| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20250816162357.554462-1-kevinpaul468@gmail.com>
Date: Sat, 16 Aug 2025 21:53:57 +0530
From: Kevin Paul Reddy Janagari <kevinpaul468@...il.com>
To: efremov@...ux.com
Cc: axboe@...nel.dk,
linux-block@...r.kernel.org,
linux-kernel@...r.kernel.org,
kevinpaul468@...il.com
Subject: [PATCH] Fix race condition leading to panic in reset_interrupt
A local syzkaller issue shows that rapidly triggering floppy ioctls
can cause a race condition between the interrupt handler and the workqueue,
leading to a NULL pointer dereference.
A valid context pointer () is overwritten with NULL between
a work item being scheduled and its execution.
This fix introduces a spinlock floppy_lock This lock protects all reads
and writes to the shared floppy_work_fn and cont global variables.
Tested in a qemu instance using crepro by syzkaller
Signed-off-by: Kevin Paul Reddy Janagari <kevinpaul468@...il.com>
---
drivers/block/floppy.c | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/drivers/block/floppy.c b/drivers/block/floppy.c
index 24be0c2c4075..3a1c8b204912 100644
--- a/drivers/block/floppy.c
+++ b/drivers/block/floppy.c
@@ -992,7 +992,16 @@ static void (*floppy_work_fn)(void);
static void floppy_work_workfn(struct work_struct *work)
{
- floppy_work_fn();
+ void (*handler)(void);
+ unsigned long flags;
+
+ spin_lock_irqsave(&floppy_lock, flags);
+ handler = floppy_work_fn;
+
+ spin_unlock_irqrestore(&floppy_lock, flags);
+
+ if (handler)
+ handler();
}
static DECLARE_WORK(floppy_work, floppy_work_workfn);
--
2.39.5
Powered by blists - more mailing lists