diff options
| author | Willy Tarreau <w@1wt.eu> | 2022-05-08 11:37:07 +0200 | 
|---|---|---|
| committer | Linus Torvalds <torvalds@linux-foundation.org> | 2022-05-08 10:01:48 -0700 | 
| commit | f71f01394f742fc4558b3f9f4c7ef4c4cf3b07c8 (patch) | |
| tree | f0c852b8b4e16189fa99aa8458a9759d7d1e8725 /lib/timerqueue.c | |
| parent | 30c8e80f79329617012f07b09b70114592092ea4 (diff) | |
floppy: use a statically allocated error counter
Interrupt handler bad_flp_intr() may cause a UAF on the recently freed
request just to increment the error count.  There's no point keeping
that one in the request anyway, and since the interrupt handler uses a
static pointer to the error which cannot be kept in sync with the
pending request, better make it use a static error counter that's reset
for each new request.  This reset now happens when entering
redo_fd_request() for a new request via set_next_request().
One initial concern about a single error counter was that errors on one
floppy drive could be reported on another one, but this problem is not
real given that the driver uses a single drive at a time, as that
PC-compatible controllers also have this limitation by using shared
signals.  As such the error count is always for the "current" drive.
Reported-by: Minh Yuan <yuanmingbuaa@gmail.com>
Suggested-by: Linus Torvalds <torvalds@linuxfoundation.org>
Tested-by: Denis Efremov <efremov@linux.com>
Signed-off-by: Willy Tarreau <w@1wt.eu>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Diffstat (limited to 'lib/timerqueue.c')
0 files changed, 0 insertions, 0 deletions
