On Tue, May 17, 2022 at 09:47:57PM +0400, Denis Efremov wrote:
Hi,
On 5/8/22 13:37, Willy Tarreau wrote:
Interrupt handler bad_flp_intr() may cause a UAF on the recently freed request just to increment the error count. There's no point keeping that one in the request anyway, and since the interrupt handler uses a static pointer to the error which cannot be kept in sync with the pending request, better make it use a static error counter that's reset for each new request. This reset now happens when entering redo_fd_request() for a new request via set_next_request().
One initial concern about a single error counter was that errors on one floppy drive could be reported on another one, but this problem is not real given that the driver uses a single drive at a time, as that PC-compatible controllers also have this limitation by using shared signals. As such the error count is always for the "current" drive.
Reported-by: Minh Yuan yuanmingbuaa@gmail.com Suggested-by: Linus Torvalds torvalds@linuxfoundation.org Tested-by: Denis Efremov efremov@linux.com Signed-off-by: Willy Tarreau w@1wt.eu
Could you please take this patch (only this one) to the stable trees?
commit f71f01394f742fc4558b3f9f4c7ef4c4cf3b07c8 upstream.
The patch applies cleanly to 5.17, 5.15, 5.10 kernels. I'll send a backport for 5.4 and older kernels.
All now queued up, thanks.
greg k-h