On Tue, May 17, 2022 at 09:47:57PM +0400, Denis Efremov wrote: > Hi, > > On 5/8/22 13:37, Willy Tarreau wrote: > > Interrupt handler bad_flp_intr() may cause a UAF on the recently freed > > request just to increment the error count. There's no point keeping > > that one in the request anyway, and since the interrupt handler uses > > a static pointer to the error which cannot be kept in sync with the > > pending request, better make it use a static error counter that's > > reset for each new request. This reset now happens when entering > > redo_fd_request() for a new request via set_next_request(). > > > > One initial concern about a single error counter was that errors on > > one floppy drive could be reported on another one, but this problem > > is not real given that the driver uses a single drive at a time, as > > that PC-compatible controllers also have this limitation by using > > shared signals. As such the error count is always for the "current" > > drive. > > > > Reported-by: Minh Yuan <yuanmingbuaa@xxxxxxxxx> > > Suggested-by: Linus Torvalds <torvalds@xxxxxxxxxxxxxxxxxxx> > > Tested-by: Denis Efremov <efremov@xxxxxxxxx> > > Signed-off-by: Willy Tarreau <w@xxxxxx> > > Could you please take this patch (only this one) to the stable trees? > > commit f71f01394f742fc4558b3f9f4c7ef4c4cf3b07c8 upstream. > > The patch applies cleanly to 5.17, 5.15, 5.10 kernels. > I'll send a backport for 5.4 and older kernels. All now queued up, thanks. greg k-h
