From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: Denis Efremov <efremov@linux.com>
Cc: stable@vger.kernel.org, Willy Tarreau <w@1wt.eu>
Subject: Re: [PATCH 1/3] floppy: use a statically allocated error counter
Date: Thu, 19 May 2022 14:40:43 +0200 [thread overview]
Message-ID: <YoY6y+DYP4fjYh9o@kroah.com> (raw)
In-Reply-To: <236c0048-49b5-2c37-4549-d8774f243ae3@linux.com>
On Tue, May 17, 2022 at 09:47:57PM +0400, Denis Efremov wrote:
> Hi,
>
> On 5/8/22 13:37, Willy Tarreau wrote:
> > Interrupt handler bad_flp_intr() may cause a UAF on the recently freed
> > request just to increment the error count. There's no point keeping
> > that one in the request anyway, and since the interrupt handler uses
> > a static pointer to the error which cannot be kept in sync with the
> > pending request, better make it use a static error counter that's
> > reset for each new request. This reset now happens when entering
> > redo_fd_request() for a new request via set_next_request().
> >
> > One initial concern about a single error counter was that errors on
> > one floppy drive could be reported on another one, but this problem
> > is not real given that the driver uses a single drive at a time, as
> > that PC-compatible controllers also have this limitation by using
> > shared signals. As such the error count is always for the "current"
> > drive.
> >
> > Reported-by: Minh Yuan <yuanmingbuaa@gmail.com>
> > Suggested-by: Linus Torvalds <torvalds@linuxfoundation.org>
> > Tested-by: Denis Efremov <efremov@linux.com>
> > Signed-off-by: Willy Tarreau <w@1wt.eu>
>
> Could you please take this patch (only this one) to the stable trees?
>
> commit f71f01394f742fc4558b3f9f4c7ef4c4cf3b07c8 upstream.
>
> The patch applies cleanly to 5.17, 5.15, 5.10 kernels.
> I'll send a backport for 5.4 and older kernels.
All now queued up, thanks.
greg k-h
next prev parent reply other threads:[~2022-05-19 12:40 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-05-08 9:37 [PATCH 1/3] floppy: use a statically allocated error counter Willy Tarreau
2022-05-08 9:37 ` [PATCH 2/3] ataflop: use a statically allocated error counters Willy Tarreau
2022-05-08 9:37 ` [PATCH 3/3] blk-mq: remove the error_count from struct request Willy Tarreau
2022-05-09 6:14 ` [PATCH 1/3] floppy: use a statically allocated error counter Christoph Hellwig
2022-05-10 3:17 ` Willy Tarreau
2022-05-17 17:47 ` Denis Efremov
2022-05-19 12:40 ` Greg Kroah-Hartman [this message]
2022-05-17 20:12 ` [PATCH 5.10] " Denis Efremov
2022-05-17 20:23 ` [PATCH 5.4] " Denis Efremov
2022-05-17 20:35 ` [PATCH 4.19] " Denis Efremov
2022-05-17 20:46 ` [PATCH 4.9] " Denis Efremov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=YoY6y+DYP4fjYh9o@kroah.com \
--to=gregkh@linuxfoundation.org \
--cc=efremov@linux.com \
--cc=stable@vger.kernel.org \
--cc=w@1wt.eu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.