[PATCH] floppy: select FDC before arming timeout work

[PATCH] floppy: select FDC before arming timeout work

[Cen Zhang]

floppy_shutdown() uses current_fdc to choose which controller state
to mark for reset when fd_timeout expires. lock_fdc() currently arms
that timeout before set_fdc() has selected the drive/FDC and updated
current_drive/current_fdc.

drive_params[drive].timeout is user configurable, so the timeout
can be immediate. Even with a non-zero timeout, a delayed caller can
leave the timeout work running while set_fdc() is still testing
fdc_state[fdc].rawcmd and updating the adjacent reset bitfield. The
timeout can then use stale selected-controller state or race the reset
bitfield update.

Move the timeout arm after set_fdc() in lock_fdc(), and keep the
same ordering for the direct floppy_queue_rq() path. This ensures
fd_timeout cannot run until the selected-controller state describes
the operation being timed.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Cen Zhang <zzzccc427@gmail.com>
---
 drivers/block/floppy.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/block/floppy.c b/drivers/block/floppy.c
index 92e446a64371..f9b924a2f276 100644
--- a/drivers/block/floppy.c
+++ b/drivers/block/floppy.c
@@ -894,8 +894,8 @@ static int lock_fdc(int drive)
 
 	command_status = FD_COMMAND_NONE;
 
-	reschedule_timeout(drive, "lock fdc");
 	set_fdc(drive);
+	reschedule_timeout(drive, "lock fdc");
 	return 0;
 }
 
@@ -2874,8 +2874,8 @@ static blk_status_t floppy_queue_rq(struct blk_mq_hw_ctx *hctx,
 	spin_unlock_irq(&floppy_lock);
 
 	command_status = FD_COMMAND_NONE;
-	__reschedule_timeout(MAXTIMEOUT, "fd_request");
 	set_fdc(0);
+	__reschedule_timeout(MAXTIMEOUT, "fd_request");
 	process_fd_request();
 	is_alive(__func__, "");
 	return BLK_STS_OK;
-- 
2.43.0

Re: [PATCH] floppy: select FDC before arming timeout work

[Denis Efremov (Oracle)]

Hi, 

thank you for the patch.

On 04/05/2026 07:28, Cen Zhang wrote:
> floppy_shutdown() uses current_fdc to choose which controller state
> to mark for reset when fd_timeout expires. lock_fdc() currently arms
> that timeout before set_fdc() has selected the drive/FDC and updated
> current_drive/current_fdc.
> 
> drive_params[drive].timeout is user configurable, so the timeout
> can be immediate. Even with a non-zero timeout, a delayed caller can
> leave the timeout work running while set_fdc() is still testing
> fdc_state[fdc].rawcmd and updating the adjacent reset bitfield. The
> timeout can then use stale selected-controller state or race the reset
> bitfield update.
> 
> Move the timeout arm after set_fdc() in lock_fdc(), and keep the
> same ordering for the direct floppy_queue_rq() path. This ensures
> fd_timeout cannot run until the selected-controller state describes
> the operation being timed.
> 
> Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
> Signed-off-by: Cen Zhang <zzzccc427@gmail.com>

Reviewed-by: Denis Efremov (Oracle) <efremov@linux.com>

> ---
>  drivers/block/floppy.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/block/floppy.c b/drivers/block/floppy.c
> index 92e446a64371..f9b924a2f276 100644
> --- a/drivers/block/floppy.c
> +++ b/drivers/block/floppy.c
> @@ -894,8 +894,8 @@ static int lock_fdc(int drive)
>  
>  	command_status = FD_COMMAND_NONE;
>  
> -	reschedule_timeout(drive, "lock fdc");
>  	set_fdc(drive);
> +	reschedule_timeout(drive, "lock fdc");
>  	return 0;
>  }
>  
> @@ -2874,8 +2874,8 @@ static blk_status_t floppy_queue_rq(struct blk_mq_hw_ctx *hctx,
>  	spin_unlock_irq(&floppy_lock);
>  
>  	command_status = FD_COMMAND_NONE;
> -	__reschedule_timeout(MAXTIMEOUT, "fd_request");
>  	set_fdc(0);
> +	__reschedule_timeout(MAXTIMEOUT, "fd_request");
>  	process_fd_request();
>  	is_alive(__func__, "");
>  	return BLK_STS_OK;

Thanks,
Denis