppy_errors;
 	INFBOUND(write_errors[current_drive].badness, err_count);
 	if (err_count > drive_params[current_drive].max_errors.abort)
 		cont->done(0);
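Review bot: this is the line the UAF came through (`err_count = ++(*errors);` dereferenced a pointer into a request that could already have been completed), and after the change bad_flp_intr() no longer touches the request at all. A short comment here stating that this interrupt path must only use floppy_errors and per-drive state such as write_errors[current_drive], never current_req, would guard against the pointer being reintroduced later.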
@@ -2240,9 +2239,8 @@ static int do_format(int drive, struct f
 		return -EINVAL;
 	}
 	format_req = *tmp_format_req;
-	format_errors = 0;
 	cont = &format_cont;
-	errors = &format_errors;
+	floppy_errors = 0;
 	ret = wait_til_done(redo_format, true);
 	if (ret == -EINTR)
 		return -EINTR;
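Review bot: do_format() is a second reset site for floppy_errors besides set_next_request(), but the commit message only mentions the latter; a line in the message, or a comment next to `floppy_errors = 0;`, saying why the format path needs its own reset would help. Moving the reset to after `cont = &format_cont;` is harmless, since both happen before wait_til_done().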
@@ -2721,7 +2719,7 @@ static int make_raw_rw_request(void)
 		 */
 		if (!direct ||
 		    (indirect * 2 > direct * 3 &&
-		     *errors < drive_params[current_drive].max_errors.read_track &&
+		     floppy_errors < drive_params[current_drive].max_errors.read_track &&
 		     ((!probing ||
 		       (drive_params[current_drive].read_track & (1 << drive_state[current_drive].probed_format)))))) {
 			max_size = blk_rq_sectors(current_req);
@@ -2846,10 +2844,11 @@ static int set_next_request(void)
 	current_req = list_first_entry_or_null(&floppy_reqs, struct request,
 					       queuelist);
 	if (current_req) {
-		current_req->error_count = 0;
+		floppy_errors = 0;
 		list_del_init(&current_req->queuelist);
+		return 1;
 	}
-	return current_req != NULL;
+	return 0;
 }
 
 /* Starts or continues processing request. Will automatically unlock the
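Review bot: the `return 1;` / `return 0;` rewrite of `return current_req != NULL;` is behaviour-preserving cleanup rather than part of the fix; for a stable backport a minimal hunk that only replaces `current_req->error_count = 0;` with `floppy_errors = 0;` would be easier to review and to cherry-pick to other branches. Not a correctness issue.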
@@ -2908,7 +2907,6 @@ do_request:
 		_floppy = floppy_type + drive_params[current_drive].autodetect[drive_state[current_drive].probed_format];
 	} else
 		probing = 0;
-	errors = &(current_req->error_count);
 	tmp = make_raw_rw_request();
 	if (tmp < 2) {
 		request_done(tmp);
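Review bot: with this assignment gone and the zeroing in set_next_request() replaced, nothing in this patch writes current_req->error_count any more; please confirm no reader of error_count remains in floppy.c (error reporting or request_done()), otherwise it would now see a stale value.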


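As an added illustration of the lifetime bug the commit message describes (not code from the patch or from floppy.c), the C model below contrasts the old static `errors` pointer with the new static counter; the `freed` flag, `errors_req`, `demo_rq` and the `old_`/`new_` function names are constructed for the model.

```c
/* Model of the error-counter lifetime this patch fixes (added illustration,
 * not kernel code). Names follow floppy.c; the 'freed' flag and errors_req
 * are constructed so a stale pointer is reported instead of dereferenced. */
#include <stdbool.h>

struct request { int error_count; bool freed; };

/* Before the patch: a static pointer into whichever request was current. */
static int *errors;
static struct request *errors_req;   /* constructed: request 'errors' targets */

static void old_start_request(struct request *rq)
{
	rq->error_count = 0;
	rq->freed = false;
	errors = &rq->error_count;       /* what redo_fd_request() did */
	errors_req = rq;
}

/* Request completes; 'errors' is not cleared, so it now dangles. */
static void old_request_done(struct request *rq) { rq->freed = true; }

/* Late interrupt: returns -1 where the real driver would read freed memory. */
static int old_bad_flp_intr(void)
{
	if (errors_req->freed)
		return -1;
	return ++(*errors);
}

/* After the patch: one static counter, reset whenever a request starts. */
static int floppy_errors;
static void new_set_next_request(void) { floppy_errors = 0; }
static int new_bad_flp_intr(void) { return ++floppy_errors; }

static struct request demo_rq;       /* constructed: a single request slot */

/* Request starts, takes one error, completes, then a late interrupt fires. */
static int old_scenario(void)
{
	old_start_request(&demo_rq);
	old_bad_flp_intr();              /* request still live: fine */
	old_request_done(&demo_rq);
	return old_bad_flp_intr();       /* -1: this was the UAF */
}

/* Two errors on one request, then a new request: the count starts over. */
static int new_scenario(void)
{
	new_set_next_request();
	new_bad_flp_intr(); new_bad_flp_intr();
	new_set_next_request();
	return new_bad_flp_intr();       /* 1 */
}
```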
