On Tue, Apr 21, 2020 at 03:57:22PM +0300, Denis Efremov wrote: > UBSAN: array-index-out-of-bounds in drivers/block/floppy.c:1521:45 > index 16 is out of range for type 'unsigned char [16]' > Call Trace: > ... > setup_rw_floppy+0x5c3/0x7f0 > floppy_ready+0x2be/0x13b0 > process_one_work+0x2c1/0x5d0 > worker_thread+0x56/0x5e0 > kthread+0x122/0x170 > ret_from_fork+0x35/0x40 > > >From include/uapi/linux/fd.h: > struct floppy_raw_cmd { > ... > unsigned char cmd_count; > unsigned char cmd[16]; > unsigned char reply_count; > unsigned char reply[16]; > ... > } > > This out-of-bounds access is intentional. The command in struct > floppy_raw_cmd may take up the space initially intended for the reply > and the reply count. It is needed for long 82078 commands such as > RESTORE, which takes 17 command bytes. Initial cmd size is not enough > and since struct setup_rw_floppy is a part of uapi we check that > cmd_count is in [0:16+1+16] in raw_cmd_copyin(). > > The patch replaces array subscript with pointer arithetic to suppress > UBSAN warning. Urghh. I think the better way would be to use a union that creates a larger cmd field, or something like: struct floppy_raw_cmd { ... u8 buf[34]; #define BUF_CMD_COUNT 0 #define BUF_CMD 1 #define BUF_REPLY_COUNT 17 #define BUF_REPLY 18 and use addressing based on that.