summaryrefslogtreecommitdiff
path: root/scripts/patch-kernel
diff options
context:
space:
mode:
authorWilly Tarreau <w@1wt.eu>2022-05-08 12:37:07 +0300
committerLinus Torvalds <torvalds@linux-foundation.org>2022-05-08 20:01:48 +0300
commitf71f01394f742fc4558b3f9f4c7ef4c4cf3b07c8 (patch)
treef0c852b8b4e16189fa99aa8458a9759d7d1e8725 /scripts/patch-kernel
parent30c8e80f79329617012f07b09b70114592092ea4 (diff)
downloadlinux-f71f01394f742fc4558b3f9f4c7ef4c4cf3b07c8.tar.xz
floppy: use a statically allocated error counter
Interrupt handler bad_flp_intr() may cause a UAF on the recently freed request just to increment the error count. There's no point keeping that one in the request anyway, and since the interrupt handler uses a static pointer to the error which cannot be kept in sync with the pending request, better make it use a static error counter that's reset for each new request. This reset now happens when entering redo_fd_request() for a new request via set_next_request(). One initial concern about a single error counter was that errors on one floppy drive could be reported on another one, but this problem is not real given that the driver uses a single drive at a time, as that PC-compatible controllers also have this limitation by using shared signals. As such the error count is always for the "current" drive. Reported-by: Minh Yuan <yuanmingbuaa@gmail.com> Suggested-by: Linus Torvalds <torvalds@linuxfoundation.org> Tested-by: Denis Efremov <efremov@linux.com> Signed-off-by: Willy Tarreau <w@1wt.eu> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Diffstat (limited to 'scripts/patch-kernel')
0 files changed, 0 insertions, 0 deletions